# IP Systems Ltd AS62741 Acquires A Lot Of IPs...



## DomainBop (Jul 13, 2015)

342,016 IPs to be exact acquired in a short period of time by this relatively new (domain registered October 25, 2014) British Virgin Islands based low end VPS provider. http://bgp.he.net/AS62741#_asinfo

Spamhaus is alleging that 3 of the /16's they acquired were hijacked by AS62741 and has put all 3 /16's on its DROP list.

http://www.spamhaus.org/sbl/query/SBL257918

Borealis - hijacked by AS62741

inetnum: 155.73.0.0 - 155.73.255.255

 

http://www.spamhaus.org/sbl/query/SBL257917

Global Network Services - hijacked by AS62741

 155.108.0.0 - 155.108.255.255

 

http://www.spamhaus.org/sbl/query/SBL257914

Rockwell Aerospace - hijacked by AS62741

CIDR: 130.196.0.0/16


----------



## Bruce (Jul 13, 2015)

interesting peering 

http://bgp.he.net/AS62741#_peers


----------



## Tyler (Jul 13, 2015)

A lot of IP's, indeed. A few things don't sit well with me:

-The fact that it is a British virgin islands company

-SpamHaus listing & accusation of IP hijacking

-342,016 IPs... for what?


----------



## Robert (Jul 13, 2015)

Tyler said:


> -342,016 IPs... for what?


Not hard to work it out.. http://bgp.he.net/net/104.255.136.0/21#_dns


----------



## DomainBop (Jul 13, 2015)

Bruce said:


> interesting peering
> 
> http://bgp.he.net/AS62741#_peers



The "premium" data center they use peers with TeliaSonera



Tyler said:


> -342,016 IPs... for what?


Renting IP blocks to others for one thing: http://www.webhostingtalk.com/showthread.php?t=1492094



Robert said:


> Not hard to work it out.. http://bgp.he.net/net/104.255.136.0/21#_dns


Not too hard to work it out if you go by Spamhaus' records of their IP space.


104.143.112.0/20 SBL and DROP http://www.spamhaus.org/sbl/query/SBL257921


104.255.136.0/21 SBL and DROP http://www.spamhaus.org/sbl/query/SBL257923


130.148.0.0/16 SBL (Hijacked) http://www.spamhaus.org/sbl/query/SBL257919


130.196.0.0/16 SBL (Hijacked) http://www.spamhaus.org/sbl/query/SBL257914


138.128.224.0/19 SBL and DROP http://www.spamhaus.org/sbl/query/SBL257920


155.73.0.0/16 SBL (Hijacked) http://www.spamhaus.org/sbl/query/SBL257918


155.108.0.0/16 SBL (Hijacked) http://www.spamhaus.org/sbl/query/SBL257917


155.249.0.0/16 SBL (Hijacked) http://www.spamhaus.org/sbl/query/SBL257915


Every single one of their 342,016 IP addresses (i.e. 100.00%) is dirty and blacklisted by Spamhaus, and the majority of them are listed as hijacked IPs and on the DROP ("don't peer or route") list.


edited to add:



> Spamhaus is alleging that 3 of the /16's they acquired were hijacked by AS62741 and has put all 3 /16's on its DROP list.


All 5 of the /16's they announce are now listed as hijacked IPs


----------



## Munzy (Jul 13, 2015)

You can always have fun and null their whole asn

https://www.enjen.net/asn-blocklist/index.php?asn=AS62741&type=iptables


----------
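An added example, not part of any post in this thread: a Python sketch that normalizes the Spamhaus listings quoted above (CIDR prefixes and `inetnum`-style ranges), reproduces the address counts cited in the thread, and checks whether a log source address falls inside a listed prefix. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress

# Listings as quoted in the thread. Two entries are written in the inetnum
# range form used in the first post to show both input formats.
LISTINGS = """
104.143.112.0/20 SBL and DROP
104.255.136.0/21 SBL and DROP
130.148.0.0/16 SBL (Hijacked)
130.196.0.0/16 SBL (Hijacked)
138.128.224.0/19 SBL and DROP
155.73.0.0 - 155.73.255.255 SBL (Hijacked)
155.108.0.0 - 155.108.255.255 SBL (Hijacked)
155.249.0.0/16 SBL (Hijacked)
"""

def parse_entry(line):
    """Return (networks, status) for one 'prefix-or-range status' line."""
    if " - " in line:  # inetnum form: first - last
        first, _, rest = line.partition(" - ")
        last, _, status = rest.partition(" ")
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first.strip()), ipaddress.ip_address(last)))
    else:              # CIDR form; strict=True rejects host bits in the prefix
        prefix, _, status = line.partition(" ")
        nets = [ipaddress.ip_network(prefix, strict=True)]
    return nets, status.strip()

def load(text):
    table = []
    for line in text.strip().splitlines():
        nets, status = parse_entry(line.strip())
        table.extend((net, status) for net in nets)
    return table

def total_addresses(table, hijacked=None):
    """Count addresses; hijacked=True/False filters on the status text."""
    return sum(net.num_addresses for net, status in table
               if hijacked is None or ("Hijacked" in status) == hijacked)

def match(table, addr):
    """Return (prefix, status) of the most specific listing covering addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, status) for net, status in table if ip in net]
    if not hits:
        return None
    net, status = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), status

TABLE = load(LISTINGS)

if __name__ == "__main__":
    print(total_addresses(TABLE), total_addresses(TABLE, hijacked=False))
    for src in ("155.73.12.9", "104.255.143.255", "104.255.144.1"):  # constructed
        print(src, match(TABLE, src))
```

The totals give a quick consistency check on the figures quoted in the thread: the eight prefixes sum to the 342,016 addresses cited, and the three non-hijacked ones to the 14,336 reported later.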



## drmike (Jul 13, 2015)

Stolen IPs.... stuff with it and others on spamming ranges..... yeah lots going on wrong with this picture.

As always I read the copy on their website.


"Isolated and SecureYour VPS is a container only accessible to you, which provides far better isolation and security compared to traditional shared hosting. We use ploop (containerized filesystems) to ensure the best file system isolation possible."
Ploop is an isolation feature now?>!?!??!?!?!

 

Then the icing on that fruitcake

 



```
first swipe panel on homepage

"Host your IPs with IP Systems LTD

We offer high quality virtual private servers for web and SEO professionals to better optimize their sites."
```
Who goes to find a host for IPs like this?  Then they bang that hole in the ground really good by targeting SEO optimizers.

Unsure who is behind the shell, but it's unsavory.  Virgin Islands incorporation was to throw folks off path and no details there to be found.

Suspect I'll hear someone whining about the mean folks in the interwebs with the magnifying lens.

Ploop + fake isolation / inferred privacy + stolen IPs + SEO... Whee.  I know WORK is a four letter word, but so is SCAM.


----------



## Tyler (Jul 13, 2015)

Cross-posting from LET.
 

http://lowendtalk.com/discussion/56769/ip-systems-ltd-a-complaint

Some are saying their IPs are not blacklisted...


----------



## FlamesRunner (Jul 13, 2015)

And again, it is possible that Spamhaus just doesn't like them so they put IPSystems LTD on their blocklist... (I still remember Colocrossing, wasn't fun)


----------



## SkylarM (Jul 13, 2015)

FlamesRunner said:


> And again, it is possible that Spamhaus just doesn't like them so they put IPSystems LTD on their blocklist... (I still remember Colocrossing, wasn't fun)


Yeah they totally just didn't like ColoCrossing and put IP ranges on their blocklist.


----------



## drmike (Jul 13, 2015)

Who would have thought that these plans wouldn't work out for a multitude of reasons?


VM-512 Special 
512MB RAM 
64MB VSWAP 
5GB SSD Disk Space (RAID Protected) 
3 x IPV4 Addresses 
/64 IPv6 Included 
500GB Bandwidth included @ 1Gbit port speed
Instant setup 
OpenVZ Virtualization with SolusVM Control Panel 
$4.80/year (Less than .50 per month!), payment via Paypal or Bitcoin (Annual payment required) 



VM-1024 Special 
1024MB RAM 
64MB VSWAP 
10GB SSD Disk Space (RAID Protected)
6 x IPV4 Addresses 
/64 IPv6 Included 
1000GB Bandwidth included @ 1Gbit port speed
Instant setup 
OpenVZ Virtualization with SolusVM Control Panel 
$9.60/year (Less than 1.00 per month!), payment via Paypal or Bitcoin (Annual payment required) 


$5 or $10 for year...  3 or 6 IPv4 addresses.  6 IPs certainly would require proper justification.

Ya' IP grab much mon?

http://bgp.he.net/AS62741#_prefixes


Issued:
104.143.112.0/20	IP Systems Limited Virgin Islands, British
104.255.136.0/21	IP Systems Limited Virgin Islands, British
138.128.224.0/19    IP Systems Limited Virgin Islands, British

Stolen:
130.148.0.0/16	GEC Sensors Limited United Kingdom
130.196.0.0/16	Rockwell Aerospace United States
155.73.0.0/16	Borealis Austria
155.108.0.0/16	Global Network Services United States
155.249.0.0/16	Tandon PLC United Kingdom

Aerospace... A poly chemical company...  A UK company.. and an anonymous name company that may be involved in who knows what...   Strange subset of IPs stolen.  All big /16 blocks...  Maybe it's time corporate at each was made aware of unaccounted for assets.

I see on some of those spam DNS info.... someone shit in those ranges.


----------



## dcdan (Jul 13, 2015)

How do you even steal that many IPs? Wouldn't they need to send a LOA to upstreams or something? How do you get upstreams to allow you announce something you do not own?


----------



## Wintereise (Jul 13, 2015)

dcdan said:


> How do you even steal that many IPs? Wouldn't they need to send a LOA to upstreams or something? How do you get upstreams to allow you announce something you do not own?


By using upstreams that have shitty or non-existent filtering.

Yes, they still exist.


----------



## dcdan (Jul 13, 2015)

Wintereise said:


> By using upstreams that have shitty or non-existent filtering.
> 
> Yes, they still exist.


I am looking at this:

http://bgp.he.net/AS62741#_graph4

Does this mean Telia Sonera qualifies?


----------



## William (Jul 14, 2015)

FlamesRunner said:


> And again, it is possible that Spamhaus just doesn't like them so they put IPSystems LTD on their blocklist... (I still remember Colocrossing, wasn't fun)


Borealis is an Austrian company and did neither sell nor rent their /16 to them - It was hijacked.


----------



## Bruce (Jul 14, 2015)

how easy is it to hijack IPs ? if they're not being announced, anyone else can ?

like this /22 

AS60148

is there a published list of "hijackable" IP blocks ? not that I want any. just interested in what's going on with unused blocks. would be good if ICANN revoked allocations when they're not used for a certain amount of time. now that IPv4 is depleted, this cybersquatting of IP blocks will become a bigger issue (hopefully)


----------



## Tyler (Jul 14, 2015)

FlamesRunner said:


> And again, it is possible that Spamhaus just doesn't like them so they put IPSystems LTD on their blocklist... (I still remember Colocrossing, wasn't fun)


SpamHaus is not just some bully that lists people without reason. Let's not paint them as such.

Take a look at what happened with ColoCrossing (bird's eye view).

-ColoCrossing's IP's got listed and kept getting listed as part of escalations

-ColoCrossing made efforts to clean up its network. 

-Within about a month, most of ColoCrossing's IP's got de-listed. Anyone from HVH or CC will tell you that they now have clean IP's.

SpamHaus is just listing them because they didn't like ColoCrossing?


----------



## DomainBop (Jul 14, 2015)

Tyler said:


> -Within about a month, most of ColoCrossing's IP's got de-listed. *Anyone from HVH or CC will tell you that they now have clean IP's.*


That depends on your definition of clean. They still have an entire /15 blacklisted so 131K dirty IPs or close to 17% of their 785K total. Compare that to a larger provider like Hetzner who has only 1 IP (out of 838K) blacklisted, or a giant with millions of customers like GoDaddy with only 4 IPs out of 863K blacklisted.

If you look at SenderBase CC still has a lot of IPs with poor reputations despite being removed from Spamhaus blacklists.  Poor reputation = you're going to have problems sending mail to some corporate networks. http://www.senderbase.org/lookup/domain/?search_string=colocrossing.com .

They also remain one of the worst networks for hosting forum spammers and other web based threats: https://cleantalk.org/blacklists/AS36352

Their buddies, ServerMania/ B2 Net , who are single homed to them still have a /16, or about 15% of their IPs blacklisted.



> Some are saying their IPs are not blacklisted...


Every IP range in IPSystems AS is blacklisted so if someone has a VPS with an IP that isn't blacklisted then IPSystems is likely using their DC provider's IPs for some of their customers (their own website uses an IP from their DC provider http://bgp.he.net/dns/ipsystemsltd.com#_ipinfo )


----------



## joepie91 (Jul 14, 2015)

Tyler said:


> SpamHaus is not just some bully that lists people without reason.


Without reason? Maybe not. But their 'reasons' certainly aren't always valid reasons for rejecting e-mail (or other services) from an IP.

Spamhaus doesn't exactly have a clean history either - quite a few documented instances of them blacklisting IPs because they didn't like the response from the provider (regardless of whether any spam was sent), because the provider hosted content that was critical of Spamhaus, or because of reasons _completely_ unrelated to spam (eg. "phishing page").

Given their poor track record of responding to delisting requests from smaller companies, I certainly wouldn't classify them as a 'legitimate' organization - internal and external politics play a large role in whether somebody gets listed or not, and there's lots of burned bridges everywhere. They are, at best, a group of often-misfiring vigilantes.

Their habit of immediately playing the "but would you trust what a criminal/spammer says?!" card upon any criticism (whether any such crime or spam has been proven/occurred or not) doesn't exactly reinforce their legitimacy either.


----------



## Robert (Jul 14, 2015)

joepie91 said:


> Given their poor track record of responding to delisting requests from smaller companies, I certainly wouldn't classify them as a 'legitimate' organization


Can attest to this..


----------



## TheLonely (Jul 14, 2015)

DomainBop said:


> Every IP range in IPSystems AS is blacklisted so if someone has a VPS with an IP that isn't blacklisted then IPSystems is likely using their DC provider's IPs for some of their customers (their own website uses an IP from their DC provider http://bgp.he.net/dns/ipsystemsltd.com#_ipinfo )


I know some which aren't blacklisted on AS40440.


----------



## DomainBop (Aug 7, 2015)

If I had a dime for every time some f*cktard called Spamhaus a criminal organization or said Spamhaus had extorted clownA or blackmailed tardB...

IPSystemsLtd owner surfaced today on LET:



Quote said:


> Dear All
> 
> The problems we are facing are very large.
> 
> ...


 In other news: when this thread began last month IPSystems Ltd AS62741 had 342,016 IP addresses.  They now have only 14,336 after the removal of all of those hijacked IP ranges.

Does the IP hijacking matter to the average bargain hunting low end VPS buyer? Probably not.  If I had a dollar for every time a provider engaged in unethical behavior (or had a performance record that was so bad that it made Yugos look reliable in comparison) and buyers were willing to overlook it because it was a _really, really good deal_...


----------



## drmike (Aug 8, 2015)

Allan ehh? interesting.... 

How does a nothing company that sprang up out of the woodwork pretty recently (or am I wrong here), seemed to have amassed 14k IPs?

If it wasn't for stealing other /16's and selling some stupid as crap annuals I wouldn't have even noticed this company.   Okay, well I might have when Centarra  kept flapping from lips... but yeah...

And this shitco is mad cause others are slapping it wrongly... oh really....  steals ranges, but other folks are the bad people.  Steal ranges and do so from government and military associated, lucky a big bird didn't fly over your house and wipe you clean from the planet.  I don't know, picking wrong entities to punk.


----------

