Author Archives: John S. Quarterman

Why more spam seen for OVH with v2 rankings than v1?

OVH Systems’ AS 16276 is #1 in the April 2013 SpamRankings.net worldwide from CBL data with 631,539,742 spam messages seen according to the new Version 2 of SpamRankings.net, while the same ASN is #3 in the old Version 1 rankings with 363,884,989 spam messages seen. Why the difference?

The difference is because Version 2 finds more netblocks assigned to AS 16276. Specifically:

72 netblocks currently assigned
27 netblocks previously assigned
14 netblocks are persistent
58 netblocks have been added
13 netblocks have been removed

Many more netblocks were found for AS 16276 only by Version 2 than were found only by Version 1. So the difference in the amount of spam presumably comes from those added netblocks. Yes, we can drill down and see, and we may do that later.
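To make the mechanism concrete, here is an added example (not SpamRankings.net code, and not using its data) of how two netblock-to-ASN snapshots change an ASN's spam total. It attributes a constructed per-IP spam tally to ASNs by longest-prefix match under an old and a new snapshot, diffs the netblocks assigned to one ASN into persistent/added/removed, and then splits the new total by whether each spam source fell in a persistent or an added netblock. All prefixes, addresses and counts are constructed placeholders (RFC 5737 documentation ranges and a private-use ASN), not the real AS 16276 assignments.

```python
"""Attribute spam-source counts to ASNs under two netblock snapshots and
diff the snapshots, so a change in a ranked total can be traced to the
netblocks that were added or removed between the two versions.

All netblocks, IP addresses and counts here are constructed for
illustration and are not SpamRankings.net or CBL data."""
import ipaddress
from collections import Counter

# Constructed snapshots: prefix -> ASN. AS 16276 (OVH) is the ASN under
# discussion; AS 64512 is a private-use ASN standing in for "some other
# network". None of these prefixes come from the original post.
V1_NETBLOCKS = {
    "192.0.2.0/24": 16276,
    "198.51.100.0/25": 16276,
    "198.51.100.128/25": 64512,
    "203.0.113.0/24": 64512,
}
V2_NETBLOCKS = {
    "192.0.2.0/24": 16276,        # persistent
    "198.51.100.0/25": 16276,     # persistent
    "198.51.100.128/25": 16276,   # added to 16276 (moved from 64512)
    "203.0.113.0/24": 64512,
    "203.0.113.64/26": 16276,     # added: more specific, wins by longest match
}

# Constructed spam-source tally, "ip count" per line, as a blocklist feed
# might summarise sightings for one month.
SPAM_FEED = """\
192.0.2.17 1200
198.51.100.9 800
198.51.100.200 3000
203.0.113.5 500
203.0.113.70 2500
"""


def build_table(netblocks):
    # Parse prefixes once and sort most-specific first, so the first hit
    # in a linear scan is the longest-prefix match.
    table = [(ipaddress.ip_network(p), asn) for p, asn in netblocks.items()]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def lookup(table, ip):
    """Return (matched_network, asn) for ip, or (None, None) if uncovered."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return net, asn
    return None, None


def parse_feed(feed):
    rows = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        ip, count = line.split()
        rows.append((ip, int(count)))
    return rows


def spam_per_asn(netblocks, feed):
    """Total spam per ASN under one netblock snapshot."""
    table = build_table(netblocks)
    totals = Counter()
    for ip, count in parse_feed(feed):
        _, asn = lookup(table, ip)
        if asn is not None:
            totals[asn] += count
    return dict(totals)


def netblock_diff(old, new, asn):
    """Persistent / added / removed netblocks for one ASN between snapshots."""
    old_set = {p for p, a in old.items() if a == asn}
    new_set = {p for p, a in new.items() if a == asn}
    return {
        "current": len(new_set),
        "previous": len(old_set),
        "persistent": sorted(old_set & new_set),
        "added": sorted(new_set - old_set),
        "removed": sorted(old_set - new_set),
    }


def spam_attribution_delta(old, new, feed, asn):
    """Split the ASN's total under `new` into spam seen on netblocks that were
    already assigned in `old` versus netblocks added in `new`."""
    added = {ipaddress.ip_network(p) for p in netblock_diff(old, new, asn)["added"]}
    table = build_table(new)
    on_persistent = on_added = 0
    for ip, count in parse_feed(feed):
        net, matched = lookup(table, ip)
        if matched != asn:
            continue
        if net in added:
            on_added += count
        else:
            on_persistent += count
    return {"persistent": on_persistent, "added": on_added}


if __name__ == "__main__":
    print("v1 totals:", spam_per_asn(V1_NETBLOCKS, SPAM_FEED))
    print("v2 totals:", spam_per_asn(V2_NETBLOCKS, SPAM_FEED))
    print("AS16276 netblock diff:", netblock_diff(V1_NETBLOCKS, V2_NETBLOCKS, 16276))
    print("AS16276 v2 split:", spam_attribution_delta(V1_NETBLOCKS, V2_NETBLOCKS, SPAM_FEED, 16276))
```

With these constructed inputs AS 16276 goes from 2,000 messages under the old snapshot to 7,500 under the new one, and the split shows the entire increase (5,500) landing on the two added netblocks, which is the kind of drill-down the post says is possible. The longest-prefix rule matters: the added /26 inside another ASN's /24 is what moves one of the sources.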

-jsq

Version 2 of SpamRankings.net

The April 2013 rankings include version 2 of the volume compilation method, with precise counts, resulting in slightly different ranking orders.

Top 3, April 2013 World SpamRankings.net from CBL data

For example, OVH, Hanaro, and Strato are the top three in both v1 and v2, but in a different order, in the April 2013 SpamRankings.net worldwide from CBL data.

Initially, we are only publishing v2 for March and April 2013. In a few weeks we will publish the rest of the historical v2 rankings back to match the same months as the v1 rankings. Old v1 rankings will be kept online indefinitely for comparison, but all new rankings will be v2.

-jsq

Adeox or Tamer

Here’s why we didn’t list a website for AS 42055 TAMER in the March SpamRankings.net for TR Turkey from CBL data. Various Autonomous System analysis sites, such as TCPIPUtils.com, list numerous domains for this AS: which domain is the main one? Hurricane Electric provides a graphical representation of which other ASNs route to AS 42055, and RobTex provides a graph with AS names as well as numbers. And RobTex provides a couple of clues:

WARNING! 1% (1/100) of the sites on ADEOX Dummy description for (as42055) is pornographic or otherwise sensitive content!

The first clue is that the main organizational name may be Adeox. The second clue is the content warning.

Google warns everyone away:


Odd goings-on in Turkey: March 2013 SpamRankings.net

AS 49879 HOSTHANE ISIK spammed enough in three days starting 26 March 2013 to make #4 in the March SpamRankings.net for TR Turkey from CBL data. TTnet’s AS 9121 spammed about 30% less, yet went from #2 to #1. The new #2, hosting company Adeox’s AS 42055 TAMER, went from zero to more than 15 million messages.

-jsq

Anti-Spam Blocklists DDoSed Down

At least three anti-spam blocklists were taken down this week by Distributed Denial of Service (DDoS) attacks: Spamhaus, CBL, and APEWS. The first two are back up; the third is not.

The Composite Blocking List (CBL) currently has this at the top of its home page:

Important Information on Spamhaus/CBL DDOS

Commencing March 19 the CBL was hit by a very large-scale distributed denial of service attack. At the time of writing (March 21, 00:15 UTC) this attack is still ongoing.

Throughout this period the CBL DNSBL has continued to remain available through the CBL mirrors and via Spamhaus XBL (and Zen), and we’ve been doing our utmost to restore the rest.

Access to the lookup/removal page has just been restored.

The CBL rsync facility has been restored.

Email to the CBL is not working yet.

We ask for your patience while we finish restoring the rest of the CBL to service.

SpamRankings.net is receiving CBL data normally again, although yesterday’s is lost.

We never saw any interruption in data from the Passive Spam Block List (PSBL).

Spamhaus says it got a 75Gbps DDoS attack, according to Liam Tung with CSO Online (Australia) today:


Current security models broken; need resilience; how about reputation?

Bruce Schneier asserted yesterday that Our Security Models Will Never Work — No Matter What We Do. After detailing why he thinks that (the bad guys can get new technology faster and have fewer restrictions on using it), he summarized:

As it gets easier for one member of a group to destroy the entire group, and the group size gets larger, the odds of someone in the group doing it approaches certainty. Our global interconnectedness means that our group size encompasses everyone on the planet, and since government hasn’t kept up, we have to worry about the weakest-controlled member of the weakest-controlled country. Is this a fundamental limitation of technological advancement, one that could end civilization? First our fears grip us so strongly that, thinking about the short term, we willingly embrace a police state in a desperate attempt to keep us safe; then, someone goes off and destroys us anyway?

If security won’t work in the end, what is the solution?


An Eerie Silence on Cybersecurity

Apparently it takes an alleged Chinese threat to get the New York Times to notice Internet security problems. The Times has escalated from a recent article to an editorial.

NYTimes Editorial 26 February 2013, An Eerie Silence on Cybersecurity, notes a few exceptions, and then remarks:

American companies have been disturbingly silent about cyberattacks on their computer systems — apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government.

In some cases, such silence might violate the legal obligations of publicly traded companies to share material information about their businesses. Most companies would tell investors if an important factory burned to the ground or thieves made off with hundreds of millions of dollars in cash.

Maybe it’s better to have a prescribed burn of released breach information than to have a factory fire of unprescribed released information.

Why don’t companies do this?


Companies fear reputation for bad security

As more companies come out of the closet about their Internet security being compromised, still more start to admit it. But many (perhaps most) don’t even know. Fortunately, there is a way the public can get a clue even about those companies.

Nicole Perlroth wrote for the NYTimes 20 February 2013 that corporations try to hide successful cracking of their Internet security:

Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless.

However, as some companies come out of the closet about this (Twitter, Facebook, Apple, etc.) and such

revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.

“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”

Now here’s the interesting part:


Primus dropped out of January 2013 Canada SpamRankings.net

The big winner was AS 7788 MAGMA-COMM, which dropped from #3 to #147 by decreasing from millions to less than a thousand spam messages in the January 2013 SpamRankings.net for Canada. Magma had a brief spate of Kelihos spam in the middle of the month, but it lasted less than a week. Almost as good was AS 6407 PRIMUS-AS6407, dropping from millions the previous month to a few hundred thousand, and from #6 to #11. That one, while beating its Kelihos problem, seems to have developed a Cutwail problem, which was sending increasingly more spam at the end of the month. Since Magma was bought by Primus in 2004, Primus gets double congratulations!

-jsq