[anti-abuse-wg] HostSailor, TrendMicro, & Censorship of Internet Security Reporting
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jul 14 23:39:14 CEST 2016
Late yesterday, I posted here a list of over 5,000 domain names,
scattered across 205 different IPv4 addresses, all of them on AS60117
(HostSailor), and all of them connected, rather unambiguously, to a
"Mayko Evgeniy" who has been identified elsewhere as the registrant of
a number of similar nonsense .TOP domain names which have been used to
distribute the Angler Exploit Kit. My report also included a number
of links to other evidence which would tend to support the view that
HostSailor is, at the very least, tolerant of this sort of untoward
and/or outright criminal activity on its network.
In particular, I called attention to the following damning report done
by TrendMicro, which is clearly all about HostSailor:
Looking Into a Cyber-Attack Facilitator in the Netherlands
http://bit.ly/1WHyftV
I also noted that it appeared that this detailed online report had been
"scrubbed", AFTER ITS INITIAL PUBLICATION, of any specific or explicit
mention of either HostSailor or its alleged director, Mr. Alexander
Freeman. Apparently, the report's authors even went to such lengths as
applying white-out to conceal Mr. Freeman's last name from the .PNG image
file, included in the report, which showed/shows (a redacted version of)
Mr. Freeman's LinkedIn page:
http://bit.ly/29GkNYn -- LinkedIn page as redacted by TrendMicro
http://bit.ly/29GOIeO -- Mr. Freeman's actual LinkedIn page
In that same posting of mine yesterday, I wondered aloud about what could
possibly have caused TrendMicro to self-censor their own otherwise
brilliant report about this rogue network, after its initial/original
publication, but only in a very limited way... removing _just_ the
incriminating fingerprints from the body, so to speak. (It appeared/
appears that the only thing(s) that TrendMicro altered or removed when
they revised/redacted their report was just any and all explicit mentions
of either Mr. Freeman or Host Sailor, Ltd. Those explicit mentions... of
either the company name or Mr. Freeman's name... were all redacted in
the revised/redacted version of the report.)
In my posting yesterday, I specifically mentioned that this sort of
(otherwise inexplicable) behavior on TrendMicro's part... i.e. the
self-censoring of their own report... could perhaps be explained by the
possibility that the company's lawyers may have received some sort of
threat of legal action. This seemed like a logical and obvious possibility,
but at the time (yesterday), that was just utterly baseless speculation
on my part.
That has now changed.
In the wake of my posting yesterday, Mr. Freeman sent me, via private
e-mail, the lengthy and virulent screed which is appended below. This
private e-mail message utterly removes any doubts I might have had that
Mr. Freeman and/or his company might attempt to use bogus legal threats
to deter anyone who dares to simply report the publicly accessible
known facts and evidence about his network and/or the criminal activities
of his various customers.
As can be clearly seen in the email below, Mr. Freeman states that
"you'll hear from our legal team" and "the person who will be locked
behind bars or pay a huge sum of compensation will be you".
Of course, Mr. Freeman's legal threats against me aren't absolute proof
that he and/or Hostsailor have been going around issuing legal threats
to others... in particular, TrendMicro... in an effort to intimidate
honest citizens, journalists, and malware researchers into keeping quiet
about the goings on within the HostSailor network. But Mr. Freeman's
explicit legal threats against me quite certainly _are_, at the very
least, strongly suggestive that Mr. Freeman and/or Hostsailor may have
sent similar threats of legal action also to TrendMicro, and that such
threats may in fact have been the reason why TrendMicro self-censored its
own well-researched report after its initial, original, and uncensored
first publication.
If that is indeed the explanation for TrendMicro's self-censoring of its
own detailed report on HostSailor, then it is deeply troubling. Essentially
every well-known company that specializes in providing network security
solutions to business, industry, governments, academia, and individuals
operates its own blog these days. Whereas a lot of the information that's
posted to these company-specific blogs is primarily intended to show off
the prowess and technological expertise of the companies in question, these
blogs also provide the results of in-depth investigations and vast amounts
of incredibly useful data, facts, and intelligence to the entire security
community, to the entire Internet community, and, of course, to law
enforcement. If the various companies that run these blogs are going to adopt
a habit of self-censoring in response to every bogus legal threat, no
matter how silly and absurd, and no matter what thin, dodgy, and dubious
"companies" originate them, then we are all going to be much worse off,
in the end, due to the increasing lack of public information about real
security threats and incidents.
Here and elsewhere, I will be calling upon TrendMicro to show some semblance
of a backbone, and for them to RESTORE to the web the ORIGINAL version of
their very detailed report about the various kinds of criminality that
they connected to the Hostsailor network. My calls for them to do this
may certainly go unanswered, but I believe that it is worth the effort
anyway.
Additionally, I ask *all* companies in the security space, but particularly
those in the U.S., which enjoy the freedom and protection of the First
Amendment, to fiercely resist the temptation to quietly bow down and knuckle
under in the face of all baseless legal threats, but, in particular, those
that arrive from corporate entities whose only legal existence... if they
exist at all... is limited to dodgy jurisdictions, including but not limited
to: Russia, Luxembourg, Belize, Panama, and pretty much every country in
the Middle East. (Oh yeah... and also the British Virgin Islands, the
Maldives, the Seychelles Islands, and Labuan.)
Here in the U.S., we have this little thing called the First Amendment.
For more than 200 years, men have fought and died to protect it, not just
for me, not just for average Joe Citizen of the U.S.A., but also for the
likes of TrendMicro. In this case, TrendMicro's apparent ill-considered
self-censorship represents a disrespect for the memory, legacy, and sacrifice
of all of those valiant lives, and I hope that, in the end, the company will
think better of it, do the Right Thing, and stand up to these bullies.
