Please see the related
Washington Post story by Brian Krebs.
this related Washington Post story which talks about registrar Dynamic Dolphin.
Apparently, the folks responsible for the
early experimental wireless Internet
research project that Once Upon A Time was known as
San Francisco Bay Packet Radio
(which was apparently a project run out of the
Ames Research Center)
have decided to take their show on
the road, and this time well and truly out-of-town, specifically to the Denver suburb known as
Westminster, Colorado. Or did they? Let's take a quick peek at the
official ARIN WHOIS record for the
126.96.36.199/16 IP address block. Hummm... well now. That certainly is
interesting! Headquarters for SF Bay Packet Radio up and moved
about a thousand miles to the East, for no apparently good reason.
Must have been one of those damn Left Coast earthquakes! Well, maybe not.
Could this apparent anomaly be attributable to
an easily-explained record keeping snafu, or just some
other trivial misunderstanding? Read on and decide for yourself.
The (new?) official contact person for
the 188.8.131.52/16 IP address block, as shown in the aforementioned
Official WHOIS registration record
for that IP address block is apparently one Chad Montgomery, whose e-mail
address is listed in the WHOIS record for the IP block
as firstname.lastname@example.org. The domain
itself was only registered relatively recently, i.e. on
June 18th of last year (2007), and was registered to a Limited Liability
Company calling itself SF Bay Packet Radio, LLC.
Now, you'd think that a company with that name might be incorporated
somewhere in the general vicinity of the San Francisco Bay Area, or
at the very least, someplace in California, but you'd be wrong.
SF Bay Packet Radio, LLC is apparently a Colorado
entity (Westminster, CO, to be precise),
as can be seen by looking at its official
corporate registration record
as provided by the
Colorado Secretary of State's Web Site.
(This Colorado version of SF Bay Packet Radio was also,
apparently, only formed relatively recently, i.e. March 6th, 2007.)
Note that the
184.108.40.206/16 IP address block
itself was originally registered way back on April 12th, 1989, a full 17+
years before the inception of either
Westminster-based SF Bay Packet Radio, LLC.
The plot thickens!
Connecting The Dots
So what really goes on here. Is this a case of
IP address block hijacking, also known as network identity theft? That would call
for some speculation. All I can do here is to report the facts.
Here's what I can tell you...
Are these all just amazing coincidences?
You be the judge.
The mailing address given in the
for the 220.127.116.11/16 IP address block is identical,
right down to the suite number,
to the address that's specified in the
public DMCA Copyright Notice
a fairly high-profile mass e-mail marketing company
located in Westminster, Colorado.
The mailing address given in the
corporate registration record
for the recently minted SF Bay Packet Radio, LLC company is
identical, right down to the suite number,
to the address of
The contact phone number given in the
for the 18.104.22.168/16 IP address block
appears to be
in quite a few places as one which
belongs to either
or to its predecessor company, OptInRealBig, LLC,
or as one belonging to the company's founder/owner,
Several of the sub-blocks contained within
the 22.214.171.124/16 IP address block
are associated with
DNS SOA records that
make reference to one particular domain name that is
Last but not least, a
lady, named Trudy DeBell
as the official registered agent (i.e. person who accepts legal papers)
for the recently formed
SF Bay Packet Radio, LLC company
also appears to be the
Chief Financial Officer of
Why would anybody ever want to steal a pre-existing
already-registered IP address block that belongs (or that belonged,
past tense) to somebody else
anyway? Well, according to my sources, there are two potential
First, if you make off with somebody else's pre-existing IP
address block, then you don't have to go through all of the hassle to
justify (e.g. to
why you really and truly need a whole big batch of fresh new
IP addresses. (That could be difficult to do if you're just a mass e-mailing
company that wants say, 65,536 fresh IP addresses if, for example,
you wanted to use them to help you to sneak past spam filters.)
