Chapter 3: Spam Book Author Implicated in Second IP Block Controversy

Iron Pyrite

June 17, 2008 - A former Air Force Captain, former instructor at the United States Air Force Academy and the author of a book detailing technical strategies for combating e-mail spam created two companies in 2005 and 2007 which subsequently obtained control of two large "legacy" IP address blocks (so-called "Class B" or "/16" IP address blocks) from the American Registry for Internet Numbers (ARIN) via means that remain murky, if not to say downright suspicious. Both blocks have since been found to be in active use by commercial mass e-mailers.

As shown in this document obtained from the Colorado Secretary of State's web site, on February 23, 2005 Geoff Mulligan (biography) of Colorado Springs, Colorado, a former Air Force Captain and author of the book Removing The Spam, created a new Colorado Limited Liability Company (LLC) called Gold Hill Computers, LLC. Later, Mr. Mulligan's new Colorado LLC gained official ARIN-sanctioned control over the 128.168.0.0/16 IP address block. Prior to the creation of Colorado-based Gold Hill Computers, LLC, the 128.168.0.0/16 IP address block had been assigned to company known as Gold Hill Computers, Inc. of Cambridge, Massachusetts.

Gold Hill Computers, Inc. of Cambridge, Massachusetts is a small software company that has existed since the mid 1980's. It specializes in selling Lisp interpreters, as it has done since its inception over two decades ago. As documented in the stone tablets of the Internet, the so-called Internet RFCs, specifically RFC 990, RFC 997, RFC 1020, and RFC 1166, the 128.168.0.0/16 IP address was originally allocated to some entity named GoldHill that existed at the time these RFCs were originally issued, i.e. November 1986, March 1987, November 1987, and July 1990, respectively. The first three of those RFCs show GoldHill's official contact person as one Gaylord Miyata.

So how do we know that the particular GoldHill that was allocated the 128.168.0.0/16 block way back on October 2nd of 1986 is the same as the company that today resides in Cambridge, Massachusetts, that still calls itself Gold Hill Computers, Inc. and that still sells implementations of the Lisp Programming Language? It's possible, even if highly unlikely, that a different company also named Gold Hill Computers might have been the original registrant of the 128.168.0.0/16 IP address block.

A quick check of the Massachusetts Secretary of State's web site turns up this corporate registration document which clearly shows Gold Hill Computers, Inc. as a Massachusetts-based company, and one that was originally registered with the Commonwealth of Massachusetts on July 19th, 1982. So this Massachusetts-based Gold Hill Computers, Inc. has certainly been around long enough to qualify, based on age, as the specific GoldHill to which the 128.168.0.0/16 block was initially allocated way back in October, 1986. More importantly however this historical account of the early development of TCP/IP protocol software on early IBM PCs specifically mentions both Gaylord Miyata, whose name, you will remember, appears in RFC 990, RFC 997, and RFC 1020 in conjunction with the 128.168.0.0/16 IP address block allocation, and also Mr. Miyata's affiliation with "...Gold Hill, whose product was a LISP implementation that ran in protected mode on a 286". Lastly, there is also this historical document, obtained from the Massachusetts Institute of Technology's web site, that clearly shows the 128.168.0.0/16 IP address block allocated to an entity located in Cambridge, Massachusetts.

Fast forward now a few years past the initial 1986 allocation of the 128.168.0.0/16 IP address block, specifically to the 1989-1990 time frame. Gold Hill Computers, the Cambridge Massachusetts software company, hit with slowing sales and the associated economic hardship, is forced to lay off the majority of its former staff. The company changes locations (still within the greater Boston area) and somewhere along the way, records of the company's rights to use the 128.168.0.0/16 IP address block are mislaid or accidentally discarded. Due to the company's fading business prospects, it isn't using its 128.168.0.0/16 IP address block, and the block isn't even routed anywhere. Memories of the company's rights to the 128.168.0.0/16 block fade within the company.

