Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:
Right Axis: top 10 Ogee ASN volume (dotted curves)
It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested from the U.S. top 10 previously described also are in there, except AS 7796 ATMLINK and AS 13768 PEER1.
New here are these three:
|Feb Rank||(Jan Rank)||ASN||AS Name||AS Description|
|11||(124)||AS 3595||GNAXNET-AS||Global Net Access LLC|
|–||(-)||AS 16578||DATANOC||Lanset America Corporation|
All three of them are U.S. ASNs. The rankings shown above are for the U.S. top 250 ASNs. As you can see, two of them got a lot worse. The third, AS 3595 GNAXNET-AS, didn’t place in the U.S. top 250 for February (but it looks like it will for March!).
Let’s look at each of those three ASNs individually.
AS 3595 GNAXNET-AS plateaued on 2,3,4,5 March 2012:
That’s a pattern similar to those of AS 10439 CARINET and AS 32613 IWEB-AS.
AS 16578 DATANOC hasn’t even peaked yet:
AS 25653 FORTRESSITX has an even worse problem. It did peak on 1 March 2012, but then it started back up again on 9 March 2012:
It hasn’t peaked again yet, and it’s already higher than its first peak.
All three of the new ASNs in the top 10 ASNs for Ogee are ones that have highest spam peaks in March, because we selected the date axis for these graphs to run through from 1 February through 12 March (not just for February). All three of these ASNs have a continuing problem.
Early announcement of the Ogee infection detected through the SpamRankings.net reputational peer database could have helped them realize their problem and deal with it earlier. AS 25653 FORTRESSITX probably still could benefit by warning.