Second and perhaps more importantly, if you manage to
get control of an IP addresses block that was
grandfathered in by ARIN... i..e one that was allocated
before January, 1997... then unlike newly allocated
IP address blocks you don't have to pay a dime in annual fees
for your shiny new IP address block. You can't get IP addresses
at this low low price these days except by stealing... zero dollars
and zero cents per IP address!
If An IP Address Block Falls In the Forest, And There's Nobody There to Hear It...
Of course, if a mass e-mail marketer
did in fact abscond with an entire /16 IP address block, and
if he/she/it didn't use it for anything, then what would be the
difference, right? That
would be a non-event.
Well, in point of fact, at the present time
(Mon Apr 21 14:34:14 PDT 2008)
it does appears that the 126.96.36.199/16
IP address block
is being used for something as evidenced by all of
these 1,700+ web sites
that are currently being hosted in that block.
Thick As Thieves
ARIN into assigning you your own /16
IP address block (consisting of 65,536 separate IP addresses)
is actually not that hard. It's just a small matter of
social engineering. You tell them that you are the original
owner of the block, and the fine folks at ARIN just believe you, apparently.
The hard part comes when you have to find
some legitimate or at least semi-legitimate company that has it's own
System Number (ASN) and who is willing
and able to announce routes to your shiny new
IP address block.
Fortunately for the recently minted, Colorado-based
SF Bay Packet Radio, LLC, and for its apparent Denver area progenitor,
these two companies together apparently had little trouble finding
this willing participant to help
them solve this part of the problem.
This was a natural fit, given that this
somewhat mysterious San Diego-based (but
company, JKS Media,
had already been supplying other Internet routing to
most of the IP addresses used by
Not that anybody much will care, of course, but it would appear that the
the somewhat mysterious San Diego-based but Nevada-registered
company that's supplying the essential routing for the
188.8.131.52/16 IP address block
never seem to have bothered to
properly register their company with the
California Secretary Of State's Office
as required by law, even though their own web site makes it
altogether clear that they are actually located in San Diego.
So who cares if they messed up a small bit of bureaucratic paperwork?
It's no big deal, right? Wrong!
By not registering their business in its true home state of
California, whoever is behind this mysterious company has almost certainly
completely avoided paying any California state taxes on this business,
as required by law, probably for years. So they are basically getting
a free ride. They enjoy all of the taxpayer-funded benefits of residing
and doing business in California... roads, schools, bridges, the protection
of California courts and Law Enforcement... but they are
freeloading on the backs of other California taxpayers.
A Hole In The Wall... Literally
Evading taxes... if that is indeed what's going on here...
is bad enough, but there's yet another reason why
might not have wanted to file any formal papers with the
State of California. You see, unlike Nevada, the State of
California insists on knowing where businesses in this
state are actually being conducted and also who they are
actually being conducted by. (You can avoid both of these small
annoyances if all you have is a Nevada corporation or LLC. Nevada
is way less nosey than most states when it comes to knowing the
particulars of the businesses that are operating within Nevada.)
As things stand however, this particular business (a) has no
corporate registration... except one in Nevada which, under Nevada law
is allowed to have utterly phony baloney information listed
for its location and its ownership... and also (b) interestingly,
this business, despite the fact that it provides routing for some
major hunks of IP address space, appears to be doing business only
out of a rented mailbox located at
this commercial mail receiving facility in San Diego.
OK, so let's review... We've got a large /16 IP address block with
ownership that is, at best, questionable, and it's being provided
with routing by a somewhat mysterious company,
JKS Media, allegedly
located in San Diego, that may or may not
be evading California State taxes, that apparently has no real or
discernible physical location (except for a four inch by four inch rented
mailbox, that is to say a literal
hole in the wall)
and that (as far as anyone on the outside can tell)
may or may not be owned by Osama Bin Laden. (We can't know for sure who
actually owns or runs this company because the State of Nevada allows
Nevada corporations and LLCs to list only what Nevada
euphemistically calls nominee officers... i.e. what the rest of
us mere mortals usually call ``front men''... in the official
corporate records that must be filed with the state).
