Mailing List Archive

The Curious Case of 143.95.0.0/16
Fair Warning: Those of you not enamored of my long-winded exposés of
various remarkable oddities of the IPv4 address space may wish to click
on the tiny little wastebasket icons on your mail clients at this
point. For the rest of you, please read on. I think you may find the
following story intriguing. It contains at least a few surprising
twists.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_


Our story today consists of three acts.


Act 1 - It is Born
------------------

In mid-February of 1990 a new venture-capital backed company was formed in
Sunnyvale, California. In some ways it was no different than the hundreds
or thousands of hopeful high-tech startups that had been formed in Silicon
Valley, both before and since. It started with a hopeful dream that, in
the end, just didn't work out.

The founders of this company settled initially on a temporary placeholder
company name, XYZ Corporation:

https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view

The mission of the company was to design and manufacture so-called X-Windows
terminals. These would be diskless workstations, complete with CPUs, color
(CRT) displays, graphics, memory, and an ethernet interface. The basic
idea what that such a diskless workstation could run the free X-Windows
client software, and that the system would be cheaper than ordinary PeeCees
due to it not having any hard drives or optical drives.

By some odd twist of fate, I myself was working in the same geographic area
as a software engineer at around the same time, but I worked for a different
Silicon Valley startup, just down the road from XYZ Corporation. And by a
rather remarkable coincidence, the company I worked for had exactly the
same goal and mission as the XYZ Corporation. The name of this other
X-Windows workstation startup was Network Computing Devices, or just "NCD"
for short.

Quite obviously, both companies were inherently "network-centric" and thus,
both requested and were granted blocks of IPv4 addresses. That wasn't at
all within my area of responsibility at NCD, so I don't know who actually
issued those blocks. My guess, based on published historical accounts,
was that it was most probably Dr. Jon Postel who assigned the blocks. I'm
sure that someone will correct me if I'm wrong.

Months passed, and eventually the founders of XYZ Corporation settled on
something they would use as a permanent replacement for their temporary
placeholder corporate name. They decided to call the thing Athenix, Inc.
Once they had settled on that name, they filed papers to update their
records with the California Secretary of State's office:

https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view

At some point, they also and likewise updated the ARIN WHOIS record for the
/16 block which had been assigned to them, on or about 1990-09-06, as was
appropriate to reflect their new permanent corporate identity:

https://pastebin.com/raw/YbH6zYrR

More time passed and eventually it became clear that the entire world was
not in fact breathlessly waiting for -two- companies to bring to market
diskless X-Windows workstations. In fact, as history now shows, market
demand would not support even one such company over the long term.

Thus it came to pass in the year 1993 that an all-too-familiar end-of-life
ritual played out once again in Silicon Valley. At Athenix, Inc. HQ in
Sunnyvale, the people were all let go, including the founders. The desks,
the chairs, the phones, the computers, and the tools were all sold at
auction, with the proceeds going to the preferred shareholders, i.e. the
poor fools who had put up all of the money for this now-failed venture in
the first place, the venture capitalists. Foremost among those in this
instance, was the venerable Menlo Park venture capital firm Kleiner Perkins.

I've confirmed this historical account of the rise and fall of the original
1990-vintage Athenix, Inc. in multiple phone and email exchanges with both
the original CEO of the original Athenix, Mr. Robert ("Bob") Garrow. lately
of Los Altos, California, and also the original CTO of the company, Mr. John
Garman, lately of Reno, Nevada.


Act 2 - Rebirth - The Athenix Phoenix
-------------------------------------

Fast forward fifteen years. On April 22, 2008 a pair of gentlemen in
the Commonwealth of Massachusetts elected to establish a new corporate
entity within the commonwealth. It's name would be Athenic, Inc.[1]

https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view

As you can see in the documents above, a certain Mr. Ofer Inbar and a certain
Mr. Robert Anita, both of the greater Boston area, formed this new corporate
entity in Massachusetts. At its formation, the younger Mr. Inbar was the
President, while the more senior Mr. Antia served as the corporate secretary
and treasurer.

Various other records, which I shall not include here, suggest that both Mr.
Inbar and Mr. Anita were at some point in the distant past affiliated, in
at least some tangential way, with the well-regarded white-hat Boston area
hacking collective known as L0pht, aka L0pht Heavy Industries. I cannot
say much about this apparent connection, other than to say that the details
I have ferreted out about this connection are sketchy at best.

I do however have it on reasonably good authority that Mr. Inbar has of late
relocated to the greater Seattle metropolitan area, and that he is or was
working as a network administrator for Google, Inc. in that area. Mr. Antia,
in contrast, is still, when I last checked, a resident of the greater Boston
area, and is a well regarded "graybeard" in the computing community in and
around Boston, having been in the business, one way or another, for decades.
Mr. Anita currently serves as President of the Boston area chapter of the
public/private critical infrastructure cybersecurity defense partnership
known as InfraGuard.

https://infragard-boston.org/

The evidence currently available to me suggests that not long after the
creation of Mr. Inbar's and Mr. Antia's Massachusetts Athenix, Inc., ARIN
elected to delegate responsibility for the reverse DNS for the 143.95.0.0/16
IPv4 block to a pair of name servers called dns1.athenixinc.com and
dns2.athenixinc.com. That delegation was already in place by 2010-06-24,
which is about the time that Farsight Security Inc., my data source, first
began passively collecting its historical archives of DNS response records.

Historical records made available to me by Domaintools, LLC indicate that
the athenixinc.com domain name was, at least initially, registered to Mr.
Anita in Lincoln, Massachusetts.

https://pastebin.com/raw/GNhbFDFz

Subsequent historical WHOIS data collected by Domaintools in relation to
the athenixinc.com domain name shows that after Mr. Anita, the domain name
registration passed into the hands of at least one other individual, and
eventually, to an entirely different corporate entity. We will come to
that shortly.

Almost a year ago now, when I was first investigating the 143.95.0.0/16
block, I attempted to interview Mr. Inbar by phone regarding his and Mr.
Anita's Athenix, Inc. and the unusual history of the 143.95.0.0/16 block.
It did not go well. Mr. Inbar was apparently reluctant to engage with
me by phone on these or any other topics. He and I did have a few brief
and truncated email exchanges after that however, but apparently my
questions regarding how Mr. Inbar and Mr. Anita came to exercise effective
day-to-day control over the 143.95.0.0/16 ARIN legacy block were not ones
that Mr. Inbar felt in any way obliged to answer, and at some point he
simply ceased answering my emails.

