Mailing List Archive

Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
Few of you here probably know about this, but nearly a week ago now
an article appeared in South Africa's largest and most popular online
tech publication, MyBroadband.co.za. It detailed many, but certainly not
all of the results of my multi-month investigation of a massive and
ongoing fraud involving the theft of large numbers of large (generally
/16 or larger) abandoned legacy blocks, taken from the AFRINIC region
and beyond:

https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html

For various editorial reasons, the article that was published actually
downplayed the magnitude of the thefts quite dramatically. The
totality of the IPv4 space that has been stolen or squatted, primarily
but not exclusively, from South African companies and South African national
government agencies and departments is actually at least 5x bigger than what
was reported in the MyBroadband.co.za article.

The overwhelming majority of this stolen and squatted IPv4 space has
been helpfully routed by Cogent (AS174), to their customer, FDCServers
of Chicago, and then on to the preferred destinations of a certain Mr.
Elad Cohen of Israel, and his company Netstyle Atarim, Ltd. (I have
saved traceroutes up the wazoo that prove the involvement of FDCServers,
in particular, in all of this.)

Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
activities, basically grabbing everything that wasn't nailed down, both
within the AFRINIC region and also within the APNIC region.

In order to try to legitimize all of these thefts and squats, Mr. Cohen
created quite a sizable number of fraudulent route: objects within the
Merit/RADB data base which, as most here should already know, has
essentially zero authentication of any kind before it allows J. Random
Luser to add pretty much any route: object he wants to the RADB.

Here's a full listing of all of Mr. Cohen's RADB route: objects as they
existed as recently as August 17th:

https://pastebin.com/raw/ZNgNuvtt

And here is the short summary version showing just all of the prefixes/CIDRs
that Mr. Cohen was effectively claiming rights and/or title to as of that
same date:

https://pastebin.com/raw/4LTaCg5R

Please do note the numerous blocks of size /16 or greater.

The bottom line is that this one tiny little Israeli company was effectively
claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of
August 17th, 2019. (Not too shabby for one lone guy who teaches programming
classes as a side job!) Virtually all of the space is "legacy" IPv4 space,
and generally consists of blocks having sizes of /16 or larger.

Some of Mr. Cohen's claims in his RADB entries are as humorous as they
are pathetically fraudulent. For example, Mr. Cohen has effectively
claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
Authority of the City of Melbourne, Australia. But hell! That's merely
city property! Mr. Cohen's limitless appetite for other people's IPv4
space is more vividly on display in his claims to ownership over the
168.198.0.0/16 block, which actually belongs to the Department of Finance
of the Australian national government. And I haven't even mentioned yet
another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,
which he did not see fit to create an RADB entry for, but which he's
been squatting on for quite some time now, quite clearly with the
aid and assistance of both Cogent and FDCServers. That one belongs to
the City of Cape Town, South Africa. That city's engineers have been
struggling to regain control of their block back from Cogent, from
FDCServers, and from Mr. Cohen for some time now. I know because I've
personally spoken to them about it. Cogent, in its infinite wisdom, is
continuing to fight the city for control over property that clearly and
rightfully belongs to the City of Cape Town, even as we speak:

https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view

When asked for LOAs attesting to his legitimate authority to route at
least a few of these blocks, Mr. Cohen has produced blatantly forged
documents, many of which appeared in the MyBroadband.co.za story. And
when I say "blatant" that's a gross understatement. Any half-way decent
forger would consider these documents an embarrassment. The documents all
bear identical signatures, and identical and vaguely official looking
stamps, and purport to actually be sales receipts attesting to the
alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
company called Afrivestment, Ltd., which may actually exist in some
faraway galaxy, or in Mr. Cohen's active imagination, but which both
Google and OpenCorporates.com seem to agree exists exactly noplace on
this planet. Here are the manufactured LOAs supplied by Mr. Cohen:

https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view

Recently, Cohen started to move some, but not all, of his stolen and squatted
IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof
hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or
to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which,
coincidently, just happen to be owned by the exact same pair of Dutch
gentlemen who previously owned the notorious Ecatel, followed by the notorious
Quasi Networks. (IP Volume, Inc. appears to have inherited all or nearly
all of its legitimately assigned IP space from its predecessor entities,
Ecatel and Quasi Networks.)

Despite these relocations, many of Mr. Cohen's stolen and squatted blocks
are still helpfully being routed to Mr. Cohen's preferred destinations by
his good friends at Cogent and FDCServers, even as we speak. The current
set of such routes that Cogent is maintaining, at the moment, apparently on
behalf of their customer, Mr. Cohen, consists of the prefixes listed here:

https://pastebin.com/raw/EA3xJVLF

When I noticed two days ago that all of these routes were still up I was
deeply confused. Did both Cogent and FDCServers not get the memo?? Do
they not know yet that Cohen is stealing stuff, left, right, and sideways?
Did nobody even tell them about the MyBroadband.co.za article which was
published this past Sunday? I decided that it was incumbent upon me to
find out.

Thus, more than 48 hours ago now I sent the following polite but firm
inquiry to Cogent, and a separate nearly identical one directly to the
CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).

https://pastebin.com/raw/ztipqE96

A full forty eight hours later, I have received no reply whatsoever from
either Cogent or FDCServers, not even a "Go pound sand" type of response.

More importantly, most of the stolen IPv4 space that I called out, very
specifically, to both Cogent and FDCServers two+ days ago now is still
being routed by Cogent/FDCServers to their fun-loving and, I'm sure,
promptly paying customer, Mr. Cohen. If neither Cogent nor FDCServers
still do not know now that Mr. Cohen is a crook, and that he has glommed
onto quite a lot of stolen and squatted IPv4 space... which they have
been helpfully routing for him, no doubt in exchange for some handsome
payments... then I am forced to say that it appears to be a reasonable
conclusion that it must be because neither Cogent nor FDCServers really
wants to know what sort of a character Cohen is, or what he has been up
to, specifically with their ongoing and material assistance.

But you all be the judges. What does it look like to you?


Regards,
rfg
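
The post above notes that RADB accepts route: objects with essentially no authentication and tallies the address space one registrant claimed through them. The following is an added example, not part of the original message or of any tool it mentions: it parses a constructed dump of RPSL route: objects, counts the distinct addresses claimed (overlapping prefixes collapsed), and checks each claim against a hypothetical, locally held authoritative table of allocations and permitted origin ASNs. All prefixes, ASNs and maintainer names are constructed placeholders.

```python
import ipaddress

# Constructed sample data: RPSL route: objects as an IRR dump would list them.
# Prefixes are private/documentation space; ASNs are documentation ASNs.
IRR_DUMP = """\
% constructed IRR dump for illustration
route:      10.44.0.0/16
descr:      Example Holdings Ltd
origin:     AS64500
mnt-by:     MAINT-EXAMPLE-A
source:     RADB

route:      10.44.128.0/17
descr:      Example Holdings Ltd
origin:     AS64500
mnt-by:     MAINT-EXAMPLE-A
source:     RADB

route:      10.198.0.0/16
descr:      Example Finance Department
            head office network
origin:     as64501   # lower case on purpose
mnt-by:     MAINT-EXAMPLE-B
source:     RADB

route:      192.0.2.0/24
origin:     AS64500
mnt-by:     MAINT-EXAMPLE-A
source:     RADB
"""

# Hypothetical authoritative view (assumption): allocation -> origin ASNs the
# registered holder has approved, e.g. compiled from RIR records or ROAs.
AUTHORITATIVE = [
    (ipaddress.ip_network("10.44.0.0/16"), {"AS64511"}),
    (ipaddress.ip_network("10.198.0.0/16"), {"AS64501"}),
]


def parse_rpsl(text):
    """Split an RPSL dump into objects, each a list of (key, value) pairs."""
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith(("%", "#")):          # server or file comments
            continue
        if not raw.strip():                     # blank line ends an object
            if current:
                objects.append(current)
            current = []
            continue
        if raw[0] in " \t+" and current:        # continuation of previous value
            key, value = current[-1]
            current[-1] = (key, (value + " " + raw[1:].strip()).strip())
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue                            # malformed line, ignore
        current.append((key.strip().lower(), value.split("#", 1)[0].strip()))
    if current:
        objects.append(current)
    return objects


def route_claims(objects):
    """Extract prefix, origin and maintainers from every route: object."""
    claims = []
    for obj in objects:
        key, value = obj[0]
        if key != "route":
            continue
        attrs = {}
        for k, v in obj:
            attrs.setdefault(k, []).append(v)
        try:
            prefix = ipaddress.ip_network(value)
        except ValueError:
            continue                            # not a valid CIDR, skip
        claims.append({
            "prefix": prefix,
            "origin": attrs.get("origin", [""])[0].upper(),
            "mnt_by": attrs.get("mnt-by", []),
        })
    return claims


def claimed_addresses(claims):
    """Count distinct addresses claimed; nested prefixes are not counted twice."""
    merged = ipaddress.collapse_addresses(c["prefix"] for c in claims)
    return sum(net.num_addresses for net in merged)


def audit(claims, authoritative):
    """Label each IRR claim by comparing it with the authoritative table."""
    findings = []
    for c in claims:
        covering = [ok for net, ok in authoritative if c["prefix"].subnet_of(net)]
        if not covering:
            status = "no-authoritative-record"
        elif any(c["origin"] in ok for ok in covering):
            status = "consistent"
        else:
            status = "origin-mismatch"
        findings.append((str(c["prefix"]), c["origin"], status))
    return findings


if __name__ == "__main__":
    claims = route_claims(parse_rpsl(IRR_DUMP))
    print("distinct addresses claimed:", claimed_addresses(claims))
    for row in audit(claims, AUTHORITATIVE):
        print(*row)
```

An "origin-mismatch" result only says the IRR object disagrees with the authoritative table; whether the table or the route object is stale still has to be settled with the registered holder.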
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
A quick check of one of your facts produces unexpected results, so you might want to perform more research. According to the APNIC, 139.44.0.0/16 does not “belong unambiguously to the Port Authority of Melbourne”. It belongs to an individual, with an office address at a building called “Port Authority of Melbourne”:

person: Rob Shute
address: Port of Melbourne Authority
         Level 47 South
         525 Collins St
country: AU
phone: +61 3 9628 7613
e-mail: djk@pma.vic.gov.au
nic-hdl: RS54-AP
remarks: ----------
remarks: imported from ARIN object:
remarks:
remarks: poc-handle: RS546-ARIN
remarks: is-role: N
remarks: last-name: Shute
remarks: first-name: Rob
remarks: street: Port of Melbourne Authority
         Level 47 South
         525 Collins St
remarks: country: AU
remarks: mailbox: djk@pma.vic.gov.au
remarks: bus-phone: +61 3 9628 7613
remarks: reg-date: 1970-01-01
remarks: changed: hostmaster@arin.poc 20001127
remarks: source: ARIN
remarks:
remarks: ----------
notify: djk@pma.vic.gov.au
mnt-by: MNT-ERX-PRTMELAUTH-NON-AU
last-modified: 2008-09-04T07:31:33Z
source: APNIC

The building called the Port Authority of Melbourne is not, by all accounts, a government agency. It’s just the name of a 54-story office building, like the World Trade Center in NYC. In fact, World Trade Centre (Melbourne) is another name for the building, and although it houses the Port of Melbourne Authority agency (on Level 4, not Level 47), it appears to be largely just a toney address for business offices. Some, perhaps, not unlike American “Mail Boxes Etc” (although I haven’t confirmed this). But the following Wikipedia excerpt says this unambiguously:

The building currently houses some offices of the headquarters of Victoria Police, and the Victoria Police Museum, a collection of exhibits and memorabilia from over 150 years of policing in Victoria.[3] It also houses offices for companies, including Thales Australia.

https://en.m.wikipedia.org/wiki/Port_of_Melbourne_Authority

Now, I’m not an Ossie, and in fact have never been down under, but it seems likely that the address in the registration is akin to a US business having a World Trade Center address in NYC. It means nothing as far as APNIC asset ownership is concerned. It’s just an address.

I could be wrong. However, it seems a simple fact to verify by calling management at that building. I tried sending email to the registered “.gov.au” address:

djk@pma.vic.gov.au

But the domain does not exist.

-mel beckman

On Sep 6, 2019, at 1:30 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
Sorry, re-sending to include the list.

Looking at the history of the prefix, it does look like it did belong to the now-defunct Port of Melbourne Authority, with the matching e-mail address. That particular organization, however, no longer exists, having been absorbed into the Port of Melbourne Corporation, which is a proper statutory organization in Australia.

A quick MX lookup does show that pma.vic.gov.au does not have any functioning mail servers on it, however, and likely hasn’t had any for some time (given it was absorbed in 2003).

On Sep 6, 2019, at 21:26, Mel Beckman <mel@beckman.org> wrote:

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
Hi,

(Also never been in Australia, unfortunately...)

Netname is "PMANET":
...isn't it OK to assume it could stand for "Port of Melbourne Authority
Network"?

* pma.vic.gov.au is not operational
(I wonder what can be found with passive DNS)

* vic.gov.au is still operational.


Quick googling also allowed me to find this:

https://www.portofmelbourne.com/about-us/port-history/timeline/

"1996 Melbourne Port Corporation established as successor to Port of
Melbourne Authority."


Regards,
Carlos



On Fri, 6 Sep 2019, Mel Beckman wrote:

> A quick check of one of your facts produces unexpected results, so you might want to perform more research. According to the APNIC,
> 139.44.0.0/16 does not “belong unambiguously to the Port Authority of Melbourne”. It belongs to an individual, with an office address
> at a building called “Port Authority of Melbourne”:
>
> person: Rob Shute
> address: Port of Melbourne Authority
>          Level 47 South
>          525 Collins St
> country: AU
> phone: +61 3 9628 7613
> e-mail: djk@pma.vic.gov.au
> nic-hdl: RS54-AP
> remarks: ----------
> remarks: imported from ARIN object:
> remarks:
> remarks: poc-handle: RS546-ARIN
> remarks: is-role: N
> remarks: last-name: Shute
> remarks: first-name: Rob
> remarks: street: Port of Melbourne Authority
>          Level 47 South
>          525 Collins St
> remarks: country: AU
> remarks: mailbox: djk@pma.vic.gov.au
> remarks: bus-phone: +61 3 9628 7613
> remarks: reg-date: 1970-01-01
> remarks: changed: hostmaster@arin.poc 20001127
> remarks: source: ARIN
> remarks:
> remarks: ----------
> notify: djk@pma.vic.gov.au
> mnt-by: MNT-ERX-PRTMELAUTH-NON-AU
> last-modified: 2008-09-04T07:31:33Z
> source: APNIC
>
> The building called the Port Authority of Melbourne is not, by all accounts, a government agency. It’s just the name of a 54-story
> office building, like the World Trade Center in NYC. In fact, World Trade Centre (Melbourne) is another name for the building, and
> although it houses the Port of Melbourne Authority agency (on Level 4, not Level 47), it appears to be largely just a toney address
> for business offices. Some, perhaps, not unlike American “Mail Boxes Etc” (although I haven’t confirmed this). But the following Wikipedia
> excerpt says this unambiguously:
>
> The building currently houses some offices of the headquarters of Victoria Police, and the Victoria Police Museum, a collection of
> exhibits and memorabilia from over 150 years of policing in Victoria.[3] It also houses offices for companies, including Thales
> Australia.
>
> https://en.m.wikipedia.org/wiki/Port_of_Melbourne_Authority
>
> Now, I’m not an Ossie, and in fact have never been down under, but it seems likely that the address in the registration is akin to a
> US business having a World Trade Center address in NYC. It means nothing as far as APNIC asset ownership is concerned. It’s just an
> address.
>
> I could be wrong. However, it seems a simple fact to verify by calling management at that building. I tried sending email to the
> registered “.gov.au” address:
>
> djk@pma.vic.gov.au
>
> But the domain does not exist. 
>
>  -mel beckman
>
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
Important realization: Things don’t always work there like they work here (wherever “here” is for you).

-Ben

> On Sep 6, 2019, at 6:57 AM, Carlos Friaças via NANOG <nanog@nanog.org> wrote:
>
>
> Hi,
>
> (Also never been in Australia, unfortunately...)
>
> Netname is "PMANET":
> ...isn't it OK to assume it could stand for "Port of Melbourne Authority Network"?
>
> * pma.vic.gov.au is not operational
> (I wonder what can be found with passive DNS)
>
> * vic.gov.au is still operational.
>
>
> Quick googling also allowed me to find this:
>
> https://www.portofmelbourne.com/about-us/port-history/timeline/
>
> "1996 Melbourne Port Corporation established as successor to Port of
> Melbourne Authority."
>
>
> Regards,
> Carlos
>
>
>
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
On Fri, Sep 6, 2019 at 8:13 AM Neo Soon Keat <neo@soonkeat.sg> wrote:

> Sorry, re-sending to include the list.
>
> Looking at the history of the prefix, it does look like it did belong to
> the now-defunct Port of Melbourne Authority, with the matching e-mail
> address. That particular organization, however, no longer exists, having
> been absorbed into the Port of Melbourne Corporation, which is a proper
> statutory organization in Australia.
>
> A quick MX lookup does show that pma.vic.gov.au does not have any
> functioning mail servers on it however, and likely hasn’t been for some
> time (given it was absorbed in 2003).
>
>
it's hard for a domain that doesn't exist to have any records, really...
just sayin.


> On Sep 6, 2019, at 21:26, Mel Beckman <mel@beckman.org> wrote:
>
> A quick check of one of your facts produces unexpected results, so you
> might want to perform more research. According to the APNIC, 139.44.0.0/16
> does not “belong unambiguously to the Port Authority of Melbourne”. It
> belongs to an individual, with an *office address *at a building *called
> “*Port Authority of Melbourne”:
>
> person: Rob Shute
>
> address: Port of Melbourne Authority
> Level 47 South
> 525 Collins St
>
> country: AU
> phone: +61 3 9628 7613
> e-mail: djk@pma.vic.gov.au
> nic-hdl: RS54-AP
> remarks: ----------
> remarks: imported from ARIN object:
> remarks:
> remarks: poc-handle: RS546-ARIN
> remarks: is-role: N
> remarks: last-name: Shute
> remarks: first-name: Rob
> remarks: street: Port of Melbourne Authority
> Level 47 South
> 525 Collins St
> remarks: country: AU
> remarks: mailbox: djk@pma.vic.gov.au
> remarks: bus-phone: +61 3 9628 7613
> remarks: reg-date: 1970-01-01
> remarks: changed: hostmaster@arin.poc 20001127
> remarks: source: ARIN
> remarks:
> remarks: ----------
> notify: djk@pma.vic.gov.au
> mnt-by: MNT-ERX-PRTMELAUTH-NON-AU
> <https://wq.apnic.net/static/search.html?query=MNT-ERX-PRTMELAUTH-NON-AU>
> last-modified: 2008-09-04T07:31:33Z
> source: APNIC
>
> The *building *called the Port Authority of Melbourne is not, by all
> accounts, a government agency. It’s just the name of a 54-story office
> building, like the World Trade Center in NYC. In fact, *World Trade
> Centre (Melbourne) *is another name for the building, and although it
> houses the Port of Melbourne Authority agency (on Level 4, not Level 47),
> it appears to be largely just a toney address for business offices. Some,
> perhaps, not unlike American “Mail Boxes Etc” (although I haven’t confirmed
> this). But the following Wikipedia excerpt says this unambiguously:
>
> *The building currently houses some offices of the headquarters of
> Victoria Police, and the Victoria Police Museum , a collection of exhibits
> and memorabilia from over 150 years of policing in Victoria.[3] It also
> houses offices for companies, including Thales Australia.*
>
> https://en.m.wikipedia.org/wiki/Port_of_Melbourne_Authority
>
> Now, I’m not an Ossie, and in fact have never been down under, but it
> seems likely that the *address* in the registration is akin to a US
> business having a World Trade Center address in NYC. It means nothing as
> far as APNIC asset ownership is concerned. It’s just an address.
>
> I could be wrong. However, it seems a simple fact to verify by calling
> management at that building. I tried sending email to the registered “.
> gov.au” address:
>
> djk@pma.vic.gov.au
>
> But the domain does not exist.
>
> -mel beckman
>
> On Sep 6, 2019, at 1:30 AM, Ronald F. Guilmette <rfg@tristatelogic.com>
> wrote:
>
> Few of you here probably know about this, but nearly a week ago now
> an article appeared in South Africa's largest and most popular online
> tech publication, MyBroadband.co.za. It detailed many, but certainly not
> all of the results of my multi-month investigation of a massive and
> ongoing fraud involving the theft of large numbers of large (generally
> /16 or larger) abandoned legacy blocks, taken from the AFRINIC region
> and beyond:
>
>
> https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html
>
> For various editorial reasons, the article that was published actually
> downplayed the magnitude of the of the thefts quite dramatically. The
> totality of the IPv4 space that has been stolen or squatted, primarily
> but not exclusively, from South African companies and South African
> national
> goverment agencies and departments is actually at least 5x bigger than what
> was reported in the MyBroadband.co.za article.
>
> The overwhelming majority of this stolen and squatted IPv4 space has
> been helpfully routed by Cogent (AS174), to their customer, FDCServers
> of Chicago, and then on to the prefered destinations of a certain Mr.
> Elad Cohen of Israel, and his company Netstyle Atarim, Ltd. (I have
> saved traceroutes up the wazoo that prove the involvement of FDCServers,
> in particular, in all of this.)
>
> Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
> activities, basically grabbing everything that wasn't nailed down, both
> within the AFRINIC region and also within the APNIC region.
>
> In order to try to legitimize all of these thefts and squats, Mr. Cohen
> created quite a sizable number of fradulent route: objects within the
> Merit/RADB data base which, as most here should already know, has
> essentially zero authentication of any kind before it allows J. Random
> Luser to add pretty much any any route: object he wants to the RADB.
>
> Here's a full listing of all of Mr. Cohen's RADB route: objects as they
> existed as recently as August 17th:
>
> https://pastebin.com/raw/ZNgNuvtt
>
> And here is the short summary version showing just all of the
> prefixes/CIDRs
> that Mr. Cohen was effectively claiming rights and/or title to as of that
> same date:
>
> https://pastebin.com/raw/4LTaCg5R
>
> Plese do note the numerous blocks of size /16 or greater.
>
> The bottom line is that this one tiny little Israeli company was
> effectively
> claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of
> August 17th, 2019. (Not too shabby for one lone guy who teaches
> programming
> classes as a side job!) Vitrually all of the space is "legacy" IPv4 space,
> and generally consists of blocks having sizes of /16 or larger.
>
> Some of Mr. Cohen claims in his RADB entries are as humorous as they
> are pathetically fradulent. For example, Mr. Cohen has effectively
> claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
> Authority of the City of Melbourne, Australia. But hell! That's merely
> city property! Mr. Cohen's limitless appetite for other people's IPv4
> space is more vividly on display in his claims to ownerhip over the
> 168.198.0.0/16 block, which actually belongs to the Department of Finance
> of the Australian national government. And I haven't even mentioned yet
> another of Mr. Cohen volumous IPv4 acqusitions, the 165.25.0.0/16 block,
> which he did not see fit to create an RADB entry for, but which he's
> been squatting on for for quite some time now, quite clearly with the
> aid and assistance of both Cogent and FDCServers. That one belongs to
> th City of Cape Town, South Africa. That city's engineers have been
> struggling to regain control of their block back from Cogent, from
> FDCServers, and from Mr. Cohen for some time now. I know because I've
> personally spoken to them about it. Cogent, in its infinite wisdom, is
> continuing to fight the city for control over property that clearly and
> righfully belongs to the City of Cape Town, even as we speak:
>
> https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view
>
> When asked for LOAs attesting to his legitimate authority to route at
> least a few of these blocks, Mr. Cohen has produced blatantly forged
> documents, many of which appeared in the MyBroadband.co.za story. And
> when I say "blatant" that's a gross understatement. Any half-way decent
> forger would consider these documents an embarrasment. The documents all
> bear identical signatures, and identical and vaguely official looking
> stamps, and purport to actually be sales reciepts attesting to the
> alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
> company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
> company called Afrivestment, Ltd., which may actually exist in some
> faraway galaxy, or in Mr. Cohen's active imagination, but which both
> Google and OpenCorporates.com seem to agree exists exactly noplace on
> this planet. Here are the manufactured LOAs supplied by Mr. Cohen:
>
> https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
> https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
> https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view
>
> Recently, Cohen started to move some, but not all, of his stolen and
> squatted
> IPv4 blocks off of Cogent/FDCServers and onto a friendly little
> bullet-proof
> hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or
> to its several sister networks, e.g. AS204655 - Novogara Ltd., all of
> which,
> coincidently, just happen to be owned by the exact same pair of Dutch
> gentlemen who previously owned the notorious Ecatel, follwed by the
> notorious
> Quasi Networks. (IP Volume, Inc. appears to have intherited all or nearly
> all of its legitimately assigned IP space from its predecessor entities,
> Ecatel and Quasi Networks.)
>
> Despite these relocations, many of Mr. Cohen's stolen and squatted blocks
> are still helpfully being routed to Mr. Cohen's preferred desitnations by
> his good friends at Cogent and FDCServers, even as we speak. The current
> set of such routes that Cogent is maintaining, at the moment, apparently on
> behalf of their customer, Mr. Cohen, consists of the prefixes listed here:
>
> https://pastebin.com/raw/EA3xJVLF
>
> When I noticed two days ago that all of these routes were still up I was
> deeply confused. Did both Cogent and FDCServrs not get the memo?? Do
> they not know yet that Cohen is stealing stuff, left, right, and sideways?
> Did nobody even tell them about the MyBroadband.co.za article which was
> published this past Sunday? I decided that it was incumbant upon me to
> find out.
>
> Thus, more that 48 hours ago now I sent the following polite but firm
> inquiry to Cogent, and a separate nearly identical one directly to the
> CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).
>
> https://pastebin.com/raw/ztipqE96
>
> A full forty eight hours later, I have received no reply whatsoever from
> either Cogent or FDCServers, not even a "Go pound sand" type of response.
>
> More importantly, most of the stolen IPv4 space that I called out, very
> specifically, to both Cogent and FDCservers two+ days ago now is still
> being routed by Cogent/FDCservers to their fun-loving and, I'm sure,
> promptly paying customer, Mr. Cohen. If neither Cogent nor FDCServers
> still do not know now that Mr. Cohen is a crook, and that he has glommed
> onto quite a lot of stolen and squatted IPv4 space... which they have
> been helpfully routing for him, no doubt in exchange for some handsome
> payments... then I am forced to say that it appears to be a reasonable
> conclusion that it must be because neither Cogent nor FDCServers really
> wants to know what sort of a character Cohen is, or what he has been up
> to, specifically with their ongoing and material assistance.
>
> But you all be the judges. What does it look like to you?
>
>
> Regards,
> rfg
>
>
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
In message <5233B9B9-1BFF-425D-BB8F-E3853703B3F3@beckman.org>,
Mel Beckman <mel@beckman.org> wrote:

>A quick check of one of your facts produces unexpected results, so you might
>want to perform more research. According the APNIC, 139.44.0.0/16 does not
>“belong unambiguously to the Port Authority of Melbourne”.

Please, let's not start staring at -one- tree out of the several that
I've talked about, and then start arguing about the shape of the pine
cones on that one tree. Doing that will give short shrift to the
rather larger forest that I've tried to expose here.

Is anyone disputing that 168.198.0.0/16 belongs to the Australian
national government, or that AS174, Cogent was, until quite recently,
routing that down to their pals at FDCServers who then were routing
it down to their customer, Elad Cohen? If so, I ask that people look
up this network in the RIPE Routing history tool and ALSO that folks
have a look at, and explain, the following traceroute from August 23:

https://pastebin.com/raw/2nJtbwjs

Is anyone disputing that the 165.25.0.0/16 block rightfully belongs to
the City of Cape Town, or that Cogent -continues- even as we speak, to
announce a competing route to it? If so, I ask any such parties to please
explain this traceroute from August 20th:

https://pastebin.com/raw/2nJtbwjs

Is anyone disputing that the LOAs that Mr. Cohen has produced in response
to queries about some of the blocks he has stolen, and then routed via
Cogent and FDCServers, are blatant and indeed really bad forgeries?

Is anyone disputing that Mr. Cohen has, in effect, and via the Merit/RADB
data base, claimed rights over more than a million IPv4 addresses, many
of which self-evidently do not belong to him, or that Mr. Cohen's gracious
and helpful providers, FDCSewers and Cogent appear to have effectively
turned a blind eye to all this, or that they continue to do so, even as
we speak?

The Subject line that I used to start this thread may have seemed to some
to be over-the-top and provocative, but to be frank, I think now that I
may have not gone far enough. Cogent has been announcing a route to
the 165.25.0.0/16 block, which unambiguously belongs to the City of
Cape Town. At what point does such interference with legitimate
governmental functions and authority, on Cogent's part, cross over from
being merely bad manners and into the realm of criminality?


Regards,
rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
In message <23540.1567802066@segfault.tristatelogic.com>, I wrote:

>Is anyone disputing that 168.198.0.0/16 belongs to the Australian
>national government, or that AS174, Cogent was, until quite recently,
>routing that down to their pals at FDCServers who then were routing
>it down to their customer, Elad Cohen? If so, I ask that people look
>up this network in the RIPE Routing history tool and ALSO that folks
>have a look at, and explain, the following traceroute from August 23:
>
> https://pastebin.com/raw/2nJtbwjs

My apologies. In my furious haste, I botched that one URL. Here is the
correct file containing my traceroute to 168.198.12.242 as performed by
me on August 23rd:

https://pastebin.com/raw/TrLbGZuW


Regards,
rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
Hello Ronald,

If you'd open the traceroute you just sent, you'd see that the target is route looping and not actually used by their alleged customer? Since the loop is actually between the FDC aggregation router and Cogent's backbone router. Also, what would the target IP have been in this case, since it was omitted?
On Sep. 6 2019, at 11:06 pm, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> In message <23540.1567802066@segfault.tristatelogic.com>, I wrote:
>
> > Is anyone disputing that 168.198.0.0/16 belongs to the Australian
> > national government, or that AS174, Cogent was, until quite recently,
> > routing that down to their pals at FDCServers who then were routing
> > it down to their customer, Elad Cohen? If so, I ask that people look
> > up this network in the RIPE Routing history tool and ALSO that folks
> > have a look at, and explain, the following traceroute from August 23:
> >
> > https://pastebin.com/raw/2nJtbwjs
> My apologies. In my furious haste, I botched that one URL. Here is the
> correct file containing my traceroute to 168.198.12.242 as performed by
> me on August 23rd:
>
> https://pastebin.com/raw/TrLbGZuW
>
> Regards,
> rfg
>
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
In message <67B3E0D5-7D09-42E2-A753-EB6C93859F12@getmailspring.com>,
Florian Brandstetter <florianb@globalone.io> wrote:

>if you'd open the traceroute you just sent you'd see that the target
>is route looping and not actually used by their alleged customer?

Yea. So? How is that relevant to my fundamental narrative?

Cogent was announcing the whole of 168.198.0.0/16. Do we agree?

They were most probably *not* doing so just for laughs or just to
create routing loops. Do we agree?

Traceroutes show that from Cogent, packets were further being passed
to FDCServers. Do we agree?

Now, if you want to know who FDCSewer's customer was in this case,
why don't you try asking them?

I am satisfied that the intel that I've already collected indicates
the exceptionally high probability that this entire legacy /16 block...
along with many many others, also of entirely dubious provenance...
were all being routed to and for a certain Mr. Elad Cohen and his
company, Netstyle Atarim, Ltd.:

organisation: ORG-NAL9-RIPE
org-name: NETSTYLE A. LTD
org-type: LIR
address: Derech Menachem Begin 156
address: 6492108
address: Tel-Aviv
address: ISRAEL
phone: +972-1-800-204-404
e-mail: info (at) netstyle.io

>Also, what would the target IP have been in this case, since it was omitted?

If you look carefully, I gave that in the post you are responding to:

>> My apologies. In my furious haste, I botched that one URL. Here is the
>> correct file containing my traceroute to 168.198.12.242 as performed by
>> me on August 23rd:
>>
>> https://pastebin.com/raw/TrLbGZuW


Regards,
rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
Ron,

I’m just saying that I randomly checked one fact and it doesn’t meet the level of positive certainty that you asserted. It’s thus reasonable to ask you to double check your research all around. I’m not willing to be your unpaid copy editor, so let me know when you’ve done a double check and I’ll be willing to invest time in your story again.

-mel via cell

> On Sep 6, 2019, at 2:07 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>
> In message <23540.1567802066@segfault.tristatelogic.com>, I wrote:
>
>> Is anyone disputing that 168.198.0.0/16 belongs to the Australian
>> national government, or that AS174, Cogent was, until quite recently,
>> routing that down to their pals at FDCServers who then were routing
>> it down to their customer, Elad Cohen? If so, I ask that people look
>> up this network in the RIPE Routing history tool and ALSO that folks
>> have a look at, and explain, the following traceroute from August 23:
>>
>> https://pastebin.com/raw/2nJtbwjs
>
> My apologies. In my furious haste, I botched that one URL. Here is the
> correct file containing my traceroute to 168.198.12.242 as performed by
> me on August 23rd:
>
> https://pastebin.com/raw/TrLbGZuW
>
>
> Regards,
> rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
The fact that the port authority building is also an office building with multiple other tenants?

Whois contacts on a defunct domain belonging to an Australian government port authority agency that’s since been renamed don’t appear to support your hypothesis that this is another tenant of a government owned building.

--srs

________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Mel Beckman <mel@beckman.org>
Sent: Saturday, September 7, 2019 5:30 AM
To: Ronald F. Guilmette
Cc: nanog@nanog.org
Subject: Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

Ron,

I’m just saying that I randomly checked one fact and it doesn’t meet the level of positive certainty that you asserted. It’s thus reasonable to ask you to double check your research all around. I’m not willing to be your unpaid copy editor, so let me know when you’ve done a double check and I’ll be willing to invest time in your story again.

-mel via cell

> On Sep 6, 2019, at 2:07 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>
> In message <23540.1567802066@segfault.tristatelogic.com>, I wrote:
>
>> Is anyone disputing that 168.198.0.0/16 belongs to the Australian
>> national government, or that AS174, Cogent was, until quite recently,
>> routing that down to their pals at FDCServers who then were routing
>> it down to their customer, Elad Cohen? If so, I ask that people look
>> up this network in the RIPE Routing history tool and ALSO that folks
>> have a look at, and explain, the following traceroute from August 23:
>>
>> https://pastebin.com/raw/2nJtbwjs
>
> My apologies. In my furious haste, I botched that one URL. Here is the
> correct file containing my traceroute to 168.198.12.242 as performed by
> me on August 23rd:
>
> https://pastebin.com/raw/TrLbGZuW
>
>
> Regards,
> rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
In message <D12EFE8F-466E-4751-BF67-967C8696B4E4@beckman.org>,
Mel Beckman <mel@beckman.org> wrote:

>I’m just saying that I randomly checked one fact and it doesn’t meet
>the level of positive certainty that you asserted. It’s thus reasonable
>to ask you to double check your research all around. I’m not willing
>to be your unpaid copy editor, so let me know when you’ve done a double
>check and I’ll be willing to invest time in your story again.

Well, let's dissect that a bit. You're asserting an inadequate "level of
positive certainty" but you have not specified about what, in particular.

I posted a link to a list of 71 different RADB entries that were present
in the Merit/RADB data base as of August 17th, all of which gave every
appearance of having been created by Mr. Elad Cohen. I will assume for
the moment that you are not calling into question the "positive certainty"
that I have about any of that data or about any of those RADB entries.

Out of those 71 routes, most of which appear to be rather clearly fraudulent,
you have picked out exactly and only -one- of those 71, and your only
criticism seems to be that I haven't been quite precise enough in my
identification of the exact victim, somewhere in Australia, in that one
particular case.

I just want to make sure that I understand. You're -not- claiming that
either Mr. Cohen or FDCServers, or Cogent had any legitimate rights or
titles to that specific block (139.44.0.0/16), correct? You are only
claiming that I have mis-identified the victim of this particular squat as
being `X' when I should more properly have said that the actual victim
was in fact `Y'. Am I summarizing your criticism accurately?


Regards,
rfg


P.S. Not that it matters to the point Mel raised, but I would like
to just note in passing that the 139.44.0.0/16 block, may perhaps *not*
in fact be routed by AS174 (Cogent) anymore, although it did appear to
still be routed by AS17, at least to bgp.he.net, as of 05 Sep 2019 20:34
PST:

https://bgp.he.net/net/139.44.0.0/16

More current data from RIPEStat indicates that this entire /16 is now
being routed by Mr. Cohen's new good friends at AS204655, Novogara Ltd.,
which appears to be owned and operated by the same two sterling Dutch
gentlemen, Mr. Ferdinand Reinier Van Eeden and Mr. Bartholomeus Johannes
("Bap") Karreman, who also appear to be the owners/operators of what
is nowadays called "IP Volume Inc." and which previously was known as
Quasi Networks, and which was, before that, known as Ecatel.

Novogara appears to have become home to quite a number of sizable IPv4
legacy blocks, from both the AFRINIC region and also the APNIC region,
in very recent days:

https://bgp.he.net/AS204655#_prefixes

The fact that there seems to be a rather significant correlation between
the IPv4 legacy blocks currently being announced by Mr. Van Eeden's and
Mr. Karreman's several Dutch ASNs and the list of pilfered IPv4 legacy
blocks that Mr. Cohen was kind enough to supply in the RADB data base
should, in my opinion, come as a surprise to exactly no one.
Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
Hi Ronald,
APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and brought this matter to their attention.
Regards,

Vivek
Member Services Manager, APNIC



From: Ronald F. Guilmette <rfg@tristatelogic.com>
Date: Fri, Sep 6, 2019 at 6:30 PM
Subject: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?
To: <nanog@nanog.org>


Few of you here probably know about this, but nearly a week ago now
an article appeared in South Africa's largest and most popular online
tech publication, MyBroadband.co.za. It detailed many, but certainly not
all of the results of my multi-month investigation of a massive and
ongoing fraud involving the theft of large numbers of large (generally
/16 or larger) abandoned legacy blocks, taken from the AFRINIC region
and beyond:

https://mybroadband.co.za/news/internet/318205-the-big-south-african-ip-address-heist-how-millions-are-made-on-the-grey-market.html

For various editorial reasons, the article that was published actually
downplayed the magnitude of the thefts quite dramatically. The
totality of the IPv4 space that has been stolen or squatted, primarily
but not exclusively, from South African companies and South African national
government agencies and departments is actually at least 5x bigger than what
was reported in the MyBroadband.co.za article.

The overwhelming majority of this stolen and squatted IPv4 space has
been helpfully routed by Cogent (AS174), to their customer, FDCServers
of Chicago, and then on to the preferred destinations of a certain Mr.
Elad Cohen of Israel, and his company Netstyle Atarim, Ltd. (I have
saved traceroutes up the wazoo that prove the involvement of FDCServers,
in particular, in all of this.)

Mr. Cohen has been exceptionally prolific in his IPv4 theft and squatting
activities, basically grabbing everything that wasn't nailed down, both
within the AFRINIC region and also within the APNIC region.

In order to try to legitimize all of these thefts and squats, Mr. Cohen
created quite a sizable number of fraudulent route: objects within the
Merit/RADB data base which, as most here should already know, has
essentially zero authentication of any kind before it allows J. Random
Luser to add pretty much any route: object he wants to the RADB.

Here's a full listing of all of Mr. Cohen's RADB route: objects as they
existed as recently as August 17th:

https://pastebin.com/raw/ZNgNuvtt

And here is the short summary version showing just all of the prefixes/CIDRs
that Mr. Cohen was effectively claiming rights and/or title to as of that
same date:

https://pastebin.com/raw/4LTaCg5R

Please do note the numerous blocks of size /16 or greater.

The bottom line is that this one tiny little Israeli company was effectively
claiming rights to a total of no fewer than 1,015,808 IPv4 addresses as of
August 17th, 2019. (Not too shabby for one lone guy who teaches programming
classes as a side job!) Virtually all of the space is "legacy" IPv4 space,
and generally consists of blocks having sizes of /16 or larger.

Some of Mr. Cohen's claims in his RADB entries are as humorous as they
are pathetically fraudulent. For example, Mr. Cohen has effectively
claimed rights to 139.44.0.0/16 which unambiguously belongs to the Port
Authority of the City of Melbourne, Australia. But hell! That's merely
city property! Mr. Cohen's limitless appetite for other people's IPv4
space is more vividly on display in his claims to ownership over the
168.198.0.0/16 block, which actually belongs to the Department of Finance
of the Australian national government. And I haven't even mentioned yet
another of Mr. Cohen's voluminous IPv4 acquisitions, the 165.25.0.0/16 block,
which he did not see fit to create an RADB entry for, but which he's
been squatting on for quite some time now, quite clearly with the
aid and assistance of both Cogent and FDCServers. That one belongs to
the City of Cape Town, South Africa. That city's engineers have been
struggling to regain control of their block back from Cogent, from
FDCServers, and from Mr. Cohen for some time now. I know because I've
personally spoken to them about it. Cogent, in its infinite wisdom, is
continuing to fight the city for control over property that clearly and
rightfully belongs to the City of Cape Town, even as we speak:

https://drive.google.com/file/d/1ytRj1CtuVhDa0eGu4BT-oEz593y5EwJa/view

When asked for LOAs attesting to his legitimate authority to route at
least a few of these blocks, Mr. Cohen has produced blatantly forged
documents, many of which appeared in the MyBroadband.co.za story. And
when I say "blatant" that's a gross understatement. Any half-way decent
forger would consider these documents an embarrassment. The documents all
bear identical signatures, and identical and vaguely official looking
stamps, and purport to actually be sales receipts attesting to the
alleged purchases, by Mr. Cohen's offshore Seychelles Islands shell
company, Afri Holdings, Ltd., of various /16 blocks from a mysterious
company called Afrivestment, Ltd., which may actually exist in some
faraway galaxy, or in Mr. Cohen's active imagination, but which both
Google and OpenCorporates.com seem to agree exists exactly noplace on
this planet. Here are the manufactured LOAs supplied by Mr. Cohen:

https://drive.google.com/file/d/1hVjmR6u0ANltuXtZ-Kng8io-EGFyevTR/view
https://drive.google.com/file/d/1x_44_H5hkcFLhEwpkwfFoR5PJUyXHzxJ/view
https://drive.google.com/file/d/1yQyqn4q_f3bt-wDVoN1FzbXf1k58DXtK/view

Recently, Cohen started to move some, but not all, of his stolen and squatted
IPv4 blocks off of Cogent/FDCServers and onto a friendly little bullet-proof
hosting company in the Netherlands named IP Volume, Inc. (AS202425) and/or
to its several sister networks, e.g. AS204655 - Novogara Ltd., all of which,
coincidently, just happen to be owned by the exact same pair of Dutch
gentlemen who previously owned the notorious Ecatel, followed by the notorious
Quasi Networks. (IP Volume, Inc. appears to have inherited all or nearly
all of its legitimately assigned IP space from its predecessor entities,
Ecatel and Quasi Networks.)

Despite these relocations, many of Mr. Cohen's stolen and squatted blocks
are still helpfully being routed to Mr. Cohen's preferred destinations by
his good friends at Cogent and FDCServers, even as we speak. The current
set of such routes that Cogent is maintaining, at the moment, apparently on
behalf of their customer, Mr. Cohen, consists of the prefixes listed here:

https://pastebin.com/raw/EA3xJVLF

When I noticed two days ago that all of these routes were still up I was
deeply confused. Did both Cogent and FDCServers not get the memo?? Do
they not know yet that Cohen is stealing stuff, left, right, and sideways?
Did nobody even tell them about the MyBroadband.co.za article which was
published this past Sunday? I decided that it was incumbent upon me to
find out.

Thus, more than 48 hours ago now I sent the following polite but firm
inquiry to Cogent, and a separate nearly identical one directly to the
CEO of FDCServers, Mr. Petr Kral (petr(at)fdcservers.net).

https://pastebin.com/raw/ztipqE96

A full forty eight hours later, I have received no reply whatsoever from
either Cogent or FDCServers, not even a "Go pound sand" type of response.

More importantly, most of the stolen IPv4 space that I called out, very
specifically, to both Cogent and FDCservers two+ days ago now is still
being routed by Cogent/FDCservers to their fun-loving and, I'm sure,
promptly paying customer, Mr. Cohen. If neither Cogent nor FDCServers
still do not know now that Mr. Cohen is a crook, and that he has glommed
onto quite a lot of stolen and squatted IPv4 space... which they have
been helpfully routing for him, no doubt in exchange for some handsome
payments... then I am forced to say that it appears to be a reasonable
conclusion that it must be because neither Cogent nor FDCServers really
wants to know what sort of a character Cohen is, or what he has been up
to, specifically with their ongoing and material assistance.

But you all be the judges. What does it look like to you?


Regards,
rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
In message <9567B241-12CE-4728-8E73-FF7143907CEF@apnic.net>,
Vivek Nigam <vivek@apnic.net> wrote:

>APNIC has contacted the custodians of 139.44.0.0/16 and 168.198.0.0/16 and
>brought this matter to their attention.

Excellent. Thank you.

If possible, it would be Good if APNIC could also make contact with the
rightful owners of the following additional 3 Japanese blocks, all of
which were, of late, routed by Cogent to FDCServers and thence, presumably,
to Mr. Cohen.

143.136.0.0/16
143.253.0.0/16
146.51.0.0/16

I tried to make contact myself with the legit owners of all of the above,
but found it to be quite difficult. The registered owner of the first
one appears to have gone into hiding on a remote island someplace. I only
say that because, despite some considerable effort on my part, I was not
able to find him. Making contact with the legitimate owners of the other
two blocks, both of which belong to Japanese corporations that are still
very much alive, was rather difficult also, because I am only a stupid
gaijin, and don't speak a word of Japanese.


Regards,
rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
Ronald F. Guilmette wrote:

> If possible, it would be Good if APNIC could also make contact with the
> rightful owners of the following additional 3 Japanese blocks,

Because whois contact information is, seemingly by acquisition
and relocation, obsolete, it should be impossible for APNIC
to do so.

> 143.136.0.0/16
> 143.253.0.0/16
> 146.51.0.0/16
>
> I tried to make contact myself with the legit owners of all of the above,
> but found it to be quite difficult. The registered owner of the first
> one appears to have gone into hiding on a remote island someplace.

From whois information:

remarks: reg-date: 1993-03-22

notify: tmiyoko@gaijin.co.jp
mnt-by: MNT-ERX-CROSFIELDELE-NON-JP
last-modified: 2008-09-04T07:31:15Z

I guess CROSFIELDELE is Japanese branch of:

https://en.wikipedia.org/wiki/Crosfield_Electronics
The firm was eventually taken over by Fujifilm Japan and named
Fujifilm Electronic Imaging, now FFEI Ltd. following a
management buy-out in 2008.[1]

though, according to:

https://www.ffei.co.uk/about-ffei-design-and-manufacture-digital-inkjet/

MBO was in 2006. In the page, we can also confirm that FFEI was
Crosfield until 1997.


> Making contact with the legitimate owners of the other
> two blocks, both of which belong to Japanese corporations that are still
> very much alive, was rather difficult also, because I am only a stupid
> gaijin, and don't speak a word of Japanese.

Both relocated. I send queries to the current contact points.

Maybe, blocks with stale contact information are attacked.

Masataka Ohta
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
In message <152f0dbc-f7af-2a78-c5a7-f2062effed23@necom830.hpcl.titech.ac.jp>,
Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:

> From whois information:
>
> remarks: reg-date: 1993-03-22
>
> notify: tmiyoko@gaijin.co.jp
                  ^^^^^^^^^^^^


I already talked to the guy who has owned the above domain name for more than
25+ years. He's an American, living in Southern California, who these days
runs a solar panel installation company.

He told me that he has no way to find "tmiyoko" anymore and that that guy
was just one of thousands of customers the guy in SoCal had, back 20+ years
ago, for his Japanese ISP business.


Regards,
rfg
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
Ronald F. Guilmette wrote:

To me:

>> notify: tmiyoko@gaijin.co.jp

merely suggest miyoko has some relationships with
gaijin (foreigners), which is partly why I guess:

www.ffei.co.uk

is the owner.

Masataka Ohta
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
As I wrote:

>>      143.136.0.0/16
>>      143.253.0.0/16
>>      146.51.0.0/16
>>
>> I tried to make contact myself with the legit owners of all of the above,
>> but found it to be quite difficult.  The registered owner of the first
>> one appears to have gone into hiding on a remote island someplace.

> Both relocated. I send queries to the current contact points.

I get reply from technical people in a company, which has
originally assigned:

146.51.0.0/16

they said they have never transferred the block and allow me
to post so here.

So, RADB entry:

https://pastebin.com/raw/ZNgNuvtt
route: 146.51.0.0/16
origin: AS174
descr: Cogent
mnt-by: MAINT-AS199267
changed: elad@netstyle.io 20190710 #17:02:13Z
source: RADB

is confirmed to be registration fraud.

Masataka Ohta
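
The check discussed in this message, as an added example that is not part of any post in the thread and is not code from RADB or any poster: it parses IRR `route:` objects and compares each one against what the registered holder has confirmed. The first route object is the RADB entry quoted above; the second object, the holder table with its field names and maintainer names, and the finding labels are all constructed assumptions for illustration.

```python
import ipaddress
import re

# First object: the RADB entry quoted in the thread. Second object: constructed.
IRR_DUMP = """\
route:      146.51.0.0/16
origin:     AS174
descr:      Cogent
mnt-by:     MAINT-AS199267
changed:    elad@netstyle.io 20190710 #17:02:13Z
source:     RADB

route:      192.0.2.0/24
origin:     AS64500
descr:      Example Net
mnt-by:     MAINT-AS64500
changed:    noc@example.net 20190101
source:     RADB
"""

# Constructed stand-in for what the registered holder confirms out of band:
# which maintainers are theirs and which origin ASes they authorized to
# announce. An empty set models "we never authorized anyone"; a provider
# announcing on the holder's behalf would be listed here without any transfer.
HOLDER_RECORDS = [
    {"prefix": "146.51.0.0/16",
     "maintainers": {"MNT-EXAMPLE-HOLDER"},      # hypothetical name
     "authorized_origins": set()},
    {"prefix": "192.0.2.0/24",
     "maintainers": {"MAINT-AS64500"},
     "authorized_origins": {"AS64500"}},
]

MNT_AS = re.compile(r"AS(\d+)$", re.I)


def parse_rpsl(text):
    """Split an RPSL dump into objects; each attribute maps to a list of values."""
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an object
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        line = raw.split("#", 1)[0].rstrip()     # '#' starts a comment in RPSL
        if not line:
            continue
        if raw[0] in " \t+" and last_key:        # continuation of previous value
            current[last_key][-1] += " " + line[1:].strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def covering_record(prefix, records):
    """Return the most specific holder record that covers the prefix, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    best, best_len = None, -1
    for rec in records:
        rec_net = ipaddress.ip_network(rec["prefix"])
        if (net.version == rec_net.version and net.subnet_of(rec_net)
                and rec_net.prefixlen > best_len):
            best, best_len = rec, rec_net.prefixlen
    return best


def audit_route(obj, records):
    """Return a list of findings for one route object (empty list = clean)."""
    findings = []
    origin = obj["origin"][0].upper()
    maintainers = [m.strip() for v in obj.get("mnt-by", []) for m in v.split(",")]
    rec = covering_record(obj["route"][0], records)
    if rec is None:
        findings.append("no-holder-record")
    else:
        if origin not in rec["authorized_origins"]:
            findings.append("origin-not-authorized-by-holder")
        if not set(maintainers) & rec["maintainers"]:
            findings.append("maintainer-not-holder")
    # Heuristic: a maintainer named after one AS registering a route that
    # originates from a different AS deserves a manual look.
    for mnt in maintainers:
        m = MNT_AS.search(mnt)
        if m and "AS" + m.group(1) != origin:
            findings.append("maintainer-as-differs-from-origin")
    return findings


def audit(text, records):
    """Audit every route object in an IRR dump; returns {prefix: findings}."""
    return {o["route"][0]: audit_route(o, records)
            for o in parse_rpsl(text) if "route" in o and "origin" in o}


if __name__ == "__main__":
    for prefix, findings in audit(IRR_DUMP, HOLDER_RECORDS).items():
        print(prefix, findings or "ok")
```
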
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
On Fri, Oct 11, 2019 at 08:14:00PM +0900,
Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote
a message of 34 lines which said:

> they said they have never transferred the block

> So, RADB entry:
...
> route: 146.51.0.0/16
> origin: AS174
...
> is confirmed to be registration fraud.

I nitpick, but "never transferred the block" is not the same thing as
"never authorized Cogent to announce it".
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
Stephane Bortzmeyer wrote:
> On Fri, Oct 11, 2019 at 08:14:00PM +0900,
> Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote
> a message of 34 lines which said:
>
>> they said they have never transferred the block
>
>> So, RADB entry:
> ...
>> route: 146.51.0.0/16
>> origin: AS174
> ...
>> is confirmed to be registration fraud.
>
> I nitpick, but "never transferred the block" is not the same thing as
> "never authorized Cogent to announce it".

Cogent? I think Cogent is innocent.

What, do you think:

changed: elad@netstyle.io 20190710 #17:02:13Z

mean?

Masataka Ohta
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
> On Oct 11, 2019, at 6:28 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
> I nitpick, but "never transferred the block" is not the same thing as
> "never authorized Cogent to announce it”.

This should not be just a “nitpick". AT&T announces our extremely legacy ARIN allocation for us because we do not qualify to have an ASN, but I absolutely did not, will not, and *have actively resisted attempts to* transfer the block to them. I would sooner have my gums tattooed than give up my address space. Having an ASN was not a requirement when we were allocated the resource, and I don’t see why we should be punished for being early adopters.
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
On Fri, Oct 11, 2019 at 7:16 AM Daniel Seagraves <
dseagrav@humancapitaldev.com> wrote:

> > On Oct 11, 2019, at 6:28 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
> >
> > I nitpick, but "never transferred the block" is not the same thing as
> > "never authorized Cogent to announce it”.
>
> This should not be just a “nitpick". AT&T announces our extremely legacy
> ARIN allocation for us because we do not qualify to have an ASN, but I
> absolutely did not, will not, and *have actively resisted attempts to*
> transfer the block to them. I would sooner have my gums tattooed than give
> up my address space. Having an ASN was not a requirement when we were
> allocated the resource, and I don’t see why we should be punished for being
> early adopters.
>

Getting an AS number is as easy as getting two $20/month virtual servers
(e.g. from Vultr and one other provider) and then applying for one from
ARIN on the grounds that you're multihomed. As a bonus, you can actually
announce it from the VPS provider with a couple prepends, link back to your
site with a VPN through whatever cheap commodity backup path you can get
and actually be multihomed.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
On 10/11/19 07:16, Daniel Seagraves wrote:
> This should not be just a “nitpick". AT&T announces our extremely legacy ARIN allocation for us because we do not qualify to have an ASN, but I absolutely did not, will not, and *have actively resisted attempts to* transfer the block to them. I would sooner have my gums tattooed than give up my address space. Having an ASN was not a requirement when we were allocated the resource, and I don’t see why we should be punished for being early adopters.

How exactly is it punishment that BGP needs an AS number? If AT&T won't
support a private AS number for the last mile then that's AT&T, not
ARIN. If you're a legacy holder you should be around long enough to know
this stuff and that it's not some conspiracy that BGP uses AS numbers.
Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft? [ In reply to ]
> On Oct 12, 2019, at 12:22 PM, Seth Mattinen <sethm@rollernet.us> wrote:
>
> How exactly is it punishment that BGP needs an AS number?

It’s not. I was objecting to the implication that if someone announces a prefix that has not been transferred to their ownership it is fraudulent or shady, and as a consequence I should be forced to surrender my addresses since I can’t announce them myself.