I think that about covers everything.
Hummm... well... on second thought, no, it doesn't.
Even if we ignore the fact that
JKS Media, Inc.,
is providing routing both for
Media Breakaway and also for
the suspiciously registered IP address block, 184.108.40.206/16,
there also appears to be a whole lot of other curious and inexplicable
connections between these two supposedly separate business entities,
i.e. JKS Media and Media Breakaway.
Yessiree! There do seem to be a number of very interesting, if not to
say close connections between
Media Breakaway and JKS Media.
In particular, one cannot help but
wonder if Vince Chavez is drawing salary checks from both companies
at the same time.
Why is it that all of the routes to all of the IP address
space currently being routed by (supposedly San Diego based)
JKS Media all appear to pass through (and then dead-end near)
in the metropolitan Denver area, and yet none of them ever seem to go
anywhere near the San Diego area?
Why is it that when you establish an SMTP connection to the primary
(only?) incoming mail server for JKS Media you receive
an SMTP greeting banner
which gives you the domain name of a company called
a company that various public
bankruptcy filings indicate is actually owned by the owner of
(If JKS Media is actually an independent and non-trivial provider of
Internet services, then why isn't JKS Media
willing or able to run its own mail server? It is highly
unusual for any legitimate and actual Internet service provider
to farm out responsibility for its own incoming mail
to one of its own customers.)
Why is it that a search for all companies that are registered in Nevada
and that have
Mark Clements (i.e. the
one and only registered corporate officer of
as one of their corporate officers turns up
a list of
and yet when you look at the corporate registration details associated with
the second of these companies
you see that, paradoxically, the one and only registered corporate officer
is now shown, not as
Mark Clements, but
rather as Scott Richter, owner of
(Yes, the on-line records of the Nevada Secretary of
State's office are obviously more than a little quirky,
but this particular quirk seems
to be revealing of an underlying clear connection.)
Why is it that the
snail-mail address of the mailbox
that is the alleged headquarters of JKS Media is further away from the
business address of
Mark Clements, the company's only registered director,
than it is close to
the downtown San Diego
former law office
of the current President of Media Breakaway,
Why is it that although
has existed (allegedly in
San Diego) since at least 2002, they never sent any representative(s)
to any of the past annual or bi-annual
(even the nearby one in Los Angeles in October, 2005) yet they did
manage to send a representative to the recent (April, 2008)
ARIN XXI Meeting
which was held in Denver?
Why is Vince Chavez, who is
listed as one of the official
technical contacts for JKS Media and who registered
as a representative of JKS Media when he attended the recent
ARIN XXI Meeting
in Denver listed elsewhere (i.e.
both here and
actually being an employee (Chief Technical Officer?) of
Media Breakaway? (Actually, in
the gentleman in question is listed as being both an employee of
Media Breakaway and JKS Media at the same time.)
Last but not least, if JKS Media really is located in
either San Diego or anyplace in Nevada (where it is
registered) then why does
this official record obtained
from the RWHOIS server of Cogent Communications (which provides
connectivity to JKS Media) show the location of JKS Media
as a rented P.O. Box located at
the very closest
UPS Store to the Colorado
headquarters of Media Breakaway
(Not that it really matters much to this overall story, but by sheer
coincidence it appears that the Broomfield, Colorado based
domain name registrar that
uses as the registrar for many of its domains,
Dynamic Dolphin, also
happens to do business out of a rented mailbox at that exact same
UPS Store, just a few doors down.... err... I mean just a few boxes
down from the address given in that
RWHOIS record for
i.e. boxes number 233 and 229, respectively.
Just another coincidence, I'm sure.)
Final Jeopardy Question:
Is there what the legal folks would call a unanimity of interest
Media Breakaway and JKS Media?
You be the judge.
I am only reporting report the facts, not opinions.
