What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:

Left Axis: Total Ogee volume (spam messages);
Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested ASNs from the U.S. top 10 previously described are also in there, except AS 7796 ATMLINK and AS 13768 PEER1.

New here are these three:

| Feb Rank | (Jan Rank) | ASN | AS Name | AS Description |
|---|---|---|---|---|
| 11 | (124) | AS 3595 | GNAXNET-AS | Global Net Access LLC |
|  | (-) | AS 16578 | DATANOC | Lanset America Corporation |
| 18 | (-) | AS 25653 | FORTRESSITX | FortressITX |

All three of them are U.S. ASNs. The rankings shown above are for the U.S. top 250 ASNs. As you can see, two of them got a lot worse. The third, AS 3595 GNAXNET-AS, didn’t place in the U.S. top 250 for February (but it looks like it will for March!).

Let’s look at each of those three ASNs individually.

AS 3595 GNAXNET-AS plateaued on 2, 3, 4, 5 March 2012:

That’s a pattern similar to those of AS 10439 CARINET and AS 32613 IWEB-AS.

AS 16578 DATANOC hasn’t even peaked yet:

How high will it go, and for how long?

AS 25653 FORTRESSITX has an even worse problem. It did peak on 1 March 2012, but then it started back up again on 9 March 2012:

It hasn’t peaked again yet, and it’s already higher than its first peak.

All three of the new ASNs in the top 10 ASNs for Ogee are ones that have their highest spam peaks in March, because we selected the date axis for these graphs to run from 1 February through 12 March (not just February). All three of these ASNs have a continuing problem.
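How the choice of date window changes top-N membership, along with the "came up from zero" and "hasn't peaked yet" checks, as an added example that is not SpamRankings.net code or data. The AS names and daily counts are constructed placeholders and the function names are hypothetical.

```python
from datetime import date

# Constructed daily spam counts per ASN (placeholder names, not SpamRankings.net data).
# Days absent from a series count as zero volume.
VOLUME = {
    "AS-EARLY":   {date(2012, 2, 18): 100, date(2012, 2, 19): 900, date(2012, 2, 20): 300},
    "AS-PLATEAU": {date(2012, 2, 28): 50, date(2012, 3, 2): 800, date(2012, 3, 3): 800,
                   date(2012, 3, 4): 800, date(2012, 3, 5): 800, date(2012, 3, 6): 200},
    "AS-RISING":  {date(2012, 3, 8): 100, date(2012, 3, 10): 500, date(2012, 3, 12): 1200},
    "AS-RESURGE": {date(2012, 3, 1): 600, date(2012, 3, 2): 100, date(2012, 3, 9): 200,
                   date(2012, 3, 11): 700, date(2012, 3, 12): 900},
}

def in_window(series, start, end):
    """Return the (day, count) pairs of a series that fall inside [start, end]."""
    return sorted((d, c) for d, c in series.items() if start <= d <= end)

def top_n(volume, start, end, n):
    """Rank ASNs by total volume inside the window, dropping ASNs with none."""
    totals = {asn: sum(c for _, c in in_window(s, start, end)) for asn, s in volume.items()}
    ranked = sorted((a for a in totals if totals[a] > 0), key=lambda a: (-totals[a], a))
    return ranked[:n]

def first_seen(series):
    """First day with non-zero volume; a botnet new to the data has no earlier days."""
    return min(d for d, c in series.items() if c > 0)

def not_yet_peaked(series, start, end):
    """True when the window's maximum falls on the window's last day."""
    points = in_window(series, start, end)
    return bool(points) and max(points, key=lambda p: p[1])[0] == end

FEB = (date(2012, 2, 1), date(2012, 2, 29))    # February only
FULL = (date(2012, 2, 1), date(2012, 3, 12))   # the window used for the graphs

if __name__ == "__main__":
    print("Feb only :", top_n(VOLUME, *FEB, 3))
    print("to 12 Mar:", top_n(VOLUME, *FULL, 3))
    for asn, s in VOLUME.items():
        print(asn, first_seen(s), "rising" if not_yet_peaked(s, *FULL) else "peaked")
```

With the February-only window the late-surging series barely register; extending the window to 12 March moves them to the top and flags the ones whose maximum is still the most recent day.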

Early announcement of the Ogee infection detected through the SpamRankings.net reputational peer database could have helped them realize their problem and deal with it earlier. AS 25653 FORTRESSITX probably still could benefit from a warning.