Fast forward again, another fifteen years, to 2005. The 128.168.0.0/16 block looks to be basically abandoned. It's not being routed, and unless you're an amateur Internet sleuth, you'd be hard-pressed to find the original registrant of this block. In short, the block itself looks ripe for the picking, at least if you are unscrupulous and willing to engage in a bit of IP address block hijacking (aka network identity theft) on other people's unused and intangible (but nonetheless valuable) assets. The 128.168.0.0/16 block is cost-free, i.e. you won't have to pay ARIN any annual rent for using it, and you won't even have to justify your continuing use of the block to ARIN because it is a so-called "legacy" block, allocated before ARIN even existed, which is thus exempt from the ordinary justification requirements that apply to all post-ARIN allocated blocks.

As shown in this document, obtained from the Colorado Secretary of State's web site, on February 23rd, 2005, a new Limited Liability Company (LLC) was formed in the state of Colorado. The name of the new company, which subsequently came to exercise dominion over the 128.168.0.0/16 IP address block, was remarkably convenient... Gold Hill Computers, LLC. With a name like that, there was no need to make any change to the name of the "registrant" of the 128.168.0.0/16 block when the block was acquired, somehow, by the new company.

Although Gold Hill Computers, LLC, headquartered in Colorado Springs, Colorado, currently has control over more than 65,000 separate IP addresses... a fairly substantial piece of Internet real estate... the company doesn't even seem to have its own web site at the present time, or even so much as its own e-mail address. The one and only IP address block that public ARIN records say is currently under control of this company is the 128.168.0.0/16 IP address block, i.e. the very same block that all of the documents cited above indicate was actually and originally allocated to the much older company known as Gold Hill Computers, Inc. of Cambridge, Massachusetts.

So what happened here? How did control over an entire block of more that 65,000 IP addresses... a valuable asset to anyone doing business on the Internet... end up being transferred out of the hands of Gold Hill Computers, Inc. of Cambridge, Massachusetts and into the hands of the recently-formed and interestingly-named Gold Hill Computers, LLC of Colorado Springs, Colorado?

A Tale of Two IP Blocks

I have spent more than a little time over the past several weeks looking into that very interesting question. I was motivated to do so primarily by my realization that the creator and current owner of the Colorado-based Gold Hill Computers, LLC was one Geoff Mulligan... the same Mr. Geoff Mulligan (
photo) who, not long ago (March 2007), created and then rapidly... within 11 months... sold off another Colorado LLC, together with its asset(s)... which, by a rather amazing coincidence, apparently included yet another valuable "legacy" /16 IP address block.

The name of the other Colorado LLC that Mr. Mulligan created in March of 2007, and then rapidly sold was SF Bay Packet Radio, LLC and its major asset... perhaps its only truly meaningful asset... was its control over the 134.17.0.0/16 IP address block. As diligent readers of this web site already know (because it was first revealed here more than seven weeks ago), the 134.17.0.0/16 IP address block, formerly allocated to NASA, an agency of the United States government, somehow ended up in the hands of one of the most notorious mass e-mailing companies in the U.S., and did so via means that remain more than a little mysterious. That questionable transfer of a valuable, although intangible U.S. government asset, like the transfer of the 128.168.0.0/16 block before it, also involved a large block of IP addresses passing to or through one of Mr. Mulligan's multiplicity of Colorado business entities.

To find out exactly how the 128.168.0.0/16 IP address block somehow made its way from Gold Hill Computers, Inc. of Massachusetts to Gold Hill Computers, LLC of Colorado I telephoned the Cambridge-based Gold Hill Computers, Inc. at the number given on its web site. I spoke at length, and on several occasions, to a gentleman who identified himself as Vince McGugan. (Mr. McGugan's business card, with his official company title, is shown on the company's web site.) Mr. McGugan identified himself as the current owner of the company, although his official title would seem to be "Chairman".

Mr. McGugan also confirmed for me that his company, Gold Hill Computers, Inc., has indeed been selling Lisp implementations since the 1980's. Separately, and in repeated questioning, Mr. McGugan assured me in no uncertain terms that his company had neither any knowledge of nor any business with Gold Hill Computers, LLC of Colorado Springs, and also, that his company has never made any agreements, or entered into any contracts to sell, lease, or rent any of his company's IP address space to any other party. (When I first made contact with him, Mr. McGugan stated that he was aware that the company had rights to some IP address block, but he had no clear idea what had happened to that IP address block over the years. As a result of my phone conversations with him however, Mr. McGugan does now have an understanding of what what happened to his company's IP address block.)