(We can set aside for now the separate question of whether or not
that apparently related
domain name registrar,
may or may not also
have a certain unanimity of interest with either
Media Breakaway or JKS Media or both.)
A Hop, Skip, And A Jump
Independent of the various indicators of a possible
unanimity of interest between
Media Breakaway and JKS Media, there is at
least one additional potential connection between the two companies.
It doesn't really prove anything, but I mention it anyway, just in case
someone else might find
this additional clue useful.
As noted above, the current President of
is an attorney...
and a very astute one, I might add... named
Steven Richter. Mr. Richter
used to practice law from his
office in downtown San Diego.
(He is also the father of Scott Richter,
the founder and owner of Media Breakaway, so I guess one could say that
Media Breakaway has become
a kind of family business for them.)
Anyway, when you practice law, you may sometimes need the help of an
outside Litigation Support Specialist. As it happens, there
appears to be a lady
named Lisa Clements in nearby Chula Vista... just south of
San Diego... who appears to be running an
that happens to specialize in this exact sort of thing.
And... umm... oh! I'm sure these are just coincidences too...
Ms. Clements last name just happens to be
the same as that of Mark Clements, i.e. the guy who is the
of JKS Media. Also,
Ms. Clements just happens to have her office at the exact same
Chula Vista residential address
where Mr. Mark Clements, the only director of
has apparently conducted at least one of his
Small world. Then again, maybe
Ms. Clements and Mr. Clements, both of whom seem to
be doing business out of the exact same
are related in some way. Anything's possible.
Going Global, Without Leaving Home
Every time I think that I'm done writing this story, another new
angle crops up.
It now appears that ARIN may not have been the only
Internet Registry to have been duped into assigning
an abandoned IP address block to some insubstantial front for either
Media Breakaway or JKS Media or both.
In fact it looks to me like
the European Regional Internet Registry,
RIPE, may also have handed over
control of a
/18 netblock, i.e. 16,384 separate IP addresses, under equally questionable
quite a hunk of IP address space!
The IP address block in question is the
220.127.116.11/18 IP address block,
which is associated with something
calling itself the ZAO Russian Telecommunications Group
but which, for reasons unknown, appears to exist only in New York,
and which, also for reasons unknown, appears to have an alter ego name of
openaccesscolo.net aka Open Access Colo, Inc.,
an alleged ``corporation''
whose only available contact information
appears to be a mailing address of
1383 6th Ave, New York, New York 10019... which is nothing more
that a UPS Store drop-box... and a contact telephone number of
212-372-7710, which appears to lead to
nothing more than a slightly clever answering machine.
Note that I used the term alleged corporation above. I use that
terminology because, as far as I can tell,
this supposed Open Access Colo corporation doesn't
actually exist... at least not in this county (US).
It is not registered with state-level authorities in
in the State of New York, nor with the authorities of any other state
within these United States as far as I have been able to
determine. In short, it is, apparently, a phantom, a ghost, unreal.
And even more interestingly, the
former company web site
(which was taken down, mysteriously and shortly after the publication
of this story)
for this phantom of a company, Open Access Colo,
gave all appearances of being just a
hacked-up (and almost certainly ripped-off)
copy of an old/prior version (available in
The Wayback Machine) of
this legitimate web site
belonging to an apparently unrelated legitimate
Pennsylvania web hosting company. (So much for copyright laws!)
Also, and by another rather spectacular coincidence, the ethereal
not-quite-company calling itself openaccesscolo.net...
which is apparently trying to make itself look like
a real Internet services company...
also (and remarkably), just like JKS Media,
doesn't seem to even be able to
handle running its own inbound mail server, opting instead to
let the previously mentioned Wholesale Bandwidth
(also owned by the owner of Media Breakaway)
process its incoming mail for it.
(As a general rule, legitimate ISPs do not
tend to farm this kind of stuff out.)
Maybe They're Renovating
OK, so here's where the story starts to get really interesting...
