Network News

X My Profile
View More Activity

Internet Shuns U.S. Based ISP Amid Fraud, Abuse Allegations

A California based commercial Internet service provider whose clients included a laundry list of spammers and scammers is now offline, after the last of the company's upstream Internet providers decided to the pull the plug.

Atrivo, a.k.a "Intercage," of Northern California, ceased to be reachable from any points on the Internet early Sunday morning when the ISP's sole remaining provider - Pacific Internet Exchange (PIE) - stopped routing traffic for the troubled company.

The final blow comes just weeks after Security Fix joined several researchers in publishing evidence that major portions of Atrivo's network were being used to foist fake security software, Trojan horse programs, and other nastiness. As a result of those reports, several of Atrivo's upstream providers dropped the company as a client.

PIE agreed to provide routing for Atrivo after three other major upstream providers apparently decided it wasn't worthy the negative publicity of being associated with the company. I spoke with PIE president David Grieshaber a week ago Friday, asking him why he chose to take Atrivo on as a client when all other providers were ostracizing the company.

Grieshaber said he and Atrivo's founder Emil Kacperski had been good friends for several years, and that PIE and Atrivo also share the same building in San Francisco. Grieshaber confided that while he thought Kacperski was treated unfairly, he nevertheless decided to lay some ground rules as a precondition of their agreement.

"I told him, you've got to put up a Web site, an official abuse reporting and ticketing system, and some real contact information so that people can get in touch with you and know their complaints are being heard," Grieshaber said.


For all its years of operation, Atrivo's Web site consisted of little more than a blue background adorned with a simple "Web Site Launching Soon" banner. Critics took this as evidence that Kacperksi earned the majority of his customers via shady, underground channels.

In an interview last week, Kacperski said to the extent that there were bad apples hosted on his network, few of them were ever directly reported in e-mailed complaints. Kacperski claims he receives an average of just five complaints about abusive domains hosted on his network each week.

"The truth is that nobody's been reporting this stuff, but it's illegal for me to just sniff around each and every site on my network and say, 'Hey, what are you up to?,'" Kacperski said. "But if there's a complaint, then I can deal with it, I have to deal with it. Instead of complaints, I get people labeling me as some kind of mafia kingpin or crime boss."

On Sunday, PIE abruptly reversed course and pulled the plug on Atrivo, effectively knocking offline all of the sites hosted with Atrivo (including its biggest and most vilified client - Kacperski says PIE's Grieshaber took action due to pressure from his other clients. Grieshaber did not immediately respond to requests for comment.

In the meantime, a lively debate on Atrivo's demise has lit up the the mailing list of ISP operators known as the North American Network Operators Group (NANOG), with Kacperski defending his company's record and vowing to find another upstream provider.

Some have suggested that ISPs and Internet backbone providers should not be allowed to serve as judge, jury and executioner of problematic customers. Dan Goodin of opined that the multilateral actions against Atrivo amounted to "a temporary and highly imperfect stopgap" orchestrated by "ad hoc malware police."

Goodin's stance was echoed by Marcus Sachs, director of the SANS Internet Storm Center.

"There are others out there who need to be cut off but we've got to find a better way to do it than by creating the virtual equivalent of a lynch mob," Sachs wrote in a e-mail to Security Fix.

Until that "better way" gains traction, however, it is all but certain that self-interested network providers will persist in efforts to string up the perceived bad actors, said Paul Ferguson, senior researcher at security firm Trend Micro.

"The community must police itself, and this is a fine example of purging badness," Ferguson said. "Of course, it will pop up elsewhere, but we're watching."

By Brian Krebs  |  September 22, 2008; 1:12 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Apple Pushes New Patches
Next: Fake Facebook 'Add Friends' E-Mail Adds Malware


That 'better way' will never evolve.

The only thing that worked was public outing backed up by research by an undeterring group of people who are sickened by the way people turn the proverbial blind eye\deaf ear.

The Net will never be a perfect place, but were it not for these so called 'ad hoc police' the likes of Atrivo\Estdomains\ would continue to prosper unabated, history has already shown that.

No one will miss those guys. All those so called legit users who were in that boat have just been done a great service, they're just too short sighted to see that.

