Monthly Archives: July 2012

Grum down, but… 1 June 2012 – 30 July 2012,

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown took down the command and control nodes, presumably leaving the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs

Grum botnet and its top 10 ASNs
Graph by John S. Quarterman for

The updated Top 10 Botnets graph has good news and bad news:

Continue reading

Spam from Microsoft’s AS 8075 April 2011-June 2012

As we’ve seen, Microsoft’s AS 8075 is back on top in the June 2012 from PSBL data. Actually, AS 8075 is a chronic offender, having been #1 numerous times, often placing in the top 10, and (we can see in internal data) never going below #38:


Also, CBL does often see spam from AS 8075 at the same time PSBL does, even though CBL has never seen enough spam from that ASN for it to place in the U.S. top 10 from CBL data.

Volume data from PSBL and CBL graphed by

Volume data from PSBL and CBL aggregated and interpreted by
Graph by John S. Quarterman for

That’s a pretty dense graph, and internally it’s interactive for easy interpretation, but the dark purple line is PSBL volume and the lines with dots are various botnets and the like detected for AS 8075 by CBL. We can drill down to which IP addresses are producing the spam indicated by such rankings and graphs.

The main point is even mighty Microsoft often emits spam. Any big corporation is likely to have similar problems, because, like in the case of medical organizations, they’re likely to have some employees who will fall for phishing or other exploits. Even the most Internet-security-savvy organization can’t catch them all. can help with that, both by providing incentive (do you want your organization to be at the top of the rankings?) and by providing drilldowns to help localize the problem (so you can fix it and brag about dropping off the rankings).


Grum and other botnets, 1 June 2012 – 19 July 2012,

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, Huge spam botnet Grum is taken out by security researchers: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don’t really see Continue reading

Microsoft back on top in June

2 (1) AS 36692 OPENDNS
3 (-) AS 26769 BANDCON
4 (-) AS 22414 CRAIGS-NET-1
5 (-) AS 22822 LLNW
6 (-) AS 10912 INTERNAP-BLK

Beating even OPENDNS, Microsoft took #1 in U.S. PSBL June 2012 rankings.

Microsoft was last on top in the same rankings for April 2012. I thought Microsoft was a leader in Internet security?

In other news, Bell Canada’s AS 577 BACOM actually dropping off the Canadian June 2012 rankings from CBL data. Shaw took #1 and Iweb dropped to #2.

We have a new medical winner! It’s Hartford Hospital’s AS 11047 HHCC-ASN1. Gaining altitude at the end of the month was Joan and Sanford I. Weill Medical College and Graduate School of Medical Sciences of Cornell University with AS 20252 JSIWMC.

More on those and other developments in later blog posts.