In my telephone conversations with him, I informed Mr. McGugan of the existence of the Colorado Springs based Gold Hill Computers, LLC, and its apparent current control of the 128.168.0.0/16 IP address block... a block which at least four different historical Internet RFCs suggest should rightfully be under the control of Mr. McGugan's company. Mr. McGugan repeatedly expressed sincere gratitude that I had called and alerted him to this situation.

Prior to my multiple phone conversations with Mr. McGugan, I had already telephoned and spoken at length with Geoff Mulligan at his Colorado Springs residence in reference to his creation, in March 2007, of the curiously named Colorado SF Bay Packet Radio, LLC and in reference to how its "asset", the 134.17.0.0/16 IP address block, ended up in the hands of the notorious Colorado-based mass e-mailing company Media Breakaway, LLC. In that earlier phone conversation, Mr. Mulligan had confirmed for me that, just as the publicly-available Colorado state records indicate, Mr. Mulligan was... and currently is... in fact the owner and creator of Gold Hill Computers, LLC and also, as indicated in publicly-available ARIN records, that Gold Hill Computers, LLC was... and currently is... in fact exercising control over the 128.168.0.0/16 IP address block. (Note however that Gold Hill Computers, LLC is currently allowing another company, Colorado-based Optimum Network Services, LLC (aka Data102) to use the 128.168.0.0/16 block... a fact we'll return to shortly.)

So who cares if some aggressive Internet entrepreneur out in Colorado may have developed some creative new strategies for obtaining multiple large blocks of valuable apparently abandoned legacy IP address space? Well, if you receive e-mail via the Internet, and if you've ever received unsolicited junk e-mail, then you might.

As noted above, the 134.17.0.0/16 IP address block, which formerly belonged to NASA, somehow fell under the control of Mr. Mulligan's recently formed Colorado-based SF Bay Packet Radio, LLC. Shortly thereafter, that same IP block was sold, along with SF Bay Packet Radio, LLC's other assets, if any, to some undisclosed chain of persons and/or business entities with the end result being that within only 11 months the 134.17.0.0/16 IP address block wound up as the virtual property of the mass e-mailers at Media Breakaway, LLC. How this all happened has yet to be adequately explained, and the specific NASA official to whom the 134.17.0.0/16 IP address block had been originally assigned, way back in 1989... a gentleman named Milo Medin... has denied knowledge of any transfer of this block to any other entity, whether it be governmental, public, private, or otherwise. (See below.)

Separately, with respect to the 128.168.0.0/16 block, which Mr. Mulligan's 2005-vintage Colorado-based Gold Hill Computers, LLC somehow acquired, publicly available evidence suggests that this IP block may also be in use by commercial mass e-mailers. As indicated in this public Spamhaus.Org record, and also this one, and also this one, the Spamhaus.Org public anti-spam blocking service believes (or has believed, in the very recent past) that the 128.168.0.0/16 block is being actively used to send out mass unsolicited commercial e-mails.

While researching this story, I've had phone conversations with many people, trying to get to the bottom of what actually happened here, and how two separate /16 IP address blocks... one originally registered to a private Massachusetts company and another originally registered to NASA... ended up in the hands of two of Mr. Mulligan's curiously named businesses.

As noted above, I talked by phone with Mr. Mulligan himself... once initially, when I was researching the rather inexplicable transfer of NASA's SF Bay Packet Radio block (134.17.0.0/16) to one of Mr. Mulligan's like-named companies, and then again, recently, while researching the equally inexplicable transfer of the Gold Hill Computers IP address block (128.168.0.0/16) to another one of Mr. Mulligan's conveniently-named companies. In the latter conversation, I arranged for Vince McGugan. CEO if the Massachusetts-based Gold Hill Computers, to actually be on the line so that he and I and Mr. Mulligan could have a three way discussion about how Mr. Mulligan had come to possess the Gold Hill IP address block. During this second phone conversation, Mr. Mulligan made a number of specific assertions about how his companies had come to control both the NASA block and the Gold Hill block... assertions which have proven rather remarkably difficult to substantiate.