What sort of business wants to 'live' in an area of the Net so associated with cybercrime? Certainly no one with any actual concern for how their product\services are viewed.

And it's not like there are not tons of other upstream providers who can't give the same service.

But as stated, they'll pop up else where and now we've even got more people watching.

It's just a matter of time before they resurface. No way the criminal mind walks away from that kind of money.

Posted by: TeMerc | September 22, 2008 1:34 PM | Report abuse

Bravo Brian!

We can kick that bastards.

Posted by: Mdkm | September 22, 2008 2:17 PM | Report abuse

My problem with this is that I have all my domains registered at EstDomains... All are offline, unreachable, untransferrable to another registrar:(
I'm losing traffic, clients, money. Everyone knows its not good on the internet for an already running site to be offline.
Its okay and very good to shut down spammers/virus spreaders, but in the costs of shutting down legitimate businesses?? I mean, if govt or internet providers must shut down bad sites, they must NOT do this at the cost of legits. It would be their business to run thru ALL sites, decide which is legitimate and which isn't, and then only shut down the badware.
Imagine what would a big company do if their isp would be shutted down for fraud, and their site would be unaccessible for days, weeks. (and yes,days,weeks, because estdomain whois server is not working, and until its not working you cannot transfer or even access your domain.) I'm sure they'd sue everyone possible for the lost money.

I think it's my bad...when I choose a domain registrar it I was a customer of registerfly, and now estdomains...who to choose?

Posted by: Nandor Orban | September 22, 2008 2:18 PM | Report abuse

Estdomains is already back.

Posted by: Anonymous | September 22, 2008 3:33 PM | Report abuse

If you have all of your domains with a single DNS provider in a single-homed colo... you've not planned well for failure. You'd not have this problem if you'd put your DNS authoritative servers in more than one location.

Oh, you have a Disaster Recovery plan, right? which includes offsite backups or offsite running copies of these sites/domains? If not I suppose they weren't all that important anyway? There's no guarantee that any single provider will survive from day to day, always plan for failure.

Posted by: chuck | September 22, 2008 4:10 PM | Report abuse

chuck: it's not the DNS, not the hosting... Both work correctly, but not the estdomains whois server. if the whois server is offline, it cannot tell the browser which dns servers to use... so the site is fully offline:(
Even if i used 2-3 different dnses it would fail, because of the whois server is inaccessible

Posted by: Nandor Orban | September 22, 2008 4:13 PM | Report abuse

It's too bad when legitimate customers suffer because of the bad actions of others, but that holds true in many aspects of life, not just webhosting or domain name registration. There are plenty of other domain registrars. Before choosing a registrar, one should do their research. Anyone who did a quick Google search on estdomains would have found information about their reputation.

Emil keep saying he didn't receive many abuse complaints, but many people sent compaints as long ago as 2004 and nothing was ever done. So after a while we just gave up and stopped sending complaints.

Posted by: suzi | September 22, 2008 4:15 PM | Report abuse

You are confused, DNS does not use 'whois', when you register a domain you designate some number of authoritative servers ( for instance, with dns servers,, the hostnames for the NS hosts end up in the .com zone.

Whois is never consulted for this, Whois is simply a reporting mechanism, the DNS infrastructure is completely separate from Whois. Do you have a sample domain that is not currently working?

Posted by: chuck | September 22, 2008 4:20 PM | Report abuse

It isn't a judge, jury, executioner or a lynch mob. Both of those metaphors hold repercussions for the business. Nobody went to jail here. Nobody was fined. The ISPs didn’t exact revenge; they simply refused to do business with them. Smart businesses make decisions about who they want to do business with. It is not the fault of the ISPs that Altrivo can't find a provider. The system worked.

Posted by: Peter | September 22, 2008 4:30 PM | Report abuse

Has ICANN taken any action in respect to verifying ownership of Estdomains and evaluating whether owners are in violation of the Registrar Agreement and subject to termination?

Posted by: Anonymous | September 22, 2008 4:37 PM | Report abuse

A company like Atrivo/InterCage puts up a simple, elegant site with easy to use graphics, and critics are all over 'em like a cheap suit! (-;

Posted by: Kfritz | September 22, 2008 5:15 PM | Report abuse

As one of the researchers and authors of the study, I would remind everyone that these were not victimless crimes. Our research was systematic, meticulous, thorough, and went on for months. Statistically, the results were not marginal, they testify to overwhelming malice. Furthermore, we plainly documented a history of abuse complaints being ignored.

