Original URL: http://www.theregister.co.uk/2008/09/24/intercage_back_online/

'Malware-friendly' Intercage back among the living

Net provider in deathbed conversion

By Dan Goodin

Posted in Security, 24th September 2008 00:33 GMT

A day after security experts celebrated the death of a network provider accused of hosting a large concentration of the world's cybercrime, California-based Intercage appeared to be among the living again.

IP transit provider UnitedLayer agreed to provide upstream service to Intercage about 36 hours after its last transit provider pulled the plug. UnitedLayer's move, which is sure to prove unpopular in some circles, came after Intercage agreed to completely sever ties with Esthost, the Eastern European web host believed by many to be responsible for the lion's share of abusive traffic carried by Intercage.

The dumping of Esthost, if true, would mark a major turning point for Intercage. Esthost, which according to many researchers hosts a large number of sites engaged in phishing, malware propagation, and other illegal activities, has relied on Intercage since 2004 and is responsible for 25 percent to 50 percent of its revenue, according to Intercage president and owner Emil Kacperski.

"Unfortunately, they were a big client," he said in an interview Tuesday, about 12 hours after pulling the plug on the last Esthost server. "We put a lot of eggs in one basket, which I wish of course I did not do."

In addition to jettisoning Esthost, Intercage also plans to unveil a new system for the public to submit complaints about abusive sites carried on Intercage's IP space. Until now, the San Francisco-based provider has used email to field such reports. Similar to systems used by many other hosts, the new system will provide each user with a ticket number that can be used to track the status of the complaint.

At time of writing, the Intercage website remained offline, and an unknown number of its customers - Kacperski said he had "no idea" how many - were without service. But as this Autonomous System report made clear, UnitedLayer has already thrown the unpopular network provider a life raft. Kacperski says he hopes to be back up and running by Tuesday evening.

It didn't take long for people in the security world to criticize the move by UnitedLayer, and the risk the company faces should things go wrong is considerable. A few days after Pacific Internet Exchange agreed to provide transit service to Intercage, a block of some 1,000 of its IP addresses was added to the Spamhaus block list. PIE quickly reversed course and dumped Intercage.

"We'll be watching them very carefully, I can assure you," said Richard Cox, CIO of Spamhaus, whose real-time blacklist is used to block senders of spam from about 1.5 billion email boxes. "We are obviously prepared if the need is there to take the same approach" as was taken with PIE.

Spamhaus officials plan to speak with their counterparts from UnitedLayer soon to express their concerns about Intercage, Cox added.

For its part, UnitedLayer officials said they thought long and hard about the decision to take on Intercage as a customer, and based on the promises they got, they decided it made sense.

"We have been assured by Emil and Intercage that the customer in question that caused this firestorm has been removed," said UnitedLayer COO Richard Donaldson. "And we have said very unequivocally to Emil that when and if factual evidence is provided to us that puts him in violation of our AUP (acceptable use policy)...then we will terminate them like we would any other client."

Over the past few weeks, the Intercage saga has at times resembled the wild west, where justice is meted out by an informal network of power brokers rather than duly appointed officials. Given the frequent inability of today's law enforcement to overcome a rat's nest of extra-territorial and technical issues, this form of frontier justice is probably unavoidable. And in any case, the vast majority of the white hats manning the system are honest and have netizens' best interests at heart.

Still, the arrangement has sometimes made us uncomfortable, because it seems fraught with the potential for abuse by copyright holders, repressive governments and others. One concern is that as vocal as white hats are in criticizing Intercage for the abusive packets carried over its networks, we've yet to see any empirical evidence that shows it hosts more phishing sites than, say, The Planet or other web hosts. Our other concern is that few white hats seem to take the time to report abusive sites they find hosted on Intercage.

Donaldson acknowledged that UnitedLayer's move may not be well received by some people but said the company's management was prepared to stand behind its decision.

"What we're not in the business of doing is succumbing to mob rule," Donaldson said. "If Emil has generated a bad karma online, that's one thing, but that's not a reason for us to terminate a client until we have facts otherwise substantiating that there's a case against him."

UnitedLayer's email address for reporting abusive customers is abuse at UnitedLayer dot com, and for the time being, abuse can be reported to Intercage using abuse at Intercage dot com. Operators are standing by. ®