Even while spamming a lot less,
AS 44565 VITAL still placed #1 again for spewing spam from Turkey
in the
November 2012
from CBL data.
Even as Vital got a handle on
its Kelihos problem,
AS 8386 KOCNET improved twice.
Maybe KOCNET is finally getting a grip on
its Festi problem.
KOCNET’s peak of 0.8 million messages in November is a lot less than
its peak of 1.3 million in September, although still far too many.
-jsq
OVH won again, more than doubling its spam spew of last month!
This is in the
November 2012
from CBL data.
Is that 407,726,779 spam messages in a single month a record?
Last month it was Kelihos.
This month it looks like darkmailer.
-jsq
Turkey, like
Belgium,
Canada,
U.S.,
and
the world,
has a Kelihos rampage problem in
from CBL data
for October 2012.
New Turkish #1 spammer AS 44565 VITAL TEKNOLOJI shows all the signs: rapidly increasing spamming and both Maazben and Kelihos botnets.
The other new Turkish top 10 ASNs, AS 42868 NIOBE AS 44922 MEDYABIM-AS, AS 12599 ATLAS-AS AS 49632 DATATELEKOM and AS 12987 OMURGA, all show lesser but still distinctive signs of the Kelihos rampage, namely Maazben botnet plus other unknown botnets. They all also only surged for a week or two, while Vital continued upwards.
-jsq
Belgium has a Kelihos problem in
from CBL data
for October 2012.
#1 Mobistar’s AS 12493 and #2 Telenet’s AS 6848 were spewing spam from
Kelihos, pushing all the other ASNs down the rankings.
Kelihos rampage: it’s not just for
north America!
A few other botnets have a bit of Kelihos, but only the top 2 for Belgium are part of the Kelihos rampage. (Newcomer AS 9031 EDPNET has a Cutwail problem.)
-jsq
The
Canadian top 10
were half the same as last month and half due to Kelihos
in the
from CBL data
for October 2012.
Canadian #1 iWeb (CBL; #10 PSBL)
made it into
the world CBL top 10
because of Kelihos.
The
rankings from PSBL data
were much closer to the CBL ones for Canada
than was the case for
the U.S.
or for
the world.
In this logarithmic chart you can see #3 AS 6327 SHAW, #7 AS 577 BACOM, #9 AS 855 CANET-ASN-4, and #10 AS 6407 PRIMUS-AS6407, the only Canadian ASNs that improved their CBL rank for October, going almost straight across the middle, decreasing towards the end of the month.
Three of those relatively static four also were infested with Kelihos. (The fourth, AS 6407 Primus, had a Lethic problem.)
While 25,000 spam messages a day, as seen by CBL for AS 6327 Shaw, is quite a sneeze, it’s not much Continue reading
We’ve seen that
botnets Kelihos and Maazben
account for most of the spam seen from
the entirely-new worldwide top 10 in the October 2012 Kelihos rampage.
What about a specific country?
The
U.S. top 10
are also entirely new (since last month):
are all those U.S. ASNs ranked like that because of the Kelihos rampage?
Two clues indicate yes:
the shapes of the U.S. curves are very similar to those of the
worldwide rankings,
and the U.S. top 3 are in the worldwide top 10.
But what about the rest of the U.S. top 10?
Let’s drill down to botnets in U.S. October 2012 SpamRankings.net from CBL data:
We can see 9 out of the U.S. top 10 are there mostly because of Maazben or Kelihos, often alternating for the same ASN, in the same pattern as for the worldwide top 10. So yes, 9 are in the U.S. top 10 because of the Kelihos rampage.
The one exception is Continue reading
Why do the
rankings from PSBL data
not look much like the
October 2012 rankings from CBL data in
?
Apparently because PSBL does not use the heuristic that CBL uses
that catches
the few IP addresses
that are spewing hundreds of thousands or millions
of spam messages a day.
Is this lack of correspondence between the CBL and PSBL rankings a problem?
What would be the point of having multiple rankings if they always
showed the same results?
But these are very different results:
none of the CBL top 10 show up in the PSBL top 10!
How can both the PSBL and CBL rankings be correct?
Let's look at the botnets associated with the
Kelihos rampage
in the
October 2012
.
Two botnets turn up the most Maazben and Kelihos.
Why call it the Kelihos rampage, then?
Because CBL's detection of each botnet depends on numerous continually-evolving heuristics, and in this case the same one is being triggered for both Maazen and Kelihos, and CBL thinks that particular heuristic is more characteristic of Kelihos.
The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems:
Continue reading
What's the Kelihos rampage mentioned in the
October 2012
?
It's a few IP addresses sending hundreds of thousands and even
millions of spam messages a day.
It seems to be associated with Kelihos botnet.
Those few addresses spewed so much spam they pushed entire countries,
The
Kelihos rampage pushed many countries, including
France,
Germany,
Hong Kong,
Thailand,
Canada,
Hungary,
Belarus,
Paraguay,
Singapore(!),
and
Mexico,
to the top of the
countries ranking.
Should we rank an ASN at the top of the world because of only a few addresses? We considered that at some length, but in the end it's no different from what's been going on with the medical rankings for a long time, except on larger scales (all ASNs, and many more messages from a few addresses).
These rankings don't mean the affected organizations aren't vigilant. They do seem to mean those organizations have an infestation they need to deal with.
-jsq
Congratulations to Belgacom, Mobistar,
Uganda-Telecom
and BASE Belgium for improving in the
September 2012
for
Belgium from CBL data!
But what’s behind Brutele and Mobistar and Gateway getting worse at the end of the month?
And what about Teledis, which is worse over the whole month, but better at the end?
For AS 12392 ASBRUTELE, the problem the whole month is Lethic botnet with a little Festi:
Continue reading