With respect the decisions of numerous network operators to cutoff Atrivo, John Bambanek of the Internet Storm Center rightly pointed out on the NANOG mailing list that "ISPs are the **first** line of defense against malware and badware... By peering with them, there is a trust relationship formed... if there is a question that goes right to the heart of that trust, they ought to answer it, otherwise they ought to be de-peered as well."

No amount of gratuitous assertions will alter the fact that ruthless criminality has always been the norm in these networks. As Dancho Danchev noted, "InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the 'the whole is greater than the sum of it's parts', in this case, the parts represent RBN's split network."

Unassuming consumers in the United States, Europe and elsewhere have been terrorized in an undeclared war by the Russian mafia and their affiliated sociopathic thugs for all too long. Despite being warned of potential risk to ourselves, we never hesitated. Concerned citizens, the industry, and law enforcement must also be resolved to take action, the very future of an open Internet hangs in the balance.

Thank you,

James McQuaid

Posted by: James McQuaid | September 22, 2008 7:34 PM | Report abuse

Прищемили хуй российским читерам, и по делом. Скоро совсем за жопу возьмут.

Posted by: friend | September 23, 2008 6:52 AM | Report abuse

I'm one of the (presumably many) legitimate users at Intercage. I bought an existing e-commerce business that was hosted at Intercage and there wasn't a compelling reason for switching. Google searches a year ago turned up 2-3 year old complaints and Emil was always available to help with things that came up.

What bothers me is the lack of consideration for the real people affected by all this. The criminal enterprises are already popping up in new places.. the real users like N Orban and myself are left in the dark with no way to recover our sites. It's fine to blame us for not having backups, etc but how many small business can afford a true disaster recovery program? My site is over 10GB. How exactly do you think I can keep a local copy of that up to date? Over my 155KB/s line?

The Spamhaus people are I'm sure trying to do the right thing, but the whole blacklisting of PIE when they were trying to work with Intercage to get them back online shows an overreaching punishment. They could easily have continued to block the Intercage addresses while monitoring how the new system of complaint resolution was working.

Posted by: David Leach | September 23, 2008 7:11 AM | Report abuse

Until and unless actual miscreants are offline and jailed, it is simply a game of whack-a-mole, and those paid to be trackers and hunters in the conflict have a vested interest in scattering the bad guys to the wind.

We saw back when old-AGIS was essentially spambone that having a large cluster of bad guys in one ASN is a Good Thing. Trivial to squelch by policy, degrade performance, or run traffic through “extra scrutiny”. This light has only sent the roaches skittering to find more legitimate entities for cover.

We have already seen a great deal of command & control vectors migrate to mobile entities. This only means more of the bad guys will be harder to find.

Posted by: JZP | September 23, 2008 8:12 AM | Report abuse

Now that the question of censorship is back on the table (not that is was ever off), again we seek "solution providers".

'Looks like there aren't any...


Posted by: J. Warren | September 23, 2008 8:13 AM | Report abuse

We need to enter the same sort of "ignorance of the law is no excuse" era on the internet that we experience in day to day life. Your equipment allows abuse, you are penalized. Your car free wheels in neutral down a hill and kills a child, you get charged.

Posted by: Eponymous | September 23, 2008 9:45 AM | Report abuse

Well another self-policing entity just like our financial institutions -- we see how they have fared with self-policing!!!!

Posted by: hotezzy | September 23, 2008 11:24 AM | Report abuse

"Прищемили хуй российским читерам, и по делом. Скоро совсем за жопу возьмут."

Rough translation: "The Russian cheats got caught with their pants down. Pretty soon they will be up a creek without a paddle" The exact translation is much cruder.