In contrast, Mr. Antia was a veritable fount of information and he and I
had multiple phone conversations as well as multiple email exchanges. From
these exchanges I quickly deduced that Mr. Antia saw absolutely nothing
wrong with, much less anything at all to be shy about with respect to the
history of the 143.95.0.0/16 block -or- his formation, along with Mr. Inbar,
of a new Athenix, Inc. in Massachusetts back in in 2008. Quite the contrary!
Mr. Anita was kind enough for forward me a copy of the following really
rather remarkable lease agreement, in which Mr. Inbar and Mr. Anita together
undertook to lease the 143.95.0.0/16 IPv4 block to a certain Nevada-
incorporated and Colorado-resident limited liability company known as
Media Breakaway, LLC:

https://drive.google.com/file/d/1ASXrUsiNAIq1IIZO5Lw1BqjD1qucqFmI/view

As you can see, the term of the lease is 20 years, beginning from the 28th
day of May, 2008. The compensation to be paid to Mr. Inbar's and Mr. Anita's
Massachusetts Athenic, Inc. in return for this 20 year leasehold was to be
$100,000 USD As Mr. Anita related to me, this sum was in fact paid, and Mr.
Inbar and Mr. Anita split it evenly. (But of course, I have no way to
independently verify that.)

For those unaware, I pause here just long enough to note that the CEO
of Media Breakaway, LLC is none other than Mr. Scott Richter, one-time
"Spam King" and a man who both Wikipedia and the KrebsOnSecurity blog
have asserted is a convicted felon. And of couurse, this is the very same
Scott Richter who figured so prominently in Brian Krebs' report about
pilfered legacy ARIN /16 blocks, published on the Washington Post, way back
in April, 2008.

Of course, in my phone conversations with Mr. Anita, I acquainted him with
these relevant historical allegations. He confessed at the time that he
had not personally done much at all in the way of due diligence with respect
to either Mr. Richter or his company -- a lapse which I personally found
(and find) quite unfortunate, to say the least, and not least because of
Mr. Anita's position as the President of the Boston Chapter of Infraguard,
the public/private partnership whose mission is the protection of the
nation's critical infrastructure assets from cyber-threats. I would have
hoped that a person in such a position would have been in the general
habit of exercising at least some due diligence with respect to the people
he does business with and, in this specific instance, preferably at some
moment *before* Mr. Anita cashed his $50,000 check.


Act 3 - Final Dispensation
--------------------------

Now we come to the final remarkable chapter in the already remarkable
history of the 143.95.0.0/16 legacy IPv4 ARIN address block.

Some months after the formation of the Massachusetts "Athenix, Inc.", on
Sepetember 2nd, 2008 a new corporate entity calling itself "Athenix
Corporation" was incorporated in the State of California. Curiously, this
third Athenix gave both its actual address and its mailing address as 10
Corporate Drive, Burlington, MA 01813.

https://drive.google.com/file/d/1GHhwuPGPKdx5n46cYQ2UhTGiMSdxonFu/view
https://drive.google.com/file/d/1ZLtcY2HWoi5vmNFAJleHep8DxIS3igVR/view

As it happens, that street address is also the headquarters address of the
publicly-traded Endurance International Group, Inc. (EIGI).

There is substantial evidence indicating that EIGI is effectively in complete
functional control of the 143.95.0.0/16 address block at the present moment.

The company's primary ASN, AS29873 and also, an AS number belonging to one
of the company's many acquired subsidiaries, A Small Orange LLC, AS62729
are each routing significant portions of the 143.95.0.0/16 block at the
present time.

https://bgp.he.net/AS29873#_prefixes
https://bgp.he.net/AS62729#_prefixes

Additionally, on or about 2017-05-22, EIGI became the registrant of the
athenixinc.com domain, whose associated name servers (dns1 dns2) had
provided revserse DNS service for the entire 143.95.0.0/16 block during
2011 and 2012. Delegation of the reverse DNS responsibility for the
entire 143.95.0.0/16 block changed on or about 2013-11-28 so that the
new name servers were ones associated with the domain name asonoc.com,
at least according to the relevant historical data provided to me by
Farsight Security, Inc.

https://pastebin.com/raw/MVmzhirc

Historically, and as recently as 2018-04-20, the domain name asonoc.com
was and has been registered to the EIGI subsidiary A Small Orange LLC.

https://pastebin.com/raw/Xy8UHZNw

Responsibility for the reverse DNS for the entire 143.95.0.0/16 block
remains delegated to the rdns1.asonoc.com and rdns2.asonoc.com name
servers at the present moment.

EIGI is primarily a web hosting company. It has, over time. exhibited a
tendency to acquire other and smaller web hosting companies which it has
then absorbed into and under its corporate unbrella. Unlike most other
corporate acquirers however, EIGI is somewhat unique in its notable tendency
to not rebrand its acqusitions so that they would be additive to its main
corporate brand, generally electing instead to maintain the pre-acqusition
brand names for its newly acquired web hosting businesses. One such EIGI-
acquired propery that has retained its pre-acqusition brand name is the
aforementioned Texas-based web hosting company called A Small Orange LLC,
aka AS62729.

(Those who may be interested in more backgound regarding EIGI and past
controversies, specifically with relating to the company's accounting
practices as well as the online activities of its clientele, are encouraged
to consult the footnotes below.[2])

The available evidence suggests the clear possibility that EIGI and its
subsidiary, A Small Orange LLC. may be controling and using the 143.95.0.0/16
block in a manner inconsistant with ordinary business rules of fair dealing
and/or in a manner inconsistant with current ARIN policy, and further, that
the company and/or its various C-suite officers may have arrived at this
current situation not by happentance but rather by some very carefully
considered premeditation.

I mention specifically EIGI's C-suite officers, because the available
evidence suggests that EIGI's apparent takeover of the 143.95.0.0/16
block was not purely or only the product of some unsanctioned rogue
activity on the part of lower-level company functionaries. Multiple
publicly available records obtained from the web site of the California
Secretary of State implicate multiple current and former EIGI C-suite
officers as having been, at the very least, directly aware of the formation
of the third "Athenix", even if perhaps not directly or personally
responsible for that rather suspicious company formation.

https://drive.google.com/file/d/12gm41jG9iFIC9KvIJmfWNjUqCmRtTfxN/view
https://drive.google.com/file/d/1zdhru_hpYVIJfVKi-s5X1MW0znrErJzQ/view
https://drive.google.com/file/d/1dVHDSPKD4Qvur9rzCK9YZDEtOkFA2raS/view

Plese note that Mr. Hari Ravichandran is the now-former CEO of EIGI. Mr.
David Bryson was and remains EIGI's Chief Legal Officer. Mr. Marc
Montagner was and remains EIGI's Chief Financial Officer. Mr. Jeffrey Fox
is EIGI's current CEO, having succeded Mr. Ravichandran in that post.

https://www.endurance.com/our-company/our-team

https://exechange.com/7850/endurance-ceo-hari-ravichandran-leaves-2/7850
https://www.linkedin.com/in/hari-ravichandran-9b949b8
https://jumpv.com/meet-the-team/

https://www.linkedin.com/in/davidbryson
https://www1.salary.com/David-C-Bryson-Salary-Bonus-Stock-Options-for-ENDURANCE-INTL-GRP-HLDGS-INC.html

https://www.linkedin.com/in/marc-montagner-b112a1b1
https://wallmine.com/people/6106/marc-montagner

https://www.linkedin.com/in/jeff-fox-820a0413
https://wallmine.com/people/2962/jeffrey-h-fox

Given that EIGI's rights in and/or legal title to the 143.95.0.0/16 block
appear to be, at best, on somewhat shaky ground, and given that the new
2008-vintage Athenix Corporation does not obviously possess any other
obvious or apparent assets to speak of, it appears, to this writer at
least, more than a little incongruous to see that EIGI apparently listed
Athenix Corporation as a collateral asset on what, to a layman such as
myself, appears to be a bank collateral statement which was filed, apparently
in 2013, with the United States Securities and Exchange Comission.

https://www.sec.gov/Archives/edgar/data/1237746/000119312514077774/d635170dex1025.htm

All I can say about that is that I personally was turned down for a bank
loan, some years ago, when I attempted to use the monthly -liability- of
my recurring water bills as collateral for the loan. But then I have
never been anywhere near as accomplished at high finance as any of the
gentlemen mentioned above surely are.


