5.45pm - by JUHA SAARINEN
UPDATE - An audacious spammer hijacked a large block of unused IP (internet protocol) addresses assigned to Tower Group in Wellington, and used them to re-route traffic to servers in Florida, United States.
Some 65,000 IP addresses were taken over, enabling the spammer to host any type of internet site on the hijacked network, including illegal ones. By taking over the routes for the network and using forged registration details, the spammer hides his activities, which appear to come from a network assigned to Tower Group.
The hijack was discovered by accident on the SPAM-L anti-spam internet mailing list, when a systems administrator reported that his email servers were under a "dictionary attack" from spammers.
Dictionary attacks are commonly used by spammers to test for valid email addresses. The spammer runs a program that cycles through a great number of likely names used in email addresses, and tries them out against mail servers on the Internet.
The systems administrator looked up the assignment information for the block of addresses, and found that the block was listed as allocated to Tower Group in Wellington. The information was changed on the 13th of this month, and the hijacker even used the existing registration details to cover his tracks.
A call to Tower Group's network security manager, Alex McGregor, confirmed that Tower Group has been allocated the block of IP addresses in question. McGregor says the block is not active on the internet and is thus not advertised by the company to the world. The network has only been used internally.
McGregor says "the spammer must have noticed that the unused IP address block didn't have routes advertised", and decided to enter bogus routing information that directs traffic to servers in the US. Advertising routes is internet jargon for telling routers where to send traffic.
Spamming by the hijacker has already caused Tower Group's taken-over network to be entered into internet blocking lists, which are used by administrators to refuse email and connections from networks seen as abusive. Once a network is in the blocking lists, it can be hard to get it removed, as there are many different lists operating under widely different de-listing policies.
Having been made aware of the hijack, McGregor said "we were notified today [Friday] at 9am and we shut the situation down by 12:30pm."
Ed Saul, CIO of Tower Group, said the company has stopped the false route advertisements with the help of US internet providers peer1.com and yipes.com.
Saul stressed that at no point was Tower's physical network at risk, or any of its data. He said that "as the spammer took advantage of a weakness in the internet infrastructure, it could happen to anyone."
Spammer hijacks Tower Group's network