First, with respect to the NASA block, Geoff Mulligan asserted that he had known, and had been friends with Milo Medin, the former NASA official to whom the 134.17.0.0/16 block has been initially allocated, "for twenty years". Mr. Mulligan further asserted that Milo Medin had in fact given him (Mulligan) the 134.17.0.0/16 block. Why Mr. Medin would do such a thing, or how any such give-away of a U.S. government asset to a private individual could be either proper or legitimate was not a point on which Mr. Mulligan elected to elaborate.

Second, with respect to the Gold Hill IP address block (128.168.0.0/16), Mr. Mulligan claimed that he had been explicitly granted control over that block by some member of the staff of Gold Hill Computers, Inc. at some time during 1994 or 1995. When pressed however, Mr. Mulligan could neither remember the name of the alleged staff member, nor could he produce any documentation to substantiate this claim.

Since the date of that last phone conversation with Mr. Mulligan, I have earnestly and diligently attempted to verify Mr. Mulligan's two stories about his acquisition of the two IP blocks in question, but I have been unable to do so.

With respect to NASA's 1134.17.0.0/16 block, I had a second follow-up phone conversation with Mr. Milo Medin...who is nowadays one of the principals of M2Z Networks. During that call, I asked Mr. Medin pointedly, specifically, and directly about Geoff Mulligan's claim that Mr. Medin had given him (Mulligan) the 134.17.0.0/16 block. Mr. Medin's response was unambiguous... "I have no recollection of that." (That assertion on Mr. Medin's part was consistent with the essence of my earlier phone conversation with him about NASA's 134.17.0.0/16 block, during which Mr. Medin referred me not to Mr. Mulligan, but rather to Ms. Grace De Leon, a network manager at NASA Ames Research Center for further information about possible transfers of the block in question.) Mr. Medin did admit to knowing Mr. Mulligan for quite a number of years, but noted also that he had not spoken to Mr. Mulligan "...for the past six or seven years."

With respect to the Gold Hill Computers IP address block (128.168.0.0/16), Mr. McGugan, CEO of the Massachusetts-based Gold Hill Computers, Inc. since 1990, has indicated to me, repeatedly and in writing, that since 1990, he would have been the only person in his company with the authority to transfer control of his company's IP address block to any other party, and also, that he has never done so. Thus, even if Mr. Mulligan's account of how he came to have control over the 128.168.0.0/16 address block is true (i.e. that some unspecified employee of Gold Hill Computers, Inc., other than Mr. McGugan, granted Mr. Mulligan control over the Gold Hill block) that IP block reassignment was both invalid and unauthorized, given that it was neither approved nor even known about by the company's management, specifically Mr. McGugan, who has been the company's CEO since 1990, well before the alleged transfer of the Gold Hill block to Mr. Mulligan (allegedly in the 1994/1995 time frame) took place.

Despite my best efforts to research and investigate the transfers of the NASA and Gold Hill IP address blocks to Mr. Mulligan and/or his various Colorado LLC's, I have been unable to find any substantiating evidence that either of these transfers were actually authorized by the rightful and legitimate owners of the blocks in question, i.e. NASA on the one hand, and Massachusetts-based Gold Hill Computers, Inc. on the other. Nor has Mr. Mulligan presented me with any hard (i.e. written) evidence relating to these transfers despite my repeated invitations for him to do so. On the other hand, statements made by the two most relevant witnesses, Mr. McGugan (for Gold Hill) and Mr. Medin (for NASA), in my various phone conversations with each of them, while perhaps not outright refuting Mr. Mulligan's accounts of how he acquired the two IP blocks in question, certainly fail to support Mr. Mulligan's recollections of these IP block transfers and/or the legitimacy thereof.