Responses
---------

More than 24 hours prior to posting this message, I reached out to the press
contact email address listed on EIGI's web site, press (at) endurance.com,
for comment about the facts elaborated above. No response was received from
the company by press time.

Prior to posting, I also reached out to John Curran @ ARIN for his response
to the facts set forth above. John was kind enough to provide the following
official on-the-record ARIN response:

ARIN does not comment on specific registry changes (as number resource
change requests are made in confidence), but we do take matters of
potential number resource fraud quite seriously. I would recommend that
you report potential incidents of registry fraud (if you have not done
so already) via our Internet Number Resource Fraud Reporting process at
https://www.arin.net/resources/fraud/, and we will promptly investigate.
– John Curran, CEO, ARIN

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

FULL DISCLOSURE: I hold no postions, either short or long in EIGI or in
any related company.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_

Acknowledgements
----------------

My thanks to Farsight Security, Inc. and to Domaintools, LLC for their
kind support of this research.


Footnotes:
=======================================================================
[1] Rather remarkably, the Massachusetts Athenix, Inc. was incorporated
a mere six days before my friend, journalist Brian Krebs, put up a story
on the Washington Post web site, detailing how a pair of legacy ARIN IPv4
/16 blocks had somewhat inexplicably ended up in the hands of one of the
world's most notorious spammers, Scott Richter. That story, as some of you
will already know, alleged that a rather simple and yet elaborate fraud had
been perpetrated against ARIN, a fraud which amounted to nothing less than
corporate identity theft, with the one and only apparent goal being the
effective take-over of two quite valuable legacy ARIN IPv4 /16 blocks, a
goal which was, it appeared, successfully achieved with only a relatively
minor investment of effort and expense.

[2] In recent years, all has not gone well for EIGI. In the year 2015, a
somewhat mysterious New York City short seller using the pen name Gotham
City Research published a sequence of four reports detailing his beliefs
that all was not as it should be at EIGI, both with respect to the company's
financial statements and with respect to its clientele and their (allegedly)
questionable online activities.

2015-04-28 - Endurance International Group - A Web of Deceit
https://bit.ly/2KZXPLA

2015-04-29 - Initial Follow-up To: A Web of Deceit
https://bit.ly/2L5Vv4o

2015-05-05 - EIGI’s Adjusted EBITDA is a Meaningless Metric
https://bit.ly/342x4xE

2015-08-03 - Endurance International Group: Malicious Activities
https://bit.ly/30Gk4vr

The value of EIGI stock dropped rather precepitously following the publication
of the Gotham City Research reports and has yet to recover to its earlier
highs.

https://drive.google.com/file/d/1BaGzFglnrbAca9DsRIqt2eD0m_jnrCMw/view

The SEC's investigation of EIGI, and the SEC's subsequent enforcement actions
against the company and its officers in 2018 also didn't help matters much
with respect to EIGI and its stock price:

https://www.sec.gov/enforce/33-10504-s
https://www.bizjournals.com/boston/news/2018/08/22/former-endurance-group-execs-pay-1-4m-to-settle.html
Re: The Curious Case of 143.95.0.0/16 [ In reply to ]
Ronald,

I have one question, “of late”, regarding your post: Is it “Antia” or “Anita”?

:)

