This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] HostSailor, TrendMicro, & Censorship of Internet Security Reporting
- Previous message (by thread): [anti-abuse-wg] AS60117 (HostSailor) and "Mayko Evgeniy"
- Next message (by thread): [anti-abuse-wg] Mr. Alexander Freeman
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jul 14 23:39:14 CEST 2016
Late yesterday, I posted here a list of over 5,000 domain names, scattered across 205 different IPv4 addresses, all of them on AS60117 (HostSailor), and all of them connected to rather unambiguously to a "Mayko Evgeniy" who has been identified elsewhere as the registrant of a number of similar nonsense .TOP domain names which have been used to distribute the Angler Exploit Kit. My report also included a number of links to other evidence which would tend to support the view that HostSailor is, at thee very least, tolerant of this sort of untoward and/or outright criminal activity on its network. In particular, I called attention to the following damning report done by TrendMicro, which is clearly all about HostSailor: Looking Into a Cyber-Attack Facilitator in the Netherlands http://bit.ly/1WHyftV I also noted that it appeared that this detailed online report had been "scrubbed", AFTER ITS INITIAL PUBLICATION, of any specific or explicit mention of either HostSailor or its alleged director, Mr. Alexander Freeman. Apparently, the report's authors even went to such lengths as applying white-out to conceal Mr. Freeman's last name from the .PNG image file, included in the report, which showed/shows (a redacted version of) Mr. Freeman's LinkedIn page: http://bit.ly/29GkNYn -- LinkedIn page as redacted by TrendMicro http://bit.ly/29GOIeO -- Mr. Freeman's actual LinkedIn page In that same posting of mine yesterday, I wondered aloud about what could possibly have caused TrendMicro to self-censor their own otherwise brilliant report about this rogue network, after its initial/original publication, but only in a very limited way... removing _just_ the incriminating fingerprints from the body, so to speak. (It appeared/ appears that the only thing(s) that TrendMicro alterered or removed when they revised/redacted their report was just any and all explicit mentions of either Mr. Freeman or Host Sailor, Ltd. Those explict mentions.. of either the company name or Mr. Freeman's name... were all redacted in the revised/redacted version of the report.) In my posting yesterday, I specifically mentioned that this sort of (otherwise inexplicable) behavior on TrendMicro's part... i.e. the self-censoring of their own report... could perhaps be explained by possibility that the company's lawyers may have received some sort of threat of legal action. This seemed like a logical and obvious possibility, but at the time (yesterday), that was just utterly baseless speculation on my part. That has now changed. In the wake of my posting yesterday, Mr. Freeman sent me, via private e-mail, the lengthy and virulent screed which is appended below. This private e-mail message utterly removes any doubts I might have had that Mr. Freeman and/or his company might attempt to use bogus legal threats to deter anyone who dares to simply report the publically accessible known facts and evidence about his network and/or the criminal activities of his various customers. As can be clearly seen in the email below, Mr. Freeman states that "you'll hear from our legal team" and "the person who will be locked behind bars or pay a huge sum of compensation will be you". Of course, Mr. Freeman's legal threats against me aren't absolute proof that he and/or Hostsailor have been going around issuing legal threats to others... in particular, TrendMicro... in an effort to intimidate honest citizens, journalists, and malware researchers into keeping quiet about the goings on within the HostSailor network. But Mr. Freeman's explicit legal threats against me quite certainly _are_, at the very least, strongly suggestive that Mr. Freeman and/or Hostsailor may have sent similar threats of legal action also to TrendMicro, and that such threats may in fact have been the reason why TrendMicro self-censored its own well-researched report after its initial, original, and uncensored first publication. If that is indeed the explanation for TrendMicro's self-censoring of its own detailed report on HostSailor, then it is deeply troubling. Essentially every well-known company that specalizes in providing network security solutions to business, industry, governments, academia, and individuals operates its own blog thess days. Whereas a lot of the information that's posted to these company-specific blogs is primarily intended to show off the prowess and technological expertise of the companies in question, these blogs also provide the results of in-depth investigations and vast amounts of incredibly useful data, facts, and intelligence to the entire security community, to the entire Internet community, and, of course, to law enforce- ment. If the various companies that run these blogs are going to adopt a habit of self-censoring in response to every bogus legal threat, no matter how silly and absurd, and no matter what thin, dodgy, and dubious "companies" originate them, then we are all going to be much worse off, in the end, due to the increasing lack of public information about real security threats and incidents. Here and elsewhere, I will be calling upon TrendMicro show some semblance of a backbone, and for them to RESTORE to the web the ORIGINAL version of their very detailed report about the various kind of criminality that they connected to the Hostsailor network. My calls for them to do this may certainly go unanswered, but I believe that it is worth the effort anyway. Additionally, I ask *all* companies in the security space, but particularly those in the U.S., which enjoy the freedom and protection of the First Amendment, to fiercely resist the temptation to quietly bow down and knuckle under in the face of all baseless legal threats, but, in particular, those that arrive from corporate entities whose only legal existance... if they exist at all... is limited to dodgy jurisdictions, including but not limited to: Russia, Luxembourg, Belize, Panama, and pretty much every country in the Middle East. (Oh yea... and also the British Virgin Islands, the Maldives, the Seychelles Islands, and Labuan.) Here in the U.S., we have this little thing called the First Amendment. For more than 200 years, men have fought and died to protect it, not just for me, not just for average Joe Citizen of the U.S.A., but also for the likes of TrendMicro. In this case, TrendMicro's apparent ill-considered self-censorship represents a disrespect for the memory, legacy, and sacrafice of all of those valiant lives, and I hope that, in the end, the company will think better of it, do the Right Thing, and stand up to these bullies. They should do that, if not for the sake of the First Amendment, then