Whether Mr. Mulligan or his various Colorado LLC's obtained control of the 134.17.0.0/16 and 128.168.0.0/16 IP address blocks legitimately or otherwise may perhaps be a question that can never be fully or completely answered. Nonetheless, Mr. Mulligan's choices for the names of his various LLC's, specifically SF Bay Packet Radio and Gold Hill Computers... both remarkably similar to the names of entities to which sizable abandoned legacy IP address blocks had previously been allocated... are more than enough, I think, to raise some serious questions about Mr. Mulligan's business modus operandi. That both of these two IP address blocks were subsequently found to be in use by mass e-mailers is yet another remarkable coincidence that only Mr. Mulligan himself is in a position to fully explain. (Mr. Mulligan declined my invitation to identity the party or parties to whom he had sold his SF Bay Packet Radio company, together with its asset(s), citing privacy concerns.)

Who's Minding The Store?

This story has been primarily about Mr. Geoff Mulligan and the so-called "legacy" IP blocks that his various Colorado LLC's have come to possess. But it wouldn't be complete unless I also mentioned the disappointingly high levels of apathy, with respect to these IP address blocks and their questionable transfers, that I encountered during my investigation for this report. The disappointing apathy I encountered was evident both within ARIN and also within NASA. Neither organization seemed to be particularly interested in seriously investigating the questions of exactly how these large legacy IP address blocks had made their way into in the hands of mass e-mailers.

With respect to NASA, one would hope that this agency of the U.S. government might actually want to get their /16 IP address block back, or at the very least to make some serious effort to determine how it had slipped out of their control. (With the pool of free IPv4 addresses slowly but surely dwindling down to zero, an entire /16 block is more valuable now than ever, and NASA could certainly put this IP address block to some good use... or at least to some better use than it is currently being put to.)

Although former NASA network manager Milo Medin and current NASA Ames network manager Ms. Grace De Leon were both quite helpful as I researched this story, and although both of them expressed a sincere desire that any NASA property which might have gone astray would, in the end, be returned to NASA, that was where the cooperation and enthusiasm for knowing the truth about the 134.17.0.0/16 block ended. Other current NASA employees and contractors were rather entirely unhelpful as I tried to find out what really happened here.

During my investigation, I also spoke multiple times with Ralph F. Bischof, Jr., a contract network administrator at NASA's Marshall Space Flight Center, where all administration of NASA's far-flung networks is now centered. Mr. Bischof is currently the primary and highest-level administrator of NASA's DNS... at least "on the contractor side", as he informed me. (Apparently, there is a separate set of people who are regular NASA employees who also have a hand in managing NASA's DNS.) Mr. Bischof was asked by Sean Zadig, an official within NASA's Office of the Inspector General (OIG) to look into the status of the 134.17/0/0/16 block. In response to this request he apparently consulted only the meager documentation that he had on hand which, as far as I can make out, only covered IP address blocks that NASA was in fact currently and actively using. Needless to say, this did not include the 134.17.0.0/16 block, which as readers of Chapter 2 already know, is currently in active use by the mass e-mailers at Media Breakaway, LLC. The first time that I talked to Mr. Bischof on the phone he indicated to me that he wasn't even aware of RFC 1166, or of the information contained therein that says fairly clearly that the 134.17.0.0/16 block had in fact been a NASA asset in the early 1990's... just as former NASA network administrator Milo Medin had already confirmed for me. Under the circumstances, I asked Mr. Bischof to look over RFC 1166, and he agreed to do so. Recently, I made a follow-up call to Mr. Bischof during which he acknowledged that he'd looked at RFC 1166, but he discounted it's contents as "outdated". In my most recent telephone conversation with Mr. Bischof, he declined all further comment, referring me instead to NASA's office of Public Affairs... which he did, "at the request of my client" (i.e. NASA).

I also spoke on multiple occasions to Mr. Sean Zadig of NASA's Office of the Inspector General. This is the organization within NASA which is tasked with investigating waste, fraud and abuse within NASA. Although Mr. Zadig initially expressed earnest enthusiasm for investigating the rather mysterious circumstances by which a NASA IP address block (and arguably also a U.S. government asset) made its way into the hands of a private-sector Colorado mass e-mailing company (Media Breakaway, LLC), in subsequent calls Mr. Zadig informed me that his superiors had instructed him that recovery of this particular NASA asset was of sufficiently low priority within the OIG's office that he should simply not investigate this matter. (If a brick of gold had gone missing on some NASA project, then one would hope that the NASA OIG's office would take an interest, but mere IP addresses don't appear to be sufficiently valuable for NASA's Office of the Inspector General to waste time on. Nevermind that an entire /16 IPv4 address block is easily worth as much as several bricks of gold at the present time.)