-mel

> On Aug 27, 2019, at 11:27 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>
> Fair Warning: Those of you not enamored of my long-winded exposés of
> various remarkable oddities of the IPv4 address space may wish to click
> on the tiny little wastebasket icons on your mail clients at this
> point. For the rest of you, please read on. I think you may find the
> following story intriguing. It contains at least a few surprising
> twists.
>
> +_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
>
>
> Our story today consists of three acts.
>
>
> Act 1 - It is Born
> ------------------
>
> In mid-February of 1990 a new venture-capital backed company was formed in
> Sunnyvale, California. In some ways it was no different than the hundreds
> or thousands of hopeful high-tech startups that had been formed in Silicon
> Valley, both before and since. It started with a hopeful dream that, in
> the end, just didn't work out.
>
> The founders of this company settled initially on a temporary placeholder
> company name, XYZ Corporation:
>
> https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view
>
> The mission of the company was to design and manufacture so-called X-Windows
> terminals. These would be diskless workstations, complete with CPUs, color
> (CRT) displays, graphics, memory, and an ethernet interface. The basic
> idea what that such a diskless workstation could run the free X-Windows
> client software, and that the system would be cheaper than ordinary PeeCees
> due to it not having any hard drives or optical drives.
>
> By some odd twist of fate, I myself was working in the same geographic area
> as a software engineer at around the same time, but I worked for a different
> Silicon Valley startup, just down the road from XYZ Corporation. And by a
> rather remarkable coincidence, the company I worked for had exactly the
> same goal and mission as the XYZ Corporation. The name of this other
> X-Windows workstation startup was Network Computing Devices, or just "NCD"
> for short.
>
> Quite obviously, both companies were inherently "network-centric" and thus,
> both requested and were granted blocks of IPv4 addresses. That wasn't at
> all within my area of responsibility at NCD, so I don't know who actually
> issued those blocks. My guess, based on published historical accounts,
> was that it was most probably Dr. Jon Postel who assigned the blocks. I'm
> sure that someone will correct me if I'm wrong.
>
> Months passed, and eventually the founders of XYZ Corporation settled on
> something they would use as a permanent replacement for their temporary
> placeholder corporate name. They decided to call the thing Athenix, Inc.
> Once they had settled on that name, they filed papers to update their
> records with the California Secretary of State's office:
>
> https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view
>
> At some point, they also and likewise updated the ARIN WHOIS record for the
> /16 block which had been assigned to them, on or about 1990-09-06, as was
> appropriate to reflect their new permanent corporate identity:
>
> https://pastebin.com/raw/YbH6zYrR
>
> More time passed and eventually it became clear that the entire world was
> not in fact breathlessly waiting for -two- companies to bring to market
> diskless X-Windows workstations. In fact, as history now shows, market
> demand would not support even one such company over the long term.
>
> Thus it came to pass in the year 1993 that an all-too-familiar end-of-life
> ritual played out once again in Silicon Valley. At Athenix, Inc. HQ in
> Sunnyvale, the people were all let go, including the founders. The desks,
> the chairs, the phones, the computers, and the tools were all sold at
> auction, with the proceeds going to the preferred shareholders, i.e. the
> poor fools who had put up all of the money for this now-failed venture in
> the first place, the venture capitalists. Foremost among those in this
> instance, was the venerable Menlo Park venture capital firm Kleiner Perkins.
>
> I've confirmed this historical account of the rise and fall of the original
> 1990-vintage Athenix, Inc. in multiple phone and email exchanges with both
> the original CEO of the original Athenix, Mr. Robert ("Bob") Garrow. lately
> of Los Altos, California, and also the original CTO of the company, Mr. John
> Garman, lately of Reno, Nevada.
>
>
> Act 2 - Rebirth - The Athenix Phoenix
> -------------------------------------
>
> Fast forward fifteen years. On April 22, 2008 a pair of gentlemen in
> the Commonwealth of Massachusetts elected to establish a new corporate
> entity within the commonwealth. It's name would be Athenic, Inc.[1]
>
> https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
> https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view
>
> As you can see in the documents above, a certain Mr. Ofer Inbar and a certain
> Mr. Robert Anita, both of the greater Boston area, formed this new corporate
> entity in Massachusetts. At its formation, the younger Mr. Inbar was the
> President, while the more senior Mr. Antia served as the corporate secretary
> and treasurer.
>
> Various other records, which I shall not include here, suggest that both Mr.
> Inbar and Mr. Anita were at some point in the distant past affiliated, in
> at least some tangential way, with the well-regarded white-hat Boston area
> hacking collective known as L0pht, aka L0pht Heavy Industries. I cannot
> say much about this apparent connection, other than to say that the details
> I have ferreted out about this connection are sketchy at best.
>
> I do however have it on reasonably good authority that Mr. Inbar has of late
> relocated to the greater Seattle metropolitan area, and that he is or was
> working as a network administrator for Google, Inc. in that area. Mr. Antia,
> in contrast, is still, when I last checked, a resident of the greater Boston
> area, and is a well regarded "graybeard" in the computing community in and
> around Boston, having been in the business, one way or another, for decades.
> Mr. Anita currently serves as President of the Boston area chapter of the
> public/private critical infrastructure cybersecurity defense partnership
> known as InfraGuard.
>
> https://infragard-boston.org/
>
> The evidence currently available to me suggests that not long after the
> creation of Mr. Inbar's and Mr. Antia's Massachusetts Athenix, Inc., ARIN
> elected to delegate responsibility for the reverse DNS for the 143.95.0.0/16
> IPv4 block to a pair of name servers called dns1.athenixinc.com and
> dns2.athenixinc.com. That delegation was already in place by 2010-06-24,
> which is about the time that Farsight Security Inc., my data source, first
> began passively collecting its historical archives of DNS response records.
>
> Historical records made available to me by Domaintools, LLC indicate that
> the athenixinc.com domain name was, at least initially, registered to Mr.
> Anita in Lincoln, Massachusetts.
>
> https://pastebin.com/raw/GNhbFDFz
>
> Subsequent historical WHOIS data collected by Domaintools in relation to
> the athenixinc.com domain name shows that after Mr. Anita, the domain name
> registration passed into the hands of at least one other individual, and
> eventually, to an entirely different corporate entity. We will come to
> that shortly.
>
> Almost a year ago now, when I was first investigating the 143.95.0.0/16
> block, I attempted to interview Mr. Inbar by phone regarding his and Mr.
> Anita's Athenix, Inc. and the unusual history of the 143.95.0.0/16 block.
> It did not go well. Mr. Inbar was apparently reluctant to engage with
> me by phone on these or any other topics. He and I did have a few brief
> and truncated email exchanges after that however, but apparently my
> questions regarding how Mr. Inbar and Mr. Anita came to exercise effective
> day-to-day control over the 143.95.0.0/16 ARIN legacy block were not ones
> that Mr. Inbar felt in any way obliged to answer, and at some point he
> simply ceased answering my emails.
>
> In contrast, Mr. Antia was a veritable fount of information and he and I
> had multiple phone conversations as well as multiple email exchanges. From
> these exchanges I quickly deduced that Mr. Antia saw absolutely nothing
> wrong with, much less anything at all to be shy about with respect to the
> history of the 143.95.0.0/16 block -or- his formation, along with Mr. Inbar,
> of a new Athenix, Inc. in Massachusetts back in in 2008. Quite the contrary!
> Mr. Anita was kind enough for forward me a copy of the following really
> rather remarkable lease agreement, in which Mr. Inbar and Mr. Anita together
> undertook to lease the 143.95.0.0/16 IPv4 block to a certain Nevada-
> incorporated and Colorado-resident limited liability company known as
> Media Breakaway, LLC:
>
> https://drive.google.com/file/d/1ASXrUsiNAIq1IIZO5Lw1BqjD1qucqFmI/view
>
> As you can see, the term of the lease is 20 years, beginning from the 28th
> day of May, 2008. The compensation to be paid to Mr. Inbar's and Mr. Anita's
> Massachusetts Athenic, Inc. in return for this 20 year leasehold was to be
> $100,000 USD As Mr. Anita related to me, this sum was in fact paid, and Mr.
> Inbar and Mr. Anita split it evenly. (But of course, I have no way to
> independently verify that.)
>
> For those unaware, I pause here just long enough to note that the CEO
> of Media Breakaway, LLC is none other than Mr. Scott Richter, one-time
> "Spam King" and a man who both Wikipedia and the KrebsOnSecurity blog
> have asserted is a convicted felon. And of couurse, this is the very same
> Scott Richter who figured so prominently in Brian Krebs' report about
> pilfered legacy ARIN /16 blocks, published on the Washington Post, way back
> in April, 2008.
>
> Of course, in my phone conversations with Mr. Anita, I acquainted him with
> these relevant historical allegations. He confessed at the time that he
> had not personally done much at all in the way of due diligence with respect
> to either Mr. Richter or his company -- a lapse which I personally found
> (and find) quite unfortunate, to say the least, and not least because of
> Mr. Anita's position as the President of the Boston Chapter of Infraguard,
> the public/private partnership whose mission is the protection of the
> nation's critical infrastructure assets from cyber-threats. I would have
