There was a dip in volume from the top 20 Festi-infested ASNs starting about 15 July 2012, bottoming out 21 July 2012, except one region’s ASNs did not dip.
The three Latin American ASNs in the Festi botnet top 20 spammers did not dip:
- AS 22927 TEL-ARGENTINA – Telefonica de Argentina
- AS 6147 SAA – Telefonica del Peru S.A.A.
- AS 7738 TELEMAR – Telecomunicacoes da Bahia S.A.
Those are the only three LACNIC ASNs in the top 20 ASNs for Festi. Perhaps NIC policies matter? Or maybe it’s something in regional national infosec policies? It could still be national infosec policies, but if so, why were all the other big Brazilian ASNs not Festi-infested?
But wait! Two others also did not dip:
- AS 8400 TELEKOM-AS – TELEKOM SRBIJA
- AS 3320 DTAG – Deutsche Telekom AG
Why would Germany and Serbia have the same policies as Brazil, Argentina, and Peru? If it were regional infosec policies, why would only two RIPE European ASNs be affected?
All five non-Festi-dippers had relatively low volumes of Festi spam around 15 July. And all five did show a big total volume dip a week earlier, from around 8 July to around 16 July. Maybe something else was going on.
Graphs by John S. Quarterman for SpamRankings.net.
All five ASNs were showing even more Cutwail spam, which is what dipped 8-16 July. So whatever was going on may have involved some sort of interaction between Cutwail and Festi.
-jsq
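The comparison above (which ASNs dipped in a given window, and which botnet dominated an ASN's volume at that time) can be reproduced from per-ASN daily counts. The script below is an added example, not SpamRankings.net code; its daily counts are constructed to mirror the shape described in the post (a Festi dip 15-21 July, a Cutwail dip 8-16 July), the ASNs 22927 and 3320 are taken from the post, and AS64496/AS64497 are documentation-range placeholder ASNs standing in for the top Festi senders. The dip threshold of 0.6 is an assumption.

```python
"""Flag which ASNs did or did not dip in a date window, per botnet.

Added example (not SpamRankings.net code). All counts are constructed.
"""
from statistics import mean


def _series(base, dip_days=(), dip_factor=1.0):
    """Constructed flat daily series (day-of-July -> count) with an optional dip."""
    return {d: (base * dip_factor if d in dip_days else base) for d in range(1, 32)}


# Windows taken from the post; the baseline week is an assumption.
FESTI_DIP = range(15, 22)      # 15-21 July 2012
CUTWAIL_DIP = range(8, 17)     # 8-16 July 2012
BASELINE = range(1, 8)         # 1-7 July, before either dip

# Constructed sample. AS64496/AS64497 are documentation ASNs (RFC 5398) used as
# placeholders for the big Festi-infested ASNs; AS22927 and AS3320 are from the post.
SAMPLE = {
    "Festi": {
        "AS64496": _series(1000, FESTI_DIP, 0.3),   # big sender, dips hard
        "AS64497": _series(800, FESTI_DIP, 0.4),
        "AS22927": _series(120),                    # low, flat: no Festi dip
        "AS3320": _series(150),
    },
    "Cutwail": {
        "AS64496": _series(500),
        "AS64497": _series(400),
        "AS22927": _series(900, CUTWAIL_DIP, 0.3),  # more Cutwail than Festi
        "AS3320": _series(1100, CUTWAIL_DIP, 0.35),
    },
}


def window_ratio(series, window, baseline):
    """Mean daily volume inside `window` divided by the mean over `baseline` days.

    A ratio well below 1.0 is a dip; close to 1.0 means the ASN did not dip.
    """
    w = mean(series[d] for d in window)
    b = mean(series[d] for d in baseline)
    return w / b if b else float("inf")


def classify_dips(counts, window, baseline, threshold=0.6):
    """Return ({asn: ratio}, sorted ASNs whose ratio is >= threshold, i.e. non-dippers)."""
    ratios = {asn: window_ratio(s, window, baseline) for asn, s in counts.items()}
    non_dippers = sorted(asn for asn, r in ratios.items() if r >= threshold)
    return ratios, non_dippers


def dominant_botnet(sample, asn, days):
    """Name of the botnet contributing the most of this ASN's volume over `days`."""
    totals = {bn: sum(sample[bn][asn][d] for d in days) for bn in sample}
    return max(totals, key=totals.get)


if __name__ == "__main__":
    for botnet, window in (("Festi", FESTI_DIP), ("Cutwail", CUTWAIL_DIP)):
        ratios, non_dippers = classify_dips(SAMPLE[botnet], window, BASELINE)
        print(f"{botnet}: ratios {{k: round(v, 2) for k, v in ratios.items()}}")
        print(f"  did not dip: {non_dippers}")
    around_15th = range(13, 18)
    for asn in ("AS22927", "AS3320", "AS64496"):
        print(f"{asn}: dominant botnet around 15 July = {dominant_botnet(SAMPLE, asn, around_15th)}")
```

On the constructed data the Festi pass flags AS22927 and AS3320 as non-dippers, the Cutwail pass flags the two placeholder ASNs instead, and the "dominant botnet" check shows the Festi non-dippers carrying mostly Cutwail traffic around 15 July, which is the pattern the post describes. With real per-ASN counts the same two passes would let you check the Cutwail/Festi interaction directly rather than by eye.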