Did this spam spike come from any particular botnet?
[Figure: AS 3549 GBLX PSBL spam volume (left axis), CBL botnet volume (right axis)]
It looks like GBLX is infested with many botnets, but
the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak
on 16 Nov.
Given that the ASN volume spike is from PSBL data and the botnet
volume peak is from CBL data, a day off is plausible, due to different
collection and delivery times.
There’s also a peak for grum (green line near the bottom) on 17 Nov,
and peaks for festi and n/a on 18 Nov,
where n/a is CBL’s label for spam it detected without going as far as
working out which botnet it thinks sent it.
So the spam spike could be from cutwail.
Or it could be because of a coincidence of several botnet peaks.
Or it could be some other botnet that happened to do a spam campaign
on that day.
Given that the PSBL GBLX peak builds up on 16 Nov, I’d guess it
came mostly from cutwail.
We could try to resolve this question by digging into the specific
source addresses PSBL recorded for GBLX spam
and checking whether they match addresses CBL attributed to botnets.
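Here is what that cross-match looks like in code, as an added example that is not part of the original post and not PSBL’s or CBL’s own tooling. The record layouts, the AS 3549 prefix list, the year on the dates and all the sample records are constructed for illustration; the real feeds use their own formats. The one design point worth noting is the lag window: because the two lists have different collection and delivery times, an address is counted as matching a CBL label if CBL listed it within a day of the PSBL sighting, not only on the same day.

```python
"""Attribute PSBL spam sources inside one ASN to CBL botnet labels.

Added example, not code from the original post or from PSBL/CBL.
Record formats, prefixes, dates and sample data are all constructed.
"""
from collections import Counter
from datetime import date
import ipaddress

# Constructed: prefixes we assume are announced by AS 3549 (hypothetical,
# documentation ranges only; the real GBLX prefix list is much larger).
GBLX_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# The day of the PSBL volume spike. The year is arbitrary for the sample data.
SPIKE_DAY = date(2011, 11, 17)

# Constructed PSBL-style records: (date spam was seen, source IP).
PSBL_RECORDS = [
    (date(2011, 11, 16), "192.0.2.10"),
    (date(2011, 11, 17), "192.0.2.10"),
    (date(2011, 11, 17), "192.0.2.11"),
    (date(2011, 11, 17), "192.0.2.12"),
    (date(2011, 11, 17), "198.51.100.5"),
    (date(2011, 11, 17), "198.51.100.6"),
    (date(2011, 11, 17), "203.0.113.7"),   # not in GBLX: must be ignored
    (date(2011, 11, 18), "192.0.2.11"),
]

# Constructed CBL-style records: (listing date, IP, botnet label).
# "n/a" mirrors CBL's marker for spam detected without botnet attribution.
CBL_RECORDS = [
    (date(2011, 11, 16), "192.0.2.10", "cutwail"),   # one day before the spike
    (date(2011, 11, 17), "192.0.2.11", "cutwail"),
    (date(2011, 11, 17), "192.0.2.12", "grum"),
    (date(2011, 11, 18), "198.51.100.5", "festi"),   # one day after the spike
    (date(2011, 11, 18), "198.51.100.5", "n/a"),     # same IP, second label
    (date(2011, 11, 17), "203.0.113.7", "cutwail"),  # outside the ASN
    (date(2011, 11, 12), "198.51.100.6", "grum"),    # too old to count
]


def in_asn(ip):
    """True if ip falls inside one of the (assumed) AS 3549 prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GBLX_PREFIXES)


def build_cbl_index(records):
    """Map IP -> list of (listing date, botnet label)."""
    index = {}
    for listed, ip, botnet in records:
        index.setdefault(ip, []).append((listed, botnet))
    return index


def attribute(psbl, cbl, day, lag_days=1):
    """Count CBL botnet labels for in-ASN PSBL sources seen on `day`.

    A source matches a CBL entry when CBL listed that IP within
    +/- lag_days of `day`, allowing for the two lists' different
    collection and delivery times. An IP carrying several labels in
    that window is counted once per label; an IP with no label in the
    window is counted as "unmatched".
    """
    index = build_cbl_index(cbl)
    counts = Counter()
    for seen, ip in psbl:
        if seen != day or not in_asn(ip):
            continue
        labels = {bot for listed, bot in index.get(ip, [])
                  if abs((listed - day).days) <= lag_days}
        if not labels:
            counts["unmatched"] += 1
        for bot in labels:
            counts[bot] += 1
    return counts


if __name__ == "__main__":
    for lag in (0, 1):
        print(f"lag {lag} day(s):", dict(attribute(PSBL_RECORDS, CBL_RECORDS, SPIKE_DAY, lag)))
```

Run with the lag window set to zero and the same data attributes far less: two of the five GBLX sources drop from cutwail/festi into "unmatched" simply because CBL dated them a day away from PSBL. On real feeds, how much the answer moves between lag 0 and lag 1 is itself a useful sanity check before concluding the spike belonged to any one botnet.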