> hoped that a person in such a position would have been in the general
> habit of exercising at least some due diligence with respect to the people
> he does business with and, in this specific instance, preferably at some
> moment *before* Mr. Anita cashed his $50,000 check.
>
>
> Act 3 - Final Dispensation
> --------------------------
>
> Now we come to the final remarkable chapter in the already remarkable
> history of the 143.95.0.0/16 legacy IPv4 ARIN address block.
>
> Some months after the formation of the Massachusetts "Athenix, Inc.", on
> Sepetember 2nd, 2008 a new corporate entity calling itself "Athenix
> Corporation" was incorporated in the State of California. Curiously, this
> third Athenix gave both its actual address and its mailing address as 10
> Corporate Drive, Burlington, MA 01813.
>
> https://drive.google.com/file/d/1GHhwuPGPKdx5n46cYQ2UhTGiMSdxonFu/view
> https://drive.google.com/file/d/1ZLtcY2HWoi5vmNFAJleHep8DxIS3igVR/view
>
> As it happens, that street address is also the headquarters address of the
> publicly-traded Endurance International Group, Inc. (EIGI).
>
> There is substantial evidence indicating that EIGI is effectively in complete
> functional control of the 143.95.0.0/16 address block at the present moment.
>
> The company's primary ASN, AS29873 and also, an AS number belonging to one
> of the company's many acquired subsidiaries, A Small Orange LLC, AS62729
> are each routing significant portions of the 143.95.0.0/16 block at the
> present time.
>
> https://bgp.he.net/AS29873#_prefixes
> https://bgp.he.net/AS62729#_prefixes
>
> Additionally, on or about 2017-05-22, EIGI became the registrant of the
> athenixinc.com domain, whose associated name servers (dns1 dns2) had
> provided revserse DNS service for the entire 143.95.0.0/16 block during
> 2011 and 2012. Delegation of the reverse DNS responsibility for the
> entire 143.95.0.0/16 block changed on or about 2013-11-28 so that the
> new name servers were ones associated with the domain name asonoc.com,
> at least according to the relevant historical data provided to me by
> Farsight Security, Inc.
>
> https://pastebin.com/raw/MVmzhirc
>
> Historically, and as recently as 2018-04-20, the domain name asonoc.com
> was and has been registered to the EIGI subsidiary A Small Orange LLC.
>
> https://pastebin.com/raw/Xy8UHZNw
>
> Responsibility for the reverse DNS for the entire 143.95.0.0/16 block
> remains delegated to the rdns1.asonoc.com and rdns2.asonoc.com name
> servers at the present moment.
>
> EIGI is primarily a web hosting company. It has, over time. exhibited a
> tendency to acquire other and smaller web hosting companies which it has
> then absorbed into and under its corporate unbrella. Unlike most other
> corporate acquirers however, EIGI is somewhat unique in its notable tendency
> to not rebrand its acqusitions so that they would be additive to its main
> corporate brand, generally electing instead to maintain the pre-acqusition
> brand names for its newly acquired web hosting businesses. One such EIGI-
> acquired propery that has retained its pre-acqusition brand name is the
> aforementioned Texas-based web hosting company called A Small Orange LLC,
> aka AS62729.
>
> (Those who may be interested in more backgound regarding EIGI and past
> controversies, specifically with relating to the company's accounting
> practices as well as the online activities of its clientele, are encouraged
> to consult the footnotes below.[2])
>
> The available evidence suggests the clear possibility that EIGI and its
> subsidiary, A Small Orange LLC. may be controling and using the 143.95.0.0/16
> block in a manner inconsistant with ordinary business rules of fair dealing
> and/or in a manner inconsistant with current ARIN policy, and further, that
> the company and/or its various C-suite officers may have arrived at this
> current situation not by happentance but rather by some very carefully
> considered premeditation.
>
> I mention specifically EIGI's C-suite officers, because the available
> evidence suggests that EIGI's apparent takeover of the 143.95.0.0/16
> block was not purely or only the product of some unsanctioned rogue
> activity on the part of lower-level company functionaries. Multiple
> publicly available records obtained from the web site of the California
> Secretary of State implicate multiple current and former EIGI C-suite
> officers as having been, at the very least, directly aware of the formation
> of the third "Athenix", even if perhaps not directly or personally
> responsible for that rather suspicious company formation.
>
> https://drive.google.com/file/d/12gm41jG9iFIC9KvIJmfWNjUqCmRtTfxN/view
> https://drive.google.com/file/d/1zdhru_hpYVIJfVKi-s5X1MW0znrErJzQ/view
> https://drive.google.com/file/d/1dVHDSPKD4Qvur9rzCK9YZDEtOkFA2raS/view
>
> Plese note that Mr. Hari Ravichandran is the now-former CEO of EIGI. Mr.
> David Bryson was and remains EIGI's Chief Legal Officer. Mr. Marc
> Montagner was and remains EIGI's Chief Financial Officer. Mr. Jeffrey Fox
> is EIGI's current CEO, having succeded Mr. Ravichandran in that post.
>
> https://www.endurance.com/our-company/our-team
>
> https://exechange.com/7850/endurance-ceo-hari-ravichandran-leaves-2/7850
> https://www.linkedin.com/in/hari-ravichandran-9b949b8
> https://jumpv.com/meet-the-team/
>
> https://www.linkedin.com/in/davidbryson
> https://www1.salary.com/David-C-Bryson-Salary-Bonus-Stock-Options-for-ENDURANCE-INTL-GRP-HLDGS-INC.html
>
> https://www.linkedin.com/in/marc-montagner-b112a1b1
> https://wallmine.com/people/6106/marc-montagner
>
> https://www.linkedin.com/in/jeff-fox-820a0413
> https://wallmine.com/people/2962/jeffrey-h-fox
>
> Given that EIGI's rights in and/or legal title to the 143.95.0.0/16 block
> appear to be, at best, on somewhat shaky ground, and given that the new
> 2008-vintage Athenix Corporation does not obviously possess any other
> obvious or apparent assets to speak of, it appears, to this writer at
> least, more than a little incongruous to see that EIGI apparently listed
> Athenix Corporation as a collateral asset on what, to a layman such as
> myself, appears to be a bank collateral statement which was filed, apparently
> in 2013, with the United States Securities and Exchange Comission.
>
> https://www.sec.gov/Archives/edgar/data/1237746/000119312514077774/d635170dex1025.htm
>
> All I can say about that is that I personally was turned down for a bank
> loan, some years ago, when I attempted to use the monthly -liability- of
> my recurring water bills as collateral for the loan. But then I have
> never been anywhere near as accomplished at high finance as any of the
> gentlemen mentioned above surely are.
>
>
> Responses
> ---------
>
> More than 24 hours prior to posting this message, I reached out to the press
> contact email address listed on EIGI's web site, press (at) endurance.com,
> for comment about the facts elaborated above. No response was received from
> the company by press time.
>
> Prior to posting, I also reached out to John Curran @ ARIN for his response
> to the facts set forth above. John was kind enough to provide the following
> official on-the-record ARIN response:
>
> ARIN does not comment on specific registry changes (as number resource
> change requests are made in confidence), but we do take matters of
> potential number resource fraud quite seriously. I would recommend that
> you report potential incidents of registry fraud (if you have not done
> so already) via our Internet Number Resource Fraud Reporting process at
> https://www.arin.net/resources/fraud/, and we will promptly investigate.
> – John Curran, CEO, ARIN
>
> +_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
>
> FULL DISCLOSURE: I hold no postions, either short or long in EIGI or in
> any related company.
>
> +_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
>
> Acknowledgements
> ----------------
>
> My thanks to Farsight Security, Inc. and to Domaintools, LLC for their
> kind support of this research.
>
>
> Footnotes:
> =======================================================================
> [1] Rather remarkably, the Massachusetts Athenix, Inc. was incorporated
> a mere six days before my friend, journalist Brian Krebs, put up a story
> on the Washington Post web site, detailing how a pair of legacy ARIN IPv4
> /16 blocks had somewhat inexplicably ended up in the hands of one of the
> world's most notorious spammers, Scott Richter. That story, as some of you
> will already know, alleged that a rather simple and yet elaborate fraud had
> been perpetrated against ARIN, a fraud which amounted to nothing less than
> corporate identity theft, with the one and only apparent goal being the
> effective take-over of two quite valuable legacy ARIN IPv4 /16 blocks, a
> goal which was, it appeared, successfully achieved with only a relatively
> minor investment of effort and expense.
>
> [2] In recent years, all has not gone well for EIGI. In the year 2015, a
> somewhat mysterious New York City short seller using the pen name Gotham
> City Research published a sequence of four reports detailing his beliefs
> that all was not as it should be at EIGI, both with respect to the company's
> financial statements and with respect to its clientele and their (allegedly)
> questionable online activities.
>
> 2015-04-28 - Endurance International Group - A Web of Deceit
> https://bit.ly/2KZXPLA
>
> 2015-04-29 - Initial Follow-up To: A Web of Deceit
> https://bit.ly/2L5Vv4o
>
> 2015-05-05 - EIGI’s Adjusted EBITDA is a Meaningless Metric
> https://bit.ly/342x4xE
>
> 2015-08-03 - Endurance International Group: Malicious Activities
> https://bit.ly/30Gk4vr
>
> The value of EIGI stock dropped rather precepitously following the publication
> of the Gotham City Research reports and has yet to recover to its earlier
> highs.
>
> https://drive.google.com/file/d/1BaGzFglnrbAca9DsRIqt2eD0m_jnrCMw/view
>
> The SEC's investigation of EIGI, and the SEC's subsequent enforcement actions
> against the company and its officers in 2018 also didn't help matters much
> with respect to EIGI and its stock price:
>
> https://www.sec.gov/enforce/33-10504-s
> https://www.bizjournals.com/boston/news/2018/08/22/former-endurance-group-execs-pay-1-4m-to-settle.html
>
The Curious Case of 143.95.0.0/16 [ In reply to ]
Mel Beckman mel at beckman.org wrote:

>I have one question, “of late”, regarding your post: Is it “Antia” or “Anita”?

Yes. Sorry. There were multiple small typos in what I posted. Not
surprising, since I am an utterly awful typist.

The link I gave in my post provides enough redundant context to work out
the correct answer in this case:

https://infragard-boston.org/

The gentleman's name is Robert ("Bob") Antia.

Unrelated to that small faux pas on my part, I also would just like to
mention that I have only just now been pointed at an additional relevant
online document that provides more clarity as regards to who, or what,
ended up owning the original Athenix's intangible assets following its
demise.

https://patents.google.com/patent/US5119494

In the case of this patent, ownership seem to have untimately been assigned
to:

JACKSON, DAVID
HOOK PARTNERS II C/O DAVID J. HOOK
KLEINER PERKINS CAUFIELD & BYERS V C/O JAMES LALLY
COMDISCO, INC.
INSTITUTIONAL VENTURE MANAGEMENT V C/O PETER THOMAS
GARROW, ROBERT A.
INSTITUTIONAL VENTURE PARTNERS FUND V C/O PETER THOMAS
SINGAPORE ECONOMIC DEVELOPMENT BOARD
PACVEN INVESTMENT, LTD. C/O LIP-BU TAN

Obviously, this is a more complete list of Athenix's heirs and assigns than
I had included in my earlier post.


Regards,
rfg
RE: The Curious Case of 143.95.0.0/16 [ In reply to ]
Very interesting story great work Ronald


-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> On Behalf Of Ronald F. Guilmette
Sent: Wednesday, August 28, 2019 2:27 AM
To: nanog@nanog.org
Subject: The Curious Case of 143.95.0.0/16

Fair Warning: Those of you not enamored of my long-winded exposés of various remarkable oddities of the IPv4 address space may wish to click on the tiny little wastebasket icons on your mail clients at this point. For the rest of you, please read on. I think you may find the following story intriguing. It contains at least a few surprising twists.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_


Our story today consists of three acts.


Act 1 - It is Born
------------------

In mid-February of 1990 a new venture-capital backed company was formed in Sunnyvale, California. In some ways it was no different than the hundreds or thousands of hopeful high-tech startups that had been formed in Silicon Valley, both before and since. It started with a hopeful dream that, in the end, just didn't work out.

The founders of this company settled initially on a temporary placeholder company name, XYZ Corporation:

https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view

The mission of the company was to design and manufacture so-called X-Windows terminals. These would be diskless workstations, complete with CPUs, color
(CRT) displays, graphics, memory, and an ethernet interface. The basic idea what that such a diskless workstation could run the free X-Windows client software, and that the system would be cheaper than ordinary PeeCees due to it not having any hard drives or optical drives.

By some odd twist of fate, I myself was working in the same geographic area as a software engineer at around the same time, but I worked for a different Silicon Valley startup, just down the road from XYZ Corporation. And by a rather remarkable coincidence, the company I worked for had exactly the same goal and mission as the XYZ Corporation. The name of this other X-Windows workstation startup was Network Computing Devices, or just "NCD"
for short.

Quite obviously, both companies were inherently "network-centric" and thus, both requested and were granted blocks of IPv4 addresses. That wasn't at all within my area of responsibility at NCD, so I don't know who actually issued those blocks. My guess, based on published historical accounts, was that it was most probably Dr. Jon Postel who assigned the blocks. I'm sure that someone will correct me if I'm wrong.

Months passed, and eventually the founders of XYZ Corporation settled on something they would use as a permanent replacement for their temporary placeholder corporate name. They decided to call the thing Athenix, Inc.
Once they had settled on that name, they filed papers to update their records with the California Secretary of State's office:

https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view

At some point, they also and likewise updated the ARIN WHOIS record for the
/16 block which had been assigned to them, on or about 1990-09-06, as was appropriate to reflect their new permanent corporate identity:

https://pastebin.com/raw/YbH6zYrR

More time passed and eventually it became clear that the entire world was not in fact breathlessly waiting for -two- companies to bring to market diskless X-Windows workstations. In fact, as history now shows, market demand would not support even one such company over the long term.

Thus it came to pass in the year 1993 that an all-too-familiar end-of-life ritual played out once again in Silicon Valley. At Athenix, Inc. HQ in Sunnyvale, the people were all let go, including the founders. The desks, the chairs, the phones, the computers, and the tools were all sold at auction, with the proceeds going to the preferred shareholders, i.e. the poor fools who had put up all of the money for this now-failed venture in the first place, the venture capitalists. Foremost among those in this instance, was the venerable Menlo Park venture capital firm Kleiner Perkins.

I've confirmed this historical account of the rise and fall of the original 1990-vintage Athenix, Inc. in multiple phone and email exchanges with both the original CEO of the original Athenix, Mr. Robert ("Bob") Garrow. lately of Los Altos, California, and also the original CTO of the company, Mr. John Garman, lately of Reno, Nevada.


