Apparently a few infested computers can push a whole hosting service into the SpamRankings.net top 10 for its country. That’s bad, but on the other hand a few addresses should be easy to find and fix, if the infested organization wants to do so.
Take Stone Internet Services AS 39234 STONE-IS, which is the green line climbing to the top of the Belgium April 2012 rankings in the graph. On 30 April CBL caught more than 8,000 spam messages coming from STONE-IS, yet CBL only saw spam coming from a maximum of 3 STONE-IS IP addresses during that month. If those messages came evenly from each of those 3 addresses, that would be about 2,600 messages from each address, and more likely one of those addresses is the real culprit. Of course, that was almost certainly nowhere near all the spam that came from that ASN that month, and maybe not all the IP addresses sending it.
But compare to the number one source of spam from Belgium for
1 | (1) | AS 41451 TELEDIS-AS |
2 | (3) | AS 12392 ASBRUTELE |
3 | (8) | AS 39234 STONE-IS |
4 | (2) | AS 5432 BELGACOM-SKYNET-AS |
5 | (6) | AS 25395 GWC-AS |
6 | (5) | AS 12493 AS12493 |
TELEDIS-AS also seems to have a cutwail and lethic problem, and those are well-known botnets. STONE-IS, on the other hand, shows none of the usual old-timey well-known suspects, and does show a darkmailer problem. Hm, Dark Mailer, which according to Spamhaus is illegal in Australia, where one of its kingpins used to live, not to mention in the U.S., where, as Dan Goodin wrote for The Register back on 23 July 2008, "Seattle Spam King Dark Mailer faces 47-month sentence". Hm, it’s not quite 47 months later, so apparently somebody else is running the same or a similar scam. As the current Wikileaks writeup on Dark Mailer notes:
Dark Mailer is the hub of quite a few mass spamming utilities. One of the most prominent is dm.cgi, a script which bombards predefined e-mail addresses using the CGI capabilities of compromised websites or whole servers.
Laws aren’t stopping spam. Maybe reputation will help, by revealing infested organizations and thus giving them incentive to do something about it.
-jsq