They should do that, if not for the sake of the First Amendment, then for
their own sakes. The sight of a $5 billion dollar company being cowed by a
hollow legal threat from some pipsqueak of a company that's hiding out in
a tax-haven country is really pretty revolting, and by rights ought to be
publicly humiliating for TrendMicro. And under the circumstances, I don't
think that it is at all improper to ask the question: Is TrendMicro also and
likewise adjusting the parameters of the filtering and/or security products
it sells, based upon bogus legal threats from other crimeware-supporting
pipsqueaks? One hopes not, but...
For my own part, let me just say: I stand by my report of yesterday.
Regards,
rfg
P.S. In the very slim, unlikely, and implausible event that Mr. Freeman
and/or "Host Sailor, Ltd." turn out to be real things AND that they do
in fact elect to proceed to legal action, I just want to say how very much
I look forward to both (a) witnessing Mr. Freeman's deposition and (b)
reading all of his business records, in particular those pertaining to
his various criminal and/or otherwise dodgy customers. (I would quite
certainly request all of those, during discovery, of course, with an
appropriate set of subpoena duces tecum.) It should all prove very
enlightening.
------- Forwarded Message
From: Alexander Freeman <ripe at hostsailor.com>
Subject: Re: [rfg295165] Another crimeware IP on your network - 185.106.122.106
Reply-To: ripe at hostsailor.com
References: <48781.1467147180 at server1.tristatelogic.com>
To: "Ronald F. Guilmette" <rfg at tristatelogic.com>
Organization: Host Sailor Ltd.
Message-ID: <783dc7a7-890e-34e3-57ae-cfa6e2a77aa3 at hostsailor.com>
Date: Thu, 14 Jul 2016 18:58:56 +0200
In-Reply-To: <48781.1467147180 at server1.tristatelogic.com>
Hi,
So whilst I was stupidly and naively waiting for you, thinking you're
preparing me the evidence list for the IPs, I tried to run my own
investigation with the team on the IPs; seems you just went ahead with
another nonsense thread. I have tried to be nice, I have tried to help
you help us, I wasted enough time on our conversation on a daily basis,
you tricked me, not the other way around, you've proven to me that you're
an untrustable person, and for that reason rest assured you will pay the
price of this blackmailing, and dirty tactic of yours, that is causing
nothing to me and my organization but harm.
Please note that if you have nothing else to do than look into some old
trash on the internet that makes no sense into your so called
investigation that you're using as a coverup to bully people into
handing you personal data of clients, which I hardly believe, then I
strongly advise you to really just really take your own pathetic tactics
elsewhere, because if you will keep posing any threats to me or my
organization on more waste of time discussions everywhere, I'll make
sure you pay the price quite well, if you think you are going to
continue to cause threats, and give false claims/accusations everywhere,
trust me this will all go down on you badly, and it will be done in a
very legitimate manner.
I have shared this all with our investors, and with our friends in various
European and American agencies, we received the same response from all
of them, that we should take this matter further since you're someone
who is causing harm to others on the internet, and in a matter of time
you'll hear from our legal team, if you want a battle that you can't
fully and financially support, then let it be, you will not continue to
humiliate us in public in the same way you're doing, not after I tried
to personally help you, the person who will be locked behind bars or pay
a huge sum of compensation will be you, take my word for this, people
like you can not go around hurting businesses and be left alone.
So listen carefully, consider this my final email to you, take it as a
gentle warning before you get yourself a big slap back. Let me remind
you Mr Ronald... the terrorist here is you, not me, not my organization,
you know why? because you decide to attack firms trying to make a
living and terrorize them, you are probably paid by larger firms to do
so, and if my assumption is wrong, then there are definitely other motives
behind what you're doing, in all angles I see you as a terrorist, because
you can't go around like that to large firms with massive huge abuse
records, more than anyone else on the planet, you choose the weaker to
victimize them, the person who's trying to bully, blackmail and cause harm
to other providers who have done nothing but try to help you, and fight
spam/abuse on a daily basis, you have no right whatsoever to tell me or my
organization how to do business, we do business in the way we deem
right, and you will not in a million years decide how others run their
businesses, structure or operations.
You thought you could deceive me into handing you data of 200 clients, you
pathetic liar, you are no different than those who are running
ransomware around tricking people into paying money, you did the exact
same thing just in a slightly different manner. You even could not
provide me with any evidence for the 200 IPs, not even the 3-4 IPs, you
provided me with 1-2 so you can trick me into handing you 200. And guess
what? out of the 200 you handed me only one is really abusive, the rest
are legitimate users with normal websites, forex trading, SEO, forums,
travel agencies and not to mention they all had different patterns,
different countries, different IPs, different emails, even different
payment methods using credit cards that were verified legally as per our
terms of use for credit card payments! Some have been with us for weeks,
some been with us for months, some even been with us for a year or two,
even some IPs were not even in use by any clients, but do not worry we had
that one abusive case worked on already with our close partners that had
enough evidence to work with us closely on the matter.
I am sorry to fully get to the conclusion that you're either a pathetic
deceiver or you're a stupid security analyst following wrong leads and
clues, because so far I have proven you wrong from the start, from the
routing of the IP ranges to our network to the end of this case, you
were wrong all the way, and you know it.
So just in a nutshell, if you think you are Mr Power, and got your
little crappy investigations going on, we have our own investigations
internally on a much larger scale and with very well known people that
can look after us very well when we're in need of help or assistance,
especially from people like you, not from the ransomware gangs that you
are making up to penetrate into the privacy of our legitimate clients.
{...snipped...}
Regards,
Alexander Freeman
+1 (213) 234 - 4292
http://www.hostsailor.com
------- End of Forwarded Message