Act 2 - Rebirth - The Athenix Phoenix
-------------------------------------

Fast forward fifteen years. On April 22, 2008 a pair of gentlemen in the Commonwealth of Massachusetts elected to establish a new corporate entity within the commonwealth. It's name would be Athenic, Inc.[1]

https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view

As you can see in the documents above, a certain Mr. Ofer Inbar and a certain Mr. Robert Anita, both of the greater Boston area, formed this new corporate entity in Massachusetts. At its formation, the younger Mr. Inbar was the President, while the more senior Mr. Antia served as the corporate secretary and treasurer.

Various other records, which I shall not include here, suggest that both Mr.
Inbar and Mr. Anita were at some point in the distant past affiliated, in at least some tangential way, with the well-regarded white-hat Boston area hacking collective known as L0pht, aka L0pht Heavy Industries. I cannot say much about this apparent connection, other than to say that the details I have ferreted out about this connection are sketchy at best.

I do however have it on reasonably good authority that Mr. Inbar has of late relocated to the greater Seattle metropolitan area, and that he is or was working as a network administrator for Google, Inc. in that area. Mr. Antia, in contrast, is still, when I last checked, a resident of the greater Boston area, and is a well regarded "graybeard" in the computing community in and around Boston, having been in the business, one way or another, for decades.
Mr. Anita currently serves as President of the Boston area chapter of the public/private critical infrastructure cybersecurity defense partnership known as InfraGuard.

https://infragard-boston.org/

The evidence currently available to me suggests that not long after the creation of Mr. Inbar's and Mr. Antia's Massachusetts Athenix, Inc., ARIN elected to delegate responsibility for the reverse DNS for the 143.95.0.0/16
IPv4 block to a pair of name servers called dns1.athenixinc.com and dns2.athenixinc.com. That delegation was already in place by 2010-06-24, which is about the time that Farsight Security Inc., my data source, first began passively collecting its historical archives of DNS response records.

Historical records made available to me by Domaintools, LLC indicate that the athenixinc.com domain name was, at least initially, registered to Mr.
Anita in Lincoln, Massachusetts.

https://pastebin.com/raw/GNhbFDFz

Subsequent historical WHOIS data collected by Domaintools in relation to the athenixinc.com domain name shows that after Mr. Anita, the domain name registration passed into the hands of at least one other individual, and eventually, to an entirely different corporate entity. We will come to that shortly.

Almost a year ago now, when I was first investigating the 143.95.0.0/16 block, I attempted to interview Mr. Inbar by phone regarding his and Mr.
Anita's Athenix, Inc. and the unusual history of the 143.95.0.0/16 block.
It did not go well. Mr. Inbar was apparently reluctant to engage with me by phone on these or any other topics. He and I did have a few brief and truncated email exchanges after that however, but apparently my questions regarding how Mr. Inbar and Mr. Anita came to exercise effective day-to-day control over the 143.95.0.0/16 ARIN legacy block were not ones that Mr. Inbar felt in any way obliged to answer, and at some point he simply ceased answering my emails.

In contrast, Mr. Antia was a veritable fount of information and he and I had multiple phone conversations as well as multiple email exchanges. From these exchanges I quickly deduced that Mr. Antia saw absolutely nothing wrong with, much less anything at all to be shy about with respect to the history of the 143.95.0.0/16 block -or- his formation, along with Mr. Inbar, of a new Athenix, Inc. in Massachusetts back in in 2008. Quite the contrary!
Mr. Anita was kind enough for forward me a copy of the following really rather remarkable lease agreement, in which Mr. Inbar and Mr. Anita together undertook to lease the 143.95.0.0/16 IPv4 block to a certain Nevada- incorporated and Colorado-resident limited liability company known as Media Breakaway, LLC:

https://drive.google.com/file/d/1ASXrUsiNAIq1IIZO5Lw1BqjD1qucqFmI/view

As you can see, the term of the lease is 20 years, beginning from the 28th day of May, 2008. The compensation to be paid to Mr. Inbar's and Mr. Anita's Massachusetts Athenic, Inc. in return for this 20 year leasehold was to be
$100,000 USD As Mr. Anita related to me, this sum was in fact paid, and Mr.
Inbar and Mr. Anita split it evenly. (But of course, I have no way to independently verify that.)

For those unaware, I pause here just long enough to note that the CEO of Media Breakaway, LLC is none other than Mr. Scott Richter, one-time "Spam King" and a man who both Wikipedia and the KrebsOnSecurity blog have asserted is a convicted felon. And of couurse, this is the very same Scott Richter who figured so prominently in Brian Krebs' report about pilfered legacy ARIN /16 blocks, published on the Washington Post, way back in April, 2008.

Of course, in my phone conversations with Mr. Anita, I acquainted him with these relevant historical allegations. He confessed at the time that he had not personally done much at all in the way of due diligence with respect to either Mr. Richter or his company -- a lapse which I personally found (and find) quite unfortunate, to say the least, and not least because of Mr. Anita's position as the President of the Boston Chapter of Infraguard, the public/private partnership whose mission is the protection of the nation's critical infrastructure assets from cyber-threats. I would have hoped that a person in such a position would have been in the general habit of exercising at least some due diligence with respect to the people he does business with and, in this specific instance, preferably at some moment *before* Mr. Anita cashed his $50,000 check.


Act 3 - Final Dispensation
--------------------------

Now we come to the final remarkable chapter in the already remarkable history of the 143.95.0.0/16 legacy IPv4 ARIN address block.

Some months after the formation of the Massachusetts "Athenix, Inc.", on Sepetember 2nd, 2008 a new corporate entity calling itself "Athenix Corporation" was incorporated in the State of California. Curiously, this third Athenix gave both its actual address and its mailing address as 10 Corporate Drive, Burlington, MA 01813.

https://drive.google.com/file/d/1GHhwuPGPKdx5n46cYQ2UhTGiMSdxonFu/view
https://drive.google.com/file/d/1ZLtcY2HWoi5vmNFAJleHep8DxIS3igVR/view

As it happens, that street address is also the headquarters address of the publicly-traded Endurance International Group, Inc. (EIGI).

There is substantial evidence indicating that EIGI is effectively in complete functional control of the 143.95.0.0/16 address block at the present moment.

The company's primary ASN, AS29873 and also, an AS number belonging to one of the company's many acquired subsidiaries, A Small Orange LLC, AS62729 are each routing significant portions of the 143.95.0.0/16 block at the present time.

https://bgp.he.net/AS29873#_prefixes
https://bgp.he.net/AS62729#_prefixes

Additionally, on or about 2017-05-22, EIGI became the registrant of the athenixinc.com domain, whose associated name servers (dns1 dns2) had provided revserse DNS service for the entire 143.95.0.0/16 block during
2011 and 2012. Delegation of the reverse DNS responsibility for the entire 143.95.0.0/16 block changed on or about 2013-11-28 so that the new name servers were ones associated with the domain name asonoc.com, at least according to the relevant historical data provided to me by Farsight Security, Inc.

https://pastebin.com/raw/MVmzhirc

Historically, and as recently as 2018-04-20, the domain name asonoc.com was and has been registered to the EIGI subsidiary A Small Orange LLC.

https://pastebin.com/raw/Xy8UHZNw

Responsibility for the reverse DNS for the entire 143.95.0.0/16 block remains delegated to the rdns1.asonoc.com and rdns2.asonoc.com name servers at the present moment.

