Monthly Archives: October 2012

Botnets behind the late-month upswings in Belgium in the September 2012

Congratulations to Belgacom, Mobistar, Uganda Uganda-Telecom and BASE Belgium for improving in the September 2012 for Belgium Belgium from CBL data! But what’s behind Brutele and Mobistar and Gateway getting worse at the end of the month? And what about Teledis, which is worse over the whole month, but better at the end?

For AS 12392 ASBRUTELE, the problem the whole month is Lethic botnet with a little Festi:

Continue reading

KOCNET outspams Turkey, gaining on TTNET’s record in September 2012

More than two-thirds top-10 Turkish spam came from KOCNET in September 2012 from CBL data More than two-thirds top-10 Turkish spam came from KOCNET in September 2012 for Turkey Turkey from CBL data. KOCNET’s 68.5% is about the same as its 68.7% for August and more than TTNET’s 65.2% for July but still not quite up to TTNET’s record of 78.3% in June. However, in June TTNET only spammed 6,362,167 messages (as seen in the CBL data), while KOCNET spammed 28,937,997 in September, which beats TTNET’s maximum messages a month in July 2011.


Global Crossing spammed the most from the U.S. in September 2012!

Bar chart: September 2012 U.S. from CBL Volume Winner and new champion: Global Crossing’s AS 3549 GBLX! GBLX won the September 2012 with almost half of all the spam from the top 10 seen in the CBL data and more than a third seen from PSBL. What accounts for this surge of U.S. spammy ASNs?

Top 10 botnets for top 10 ASNs, U.S., Sep 2012,

Pie chart: September 2012 U.S. from CBL Volume Yep, it’s Festi for #1 GBLX, #2 AS 17184 ATL-CBEYOND, for #3 AS 7018 ATT-INTERNET4, #8 AS 7385 INTEGRATELECOM and #10 AS 1239 SPRINTLINK. Congratulations AT&T for making the list! Well, not really congratulations, since it means you let a lot of outbound spam out.

However, it’s Lethic for #4 AS 8047 GCI, #5 AS 22258 COMCAST-22258, and #6 AS 20115 CHARTER-NET-HKY-NC.

Line chart: September 2012 U.S. from CBL Volume AS 3549 GBLX may have already peaked. AS 19529 RAZOR-PHL went up like a rocket at the end of the month! Will they swap ranks next month? And what’s driving RAZOR-PHL to the top? Hint: it’s the same as for #9 AS 25653 FORTRESSITX. Stay tuned!


ISPs, spam, and botnets? a case in Finland

In Finland, some ISPs proactively detect spamming botnets and do something about it.

A small company that does computer maintenance, “HS-Works Oy” located in Helsinki, HS-Works Oy Finland, received a computer from a customer that needed to be fixed since it was acting slow. HS-Works personnel hooked up the malfunctioning computer to the company’s switch to gain Internet access and so they could control it over their LAN.

Sonera After the computer was through the LAN to the Internet for a while, the local ISP (Sonera) realized someone from HS-Works was connecting to a known botnet and acting in possibly malicious way. So what did the ISP do?

The solution was rigid: they closed the Internet connection from HS-works and informed the company via an SMS message that there had been illicit or malicious connections originating from their IP address and the connection would remain closed until the problem was solved. All web traffic was directed to the ISP’s “Access blocked” page, which offers a link to a free 30-day trial of Sonera Internet Security package (F-Secure software branded under Sonera name).

Network access would be returned after the infected host was fixed or removed from the network. The company raised their firewalls to a more strict level and got the Internet access back on the same day.

How about Finland’s ranking in spam listings in general and the rest of the big Finnish ISP policies on spam? Stay tuned, more information about these on the next post!

-Sami Sainio

Data storage issues in

Data storage issues led to loss of some incoming data for the September 2012 Interestingly, the results seem almost normal anyway. Here is a speculation on why that can be.

Look just under any rankings chart for September 2012 and you’ll see this notice:

CBL dropouts 8,11 September 2012 were on our end.
PSBL data is unusable 4-15 Sep 2012 due to problems on our end.
September 2012 World All from CBL Volume
1 (2) AS 9829 BSNL-NIB India IN
2 (1) AS 25019 SAUDINETSTC-AS Saudi Arabia SA
3 (5) AS 6147 SAA Peru PE
4 (3) AS 8386 KOCNET Turkey TR
5 (4) AS 7643 VNPT-AS-VN Vietnam VN
6 (-) AS 9050 ROMTELECOM Romania RO

The source of the problem was embarassingly simple and easily fixed: not enough inodes. The CBL and PSBL data were affected differently because they arrive differently. We pick up from CBL daily a text summary table with a line per IP address. We get from PSBL an NNTP feed of spam messages, each in its own file, that we boil down to a summary. So for CBL, we either got the whole file (most days of the month), or we didn’t store it at all (8 and 11 September). For PSBL, for each incoming message, we either stored it or we didn’t. Which is why there are some days with PSBL data between 4 and 15 Sep, but the volume is lower than usual. The notice below the chart is dire because we prefer to be conservative about these things.

Yet the PSBL rankings show AS 9829 BSNL-NIB #1 worldwide just like Continue reading

India outspammed the world in September 2012

India India's BSNL-NIB beat Saudi Arabia Saudi Arabia's Saudinetstc for worst spamming organization in the world in the September 2012, and pushing India to the top of the world country rankings.

ASNs in Saudi Arabia, Turkey Turkey, and Vietnam Vietnam got better, but India, Peru Peru, and Romania Romania, picked up the slack. Is this more Festi festering in new ASNs in new countries? Stay tuned!


No Festi dip in LACNIC, July 2012

There was a dip in volume from the top 20 Festi-infested ASNs starting about 15 July 2012, bottoming out 21 July 2012, except one region’s ASNs did not dip.

Festi top 20

The three Latin American ASNs in the Festi botnet top 20 spammers did not dip:

Those are the only three LACNIC ASNs in the top 20 ASNs for Festi. Perhaps NIC policies matter? Or maybe it’s something in regional national infosec policies? It could still be national infosec policies, but why were all the other big Brazilian ASNs not Festi-infested?

But wait! Two others also did not dip:

Continue reading