for their own sakes. The sight of a $5 billion dollar company being cowed by hollow legal threat from some pipsqueak of a company that's hiding out in a tax-haven country is really pretty revolting, and by rights ought to be publically humiliating for TrendMicro. And under the circumtances, I don't think that it is at all improper to ask the question: Is TrendMicro also and likewise adjusting the parameters of the filtering and/or security products it sells, based upon bogus legal threats from other crimeware supporting pipsqueaks? One hopes not, but... For my own part, let me just say: I stand by my report of yesterday. Regards, rfg P.S. In the very slim, unlikely, and implausible event that Mr. Freeman and/or "Host Sailor, Ltd." turn out to be real things AND that they do in fact elect to proceed to legal action, I just want to say how very much I look forward to both (a) witnessing Mr. Freeman's deposition and (b) reading all of his business records, in particular those pertaining to his various criminal and/or otherwise dodgy customers. (I would quite certainly request all of those, during discovery, of course, with an appropriate set of subpoena duces tecum.) It should all prove very enlightening. ------- Forwarded Message From: Alexander Freeman <ripe at hostsailor.com> Subject: Re: [rfg295165] Another crimeware IP on your network - 185.106.122.106 Reply-To: ripe at hostsailor.com References: <48781.1467147180 at server1.tristatelogic.com> To: "Ronald F. Guilmette" <rfg at tristatelogic.com> Organization: Host Sailor Ltd. Message-ID: <783dc7a7-890e-34e3-57ae-cfa6e2a77aa3 at hostsailor.com> Date: Thu, 14 Jul 2016 18:58:56 +0200 In-Reply-To: <48781.1467147180 at server1.tristatelogic.com> Hi, So whilst I was stupidly and naively waiting for you, thinking you're preparing me the evidence list for the IPS I tried to run my own investigation with the team on the IPS, seems you just went ahead with another none sense thread. I have tried to be nice, I have tried to help you help us, I wasted enough time on our conversation on daily basis, you tricked me, not the other way around, you proven to me that you're an untrustable person, and for that reason rest assured you will pay the price of this blackmailing, and dirty tactic of yours, that is causing nothing to me and my organization but harm. Please note that if you have nothing else to do than look into some old trash on the internet that makes no sense into your so called investigation that you're using as a coverup to bully people into handing you personal data of clients, which I hardly believe, then I strongly advise you to really just really take your own pathetic tactics elsewhere, because if you will keep posing any threats to me or my organization on more waste of time discussions everywhere, I'll make sure you pay the price quite well, if you think you are going to continue to cause threats, and give false claims/accusations everywhere, trust me this will all go down on you badly, and it will be done in a very legitimate manner. I have shared this all with our investors, and with our friends in various European and American agencies, we received the same response from all of them, that we should take this matter further since you're someone who is causing harm to others on the internet, and in a matter of time you'll hear from our legal team, if you want a battle that you can't fully and financially support, then let it be, you will not continue to humiliate us in public in the same way you're doing, not after I tried to personally help you, the person who will be locked behind bars or pay a huge sum of compensation will be you, take my word for this, people like you can not go around hurting businesses and be left alone. So listen carefully, consider this my final email to you, take it as a gentle warning before you get yourself a big slap back. Let me remind you Mr Ronald... the terrorist here is you, not me, not my organization, you know why? because you decide to attack firms trying to make a living and terrorize them, you are probably paid by larger firms to do so, and if my assumption is wrong, then there is definitely other motives behind what you doing, in all angles I see you as a terrorist, because you can't go around like that to large firms with massive huge abuse records than anyone else on the planet, you choose the weaker to victimize them, the person who's trying to bully, blackmail and cause harm to other providers who has done nothing but try to help you, and fight spam/abuse on a daily basis, you have no right what so ever to tell me or my organization how to do business, we do business in the way we deem right, and you will not in a million years decide how others run their businesses, structure or operations. You thought you can deceive me into handing you data of 200 clients, you pathetic liar, you are no different than those who are running ransom-ware around tricking people into paying money, you did the exact same thing just in a slightly different manner. You even could not provide me with any evidence for the 200 IPS, not even the 3-4 ips, you provided me with 1-2 so you can trick me into handing you 200. And guess what? out of the 200 you handed me only one is really abusive the rest are legitimate users with normal websites, forex trading, seo, forums, travel agencies and not to mention they all had different patterns, different countries, different IPS, different emails, even different payment methods using credit cards that were verified legally as per our terms of use for credit card payments! Some have been with us for weeks, some been with us for months, some even been with us for a year or two, even some IPS were not even inuse by any clients, but do not worry we had that one abusive case worked on already with our close partners that had enough evidence to work with us closely on the matter. I am sorry to fully get to the conclusion that you're either a pathetic deceiver or you're a stupid security analyst following wrong leads, and clues, because so far I have proven you wrong from the start from the routing of the IP ranges to our network to the end of this case, you were wrong all the way, and you know it. So just in a nutshell, if you think you are Mr power, and got your little crappy investigations going on, we have our own investigations internally on a much larger scale and with very well known people that can look after us very well when we're in need of help or assistance, especially from people like you, not from the ransom-ware gangs that you are making up to penetrate into the privacy of our legitimate clients. {...snipped...} Regards, Alexander Freeman +1 (213) 234 - 4292 http://www.hostsailor.com ------- End of Forwarded Message
- Previous message (by thread): [anti-abuse-wg] AS60117 (HostSailor) and "Mayko Evgeniy"
- Next message (by thread): [anti-abuse-wg] Mr. Alexander Freeman
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]