Posted by: GoogleUser | September 23, 2008 11:36 AM | Report abuse

No other measures are needed. The way you fight crime, greed, and so on is as a community. The site mentioned has allowed untold damage. It has spread spam and virus to unknowing people. It may have even been involved in phishing scams that were in affect looking for useful data IE credit card numbers SS numbers. If an ISP takes no action to insure its network is safe then its their problem when they go down in flames. Nit wits like Sachs and Goodin make their livings from these scumbags so their opinion is meaningless. The fact of the matter is. If you pis in my wheaties I'll pis in yours. Kudos to the one's responsible for the demise of this trashy ISP.

Posted by: askgees | September 23, 2008 11:56 AM | Report abuse

Way to go, Bryan. Updating the words we heard in the Wild West: "You kin add anotha notch to yer mouse pointer, partner!" My analogy is pretty apt. Lots of folks liken the WWW to the WW (Wild West). When the sheriff can't (or won't)function (read ICAAN), then the community will be heard from as it protects itself, and sometimes it ain't pretty.

Posted by: Pete from Arlington | September 23, 2008 12:28 PM | Report abuse

NANOG's lucky to run a meeting without a lot of flaming stupidity, much less the parts of the net they do influence.

I'd rather have my fingernails ripped out than have to deal with that group of freaks for any length of time.

Posted by: Nym | September 23, 2008 3:42 PM | Report abuse

Its loooooooooooooooooooong overdue.

You can't legislate away spam, web crimes, scams, trojans, and the rest.

..But honest business people don't have to enable them, either.

Ethically positive business actions within the law against criminals evading the law through loopholes and a blind eye is EXACTLY how ALL business people are supposed to act.


Posted by: JBE | September 23, 2008 4:33 PM | Report abuse


It would seem that Haliburton, McDonald Douglas, Lockheed, Black water, and a host of other companies missed that memo.

The US was practically founded on the principles of harming others in the name of profit. The Russians have just taken the next step in the same direction.

Posted by: Anonymous | September 24, 2008 8:57 AM | Report abuse

Spamhaus does not just put an ISP on a block list without careful investigation. ARTRIVO was hosting criminal spammers, identity theft gangs, botnet gangs and other criminal elements, that is well documented. Kacperski simply sent complaints to the null file and then lied about not getting them.

A couple of posters alluded to censorship. ISPs are privately owned and have the right to accept or reject any communications they want to. Censorship is the official banning of communication by the government, such as preventing the publication of a book.

ARTRIVO simply made themselves unwanted by their support of on line criminals for profit. It is time more of the rogue ISPs and registrars are blocked. Blocking works and our ISP is very aggressive. We do not get spam here.

Posted by: DLU | September 24, 2008 10:17 PM | Report abuse

Maybe Brian Krebs needs to run an ISP before he prints these kinds of articles. then he will see just what an ISP is up against in the online criminal community.

Posted by: DLU | September 24, 2008 10:20 PM | Report abuse

Those who have chosen to do business with Atrivo/Intercage/Estdomains have chosen poorly. They have failed to conduct proper due diligence, and are now enduring the consequences of that failure.

Given that baseline due diligence is possible with (a) a web browser (b) Google's Usenet archive and (c) a half hour, I have absolutely no sympathy for these lazy whiners. If their domains or hosting or anything were REALLY so terribly important, then perhaps they should have invested a tiny amount of time into ensuring that were not being handled by entities with an abuse history going back the best part of a decade.

(Yeah, that long, and that much. The apologists making excuses for them and/or trumpeting their 11th-hour conversion are either unaware of their lengthy history or have willingly turned a blind eye to it for reasons of their own.)

This is not the first time it's been necessary for the community to excise a cancer -- see "AGIS". It probably won't be the last, because law enforcement is missing, disinterested, unqualifed, incompetent, and far, far, far too slow.

This isn't necessarily a bad thing -- it's clearly preferable for the 'net community to police itself, as it has for decades.

Posted by: Rich Kulawiec | September 25, 2008 9:52 PM | Report abuse

It seems like a lot of the identity theft, viruses and other malware, spyware etc; that attack the users of the internet come out of the old Soviet Union. Crime is a big business there and maybe just the tip of the iceberg. What's the solution? More advanced firewall devices that sit in front of each users connection? Encrypted technology that slides into your USB and masks everything? Virus protection in the internet providers we use software? Looks like a great opportunity to build that better mouse trap.

Posted by: WallyG | September 26, 2008 2:11 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company