Apparently, the guy who wrote the
O'Reilly Spamkings Book
was kind enough to archive
this dump of
RIPE membership records as they existed circa October, 2005.
If you search down within that listing for the string
ru.org-tp17-ripe you'll see that back then (Oct. 2005) there was an
organization known as the ZAO Tekcom Project
that was directly associated with the Russian domain name
org-tp17-ripe.ru. Stay with me now! Fast forward to
today and look at the
ripe membership list.
Search again for the same string
as before, i.e. ru.org-tp17-ripe, and you'll find that
nowadays it is associated with
ZAO Russian Telecommunications Group (see above)
and that for reasons unknown, RIPE has
annotated this (former?) RIPE member company
as being closed.
OK, so why is any of this at all important? Well, at the very least,
it shows us that the current mystery company
ZAO Russian Telecommunications Group... which is allegedly Russian,
but which actually only seems to exist within the
confines of a rented P.O. Box in New York...
had a different name earlier in its lifetime, and that name was
ZAO Tekcom Project. So it used to have a different name.
Big deal! So who cares... right?
Well, a small bit of Googling turns up the fact that
Tekcom Project, circa 2005,
exactly a stranger to spam.
Tekcom Project and its former IP range of 18.104.22.168/22 were
to have been rather directly connected to major-league
criminal spammer and soon-to-be guest of the United States federal government
Robert Alan Soloway.
From New York, With Love
The important take-away here isn't so much that the notorious
criminal spammer Soloway may be involved
with the current goings on within
the 22.214.171.124/18 IP address block...
he almost certainly isn't, since he is languishing in a jail cell awaiting
final sentencing at the moment...
but rather, that the exact same mystery ``Russian'' folks
who are currently occupying... properly or otherwise...
the 126.96.36.199/18 IP address block are apparently also and simultaneously
doing business with
Media Breakaway and JKS Media.
Specifically, the mystery Russians appear to be leasing to Media Breakaway
substantial hunks of IP address space, all
of which are, conveniently enough, being provided routing by JKS Media,
so that, in effect, the mystery Russians
appears to sit in the food chain somewhere
Media Breakaway and JKS Media.
(Any go-between sitting between
Media Breakaway and JKS Media... let alone a phantom Russian one...
would seem to be unnecessary, since it appears that
Media Breakway and JKS Media share at least one employee in common anyway,
i.e. Vince Chavez.)
There still remains the question of who, if anybody, is the
legitimate and current owner of the 188.8.131.52/18
Apparently, it is a company
(ZAO Russian Telecommunications Group) that even RIPE itself
considers closed. So that begs the question... Who the bleep
have they (RIPE) given control of the 184.108.40.206/18 block to, exactly?
It appears that even RIPE itself may not be too awfully sure about the
answer to this question. It might be
Olga, who RIPE has listed as the
contact person for the
220.127.116.11/18 IP address block, but it looks like
Olga doesn't have any actual office... preferring to do
business out of her New York City P.O. Box...
and it also appears that Olga doesn't like to
answer her phone much... like maybe not at all. If you ever manage to reach
her, or any live human at all at
Olga's New York phone number,
please let me know.
Good luck. (I'd like a Unicorn for my birthday too, if you wouldn't mind.)
Ripe Or Rotten?
So is RIPE as easy to snooker out of
IP address space as ARIN apparently is?
Is there any other plausible explanation for why a
good sized chunk of IP address space
which is supposedly allocated to a Russian company (which itself appears to
do business only
out of a rented P.O. Box in New York City) never gets routed anywhere
near either Russia or New York and instead appears to
dead end somewhere near Denver?
And what ever happened to the alleged
crisis of the world running out of IP addresses?
If phantom companies, operating out of P.O. boxes, and lacking any real
existence whatsoever... except on paper... can get their own /16s
and /18s every day of the week, then it's no wonder the world is
running out of IP addresses.