EIGI is primarily a web hosting company. It has, over time. exhibited a tendency to acquire other and smaller web hosting companies which it has then absorbed into and under its corporate unbrella. Unlike most other corporate acquirers however, EIGI is somewhat unique in its notable tendency to not rebrand its acqusitions so that they would be additive to its main corporate brand, generally electing instead to maintain the pre-acqusition brand names for its newly acquired web hosting businesses. One such EIGI- acquired propery that has retained its pre-acqusition brand name is the aforementioned Texas-based web hosting company called A Small Orange LLC, aka AS62729.

(Those who may be interested in more backgound regarding EIGI and past controversies, specifically with relating to the company's accounting practices as well as the online activities of its clientele, are encouraged to consult the footnotes below.[2])

The available evidence suggests the clear possibility that EIGI and its subsidiary, A Small Orange LLC. may be controling and using the 143.95.0.0/16 block in a manner inconsistant with ordinary business rules of fair dealing and/or in a manner inconsistant with current ARIN policy, and further, that the company and/or its various C-suite officers may have arrived at this current situation not by happentance but rather by some very carefully considered premeditation.

I mention specifically EIGI's C-suite officers, because the available evidence suggests that EIGI's apparent takeover of the 143.95.0.0/16 block was not purely or only the product of some unsanctioned rogue activity on the part of lower-level company functionaries. Multiple publicly available records obtained from the web site of the California Secretary of State implicate multiple current and former EIGI C-suite officers as having been, at the very least, directly aware of the formation of the third "Athenix", even if perhaps not directly or personally responsible for that rather suspicious company formation.

https://drive.google.com/file/d/12gm41jG9iFIC9KvIJmfWNjUqCmRtTfxN/view
https://drive.google.com/file/d/1zdhru_hpYVIJfVKi-s5X1MW0znrErJzQ/view
https://drive.google.com/file/d/1dVHDSPKD4Qvur9rzCK9YZDEtOkFA2raS/view

Plese note that Mr. Hari Ravichandran is the now-former CEO of EIGI. Mr.
David Bryson was and remains EIGI's Chief Legal Officer. Mr. Marc Montagner was and remains EIGI's Chief Financial Officer. Mr. Jeffrey Fox is EIGI's current CEO, having succeded Mr. Ravichandran in that post.

https://www.endurance.com/our-company/our-team

https://exechange.com/7850/endurance-ceo-hari-ravichandran-leaves-2/7850
https://www.linkedin.com/in/hari-ravichandran-9b949b8
https://jumpv.com/meet-the-team/

https://www.linkedin.com/in/davidbryson
https://www1.salary.com/David-C-Bryson-Salary-Bonus-Stock-Options-for-ENDURANCE-INTL-GRP-HLDGS-INC.html

https://www.linkedin.com/in/marc-montagner-b112a1b1
https://wallmine.com/people/6106/marc-montagner

https://www.linkedin.com/in/jeff-fox-820a0413
https://wallmine.com/people/2962/jeffrey-h-fox

Given that EIGI's rights in and/or legal title to the 143.95.0.0/16 block appear to be, at best, on somewhat shaky ground, and given that the new 2008-vintage Athenix Corporation does not obviously possess any other obvious or apparent assets to speak of, it appears, to this writer at least, more than a little incongruous to see that EIGI apparently listed Athenix Corporation as a collateral asset on what, to a layman such as myself, appears to be a bank collateral statement which was filed, apparently in 2013, with the United States Securities and Exchange Comission.

https://www.sec.gov/Archives/edgar/data/1237746/000119312514077774/d635170dex1025.htm

All I can say about that is that I personally was turned down for a bank loan, some years ago, when I attempted to use the monthly -liability- of my recurring water bills as collateral for the loan. But then I have never been anywhere near as accomplished at high finance as any of the gentlemen mentioned above surely are.


Responses
---------

More than 24 hours prior to posting this message, I reached out to the press contact email address listed on EIGI's web site, press (at) endurance.com, for comment about the facts elaborated above. No response was received from the company by press time.

Prior to posting, I also reached out to John Curran @ ARIN for his response to the facts set forth above. John was kind enough to provide the following official on-the-record ARIN response:

ARIN does not comment on specific registry changes (as number resource
change requests are made in confidence), but we do take matters of
potential number resource fraud quite seriously. I would recommend that
you report potential incidents of registry fraud (if you have not done
so already) via our Internet Number Resource Fraud Reporting process at
https://www.arin.net/resources/fraud/, and we will promptly investigate.
– John Curran, CEO, ARIN

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_

FULL DISCLOSURE: I hold no postions, either short or long in EIGI or in any related company.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_

Acknowledgements
----------------

My thanks to Farsight Security, Inc. and to Domaintools, LLC for their kind support of this research.


Footnotes:
=======================================================================
[1] Rather remarkably, the Massachusetts Athenix, Inc. was incorporated a mere six days before my friend, journalist Brian Krebs, put up a story on the Washington Post web site, detailing how a pair of legacy ARIN IPv4
/16 blocks had somewhat inexplicably ended up in the hands of one of the world's most notorious spammers, Scott Richter. That story, as some of you will already know, alleged that a rather simple and yet elaborate fraud had been perpetrated against ARIN, a fraud which amounted to nothing less than corporate identity theft, with the one and only apparent goal being the effective take-over of two quite valuable legacy ARIN IPv4 /16 blocks, a goal which was, it appeared, successfully achieved with only a relatively minor investment of effort and expense.

[2] In recent years, all has not gone well for EIGI. In the year 2015, a somewhat mysterious New York City short seller using the pen name Gotham City Research published a sequence of four reports detailing his beliefs that all was not as it should be at EIGI, both with respect to the company's financial statements and with respect to its clientele and their (allegedly) questionable online activities.

2015-04-28 - Endurance International Group - A Web of Deceit
https://bit.ly/2KZXPLA

2015-04-29 - Initial Follow-up To: A Web of Deceit
https://bit.ly/2L5Vv4o

2015-05-05 - EIGI’s Adjusted EBITDA is a Meaningless Metric
https://bit.ly/342x4xE

2015-08-03 - Endurance International Group: Malicious Activities
https://bit.ly/30Gk4vr

The value of EIGI stock dropped rather precepitously following the publication of the Gotham City Research reports and has yet to recover to its earlier highs.

https://drive.google.com/file/d/1BaGzFglnrbAca9DsRIqt2eD0m_jnrCMw/view

The SEC's investigation of EIGI, and the SEC's subsequent enforcement actions against the company and its officers in 2018 also didn't help matters much with respect to EIGI and its stock price:

https://www.sec.gov/enforce/33-10504-s
https://www.bizjournals.com/boston/news/2018/08/22/former-endurance-group-execs-pay-1-4m-to-settle.html