In summary, NASA's current official position appears to be that they just simply aren't particularly interested in finding out whether an entire /16 IP address block was or was not purloined from NASA's inventory. Whether NASA management should take an interest in the possible misappropriation of such an asset is a question that legislators and taxpayers may wish to ponder.

With respect to the entity that is specifically chartered to keep order in and among the various allocations of IP address space within North America, i.e. ARIN, I can only report that for this organization also, the possible misappropriation of large legacy IP address blocks does not appear to be something that they have any significant interest in looking into.

More than seven weeks ago, I had a phone conversation with both Nate Davis, Director of Operations of ARIN, and also Steve Ryan, in-house legal counsel for ARIN. Our conversation was all about the 134.17.0.0/16 block, the SF Bay Packet Radio block that my earlier story had raised questions about. At that time, I was assured that "Within two to four weeks, this matter will be resolved in a way that will satisfy the community." That was the official line of ARIN at that time. Now, more than seven weeks after I received those assurances from ARIN management, nothing whatsoever has changed with respect to the ARIN-published official WHOIS record for the 134.17.0.0/16 block. Thus, at present, this block, which was originally allocated to NASA, is still under the control of the notorious mass e-mailing company Media Breakaway, LLC. Furthermore, to the best of my knowledge, since the story about the SF Bay Packet Radio IP address block first appeared on this web site, more than seven weeks ago, there has been no public comment whatsoever from any ARIN official regarding the status or rightful allocation of the block in question. I and readers of this web site have been left to wonder which "community" this utter silence on ARIN's part is intended to "satisfy".

(Seven weeks ago, during my phone conversation with ARIN officials relating to the SF Bay Packet Radio IP address block, I requested from ARIN a copy of their archived WHOIS record for the 134.17.0.0/16 IP address block, as it existed on any date prior to the formation of Mr. Mulligan's SF Bay Packet Radio, LLC. ARIN declined my request on the basis of their lack of a "policy" under which such archival and formerly publicly available WHOIS data could be provided by ARIN to members of the media or other interested parties.)

It is perhaps not surprising that ARIN might find it easy... and perhaps even expedient... to ignore questions about a dubious transfer of a large "legacy" North American IP address block within their region of responsibility in a case where the original... and arguably rightful... registrant of the block (NASA) didn't know and, apparently, didn't even care that the block had been taken over by mass e-mailers. Squeaky wheels get the grease, and NASA isn't squeaking at all about the 134.17.0.0/16 (SF Bay Packet Radio) block. What readers of this web site may find more interesting now, going forward, is whether or not ARIN will likewise elect to ignore the questions raised here regarding the 128.168.0.0/16 (Gold Hill Computers) block. In this case, unlike the case of the SF Bay Packet Radio block, There actually is someone (i.e. Mr. Vince McGugan, CEO of the original Gold Hill Computers) who seems ready, willing, and able to stand up and assert in no uncertain terms that the /16 block in question is an asset of his company, as opposed to being an asset of one of Mr. Mulligan's companies.

Regardless of the future action or inaction of ARIN with respect to either of the two potentially misappropriated IP address blocks discussed in this story, this web site will continue to report, not only on these stories, but also on other sizable IP address blocks within both ARIN and RIPE space that available evidence suggests may have been purloined by mass e-mailers. More such blocks are quite definitely out there, some of which are already known to me, and the public has a right to know about these, even if the entities, organizations, and officials who should be keeping an eye on such things would prefer, for their own reasons, to simply sweep these matters under the proverbial rug. My meager efforts in this regard will definitely prove to be of only limited effect and value however if... as now seems to be the case... we are entering an era where information in the official ARIN and RIPE WHOIS data bases... covering the majority of the IP addresses in use worldwide... is as unreliable and untrustworthy as the WHOIS records that are created and published by various well known and notorious Chinese Domain Name Registrars whose primary business, it seems, is to aid and abet criminals in their efforts to conceal their identities on the Internet.

Nate Davis, Director of Operations of ARIN, did not return phone calls seeking comment on this story.