Category Archives: Internet risk management strategies

Recompute Fall 2013 on

Glitches happen, and this one illustrates how rankings with big differences in spam volume are robust anyway.

A format change in an ancillary data source detected through consistency checks caused recomputations in selected rankings for September, October, and November 2013 in ( was unaffected). The old versions are preserved as v1 rankings, and the differences are visible for these overall rankings:

Geography    Sep 2013      Oct 2013     Nov 2013
World        CBL** PSBL    PSBL*        PSBL**
Countries    CBL PSBL      CBL PSBL     CBL PSBL
World        CBL** PSBL
Countries    CBL* PSBL*
* Completely unchanged in rank order
** Unchanged except for dropout at final rank
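As an added example (not code from the original post or its ranking system), here is the kind of check behind the recompute above: a field-count consistency check that flags a format change in an ancillary feed, and a comparison of a recomputed ranking against its preserved v1 version using the two footnote categories (completely unchanged in rank order, or unchanged except for a dropout at the final rank). All AS names, volumes and record lines are constructed sample data.

```python
from collections import Counter

def format_consistency_check(records, expected_fields, sep="|"):
    """Count fields per record line; any count other than expected_fields
    signals a format change in the ancillary data source. Returns
    {field_count: number_of_lines} for the offending counts only."""
    counts = Counter(len(line.split(sep)) for line in records if line.strip())
    return {n: c for n, c in counts.items() if n != expected_fields}

def rank_order(volumes, top_n):
    """Rank networks by descending spam volume (ties broken by name).
    A network with no observed spam drops out of the ranking entirely."""
    live = [(name, vol) for name, vol in volumes.items() if vol > 0]
    live.sort(key=lambda nv: (-nv[1], nv[0]))
    return [name for name, _ in live[:top_n]]

def compare_rankings(v1, v2):
    """Classify v2 against the preserved v1 ranking:
    'unchanged'                -> identical rank order (* in the table)
    'unchanged-except-dropout' -> only the final rank differs (** in the table)
    'changed'                  -> anything else"""
    if v1 == v2:
        return "unchanged"
    if len(v1) == len(v2) and v1[:-1] == v2[:-1]:
        return "unchanged-except-dropout"
    return "changed"

# Constructed ancillary records: the first three use the old 3-field
# format, the last one arrived in a new 4-field format.
OLD_RECORDS = ["AS-A|Example Net A|US", "AS-B|Example Net B|US",
               "AS-C|Example Net C|CA"]
MIXED_RECORDS = OLD_RECORDS + ["AS-E|Example Net E|BE|extra"]

# Constructed monthly spam volumes before (v1) and after the recompute (v2).
V1_VOLUMES = {"AS-A": 5_000_000, "AS-B": 1_500_000, "AS-C": 250_000, "AS-D": 1_000}
V2_VOLUMES = {"AS-A": 5_000_000, "AS-B": 1_500_000, "AS-C": 250_000, "AS-E": 900}

if __name__ == "__main__":
    print("format anomalies:", format_consistency_check(MIXED_RECORDS, 3))
    v1_top4, v2_top4 = rank_order(V1_VOLUMES, 4), rank_order(V2_VOLUMES, 4)
    print("top 4:", compare_rankings(v1_top4, v2_top4))
    print("top 3:", compare_rankings(rank_order(V1_VOLUMES, 3), rank_order(V2_VOLUMES, 3)))
```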

So the most noticeable rankings, for World, were

Charter, Comcast, and Windstream got worse in December 2013

Road Runner (Time Warner Cable) had four of the U.S. top 10 for December 2013, adding up to more spam spewed than #1 Charter and far more than #2 Comcast.

Two out of three of Road Runner’s entries got worse, and one, AS11427 SCRR-11427, popped up from #27 to join the top 10 at #9.

PaeTec (Windstream) popped up from #45 to #3 with one week’s burst of spam.

Internap’s AS12180 INTERNAP-2BLK dropped out of the top 10, plummeting from more than 5 million spam messages in November to none observed in the CBL data in December. Congratulations, Internap! Continuum Data Centers’ AS53264 CDC-LMB1 also did well, dropping from #10 to #57, down from 1.5 million to 0.25 million spam messages.


Canada and Belgium show tandem Kelihos infections in October 2013

Twin Kelihos infections in twin countries! Canada in both CBL and PSBL rankings shows tandem spam volume curves for Bell Canada’s AS577 BACOM and for Shaw Communications’ AS6327 SHAW. Meanwhile, Belgium in both CBL and PSBL rankings shows tandem curves for Brutele’s AS12392 ASBRUTELE and for Belgacom’s AS5432 BELGACOM-SKYNET-AS. This is not a coincidence, since all four networks show Kelihos infections in the CBL data.


Spam and Botnet Reputation Randomized Control Trials and Policy @ TPRC 41

How to do a ranking when you can’t present a rank list: use a distribution graph. Also how to do a randomized control trial when there are active enemy agents: five ways to find out if and how much they are affecting the results. This was in my apparently annual talk at TPRC 41, the Telecommunications Policy Research Conference in Arlington, Virginia.

With slides, abstract, full paper, and video. The sound is not good, though; it was taken with my smartphone. Why don’t conferences do their own video and put it on the web? There were a few sensitive presentations at this one, but they were few, and the rest could have gone up. They didn’t, so I got somebody to video with my phone.


Research to reduce spam emails and increase online security

The U. Texas campus newspaper pretty much gets it. I’ve added a few links and images.

Julia Brouillette wrote for the Daily Texan today, UT researchers work to reduce spam emails, increase online security,

A group of UT faculty members and graduate students have teamed up with UT’s Center for Research on Economic Commerce (CREC) to expose the companies that send out millions of spam emails every day., a website launched by the University’s Center for Research on Economic Commerce, displays rankings of companies by number of outgoing spam messages generated from roughly 18,000 U.S. and international organizations. The project creates models for email providers to reduce spam and is funded by two grants from the National Science Foundation, totaling approximately $1 million.

Head researcher John Quarterman said UT students, in particular, are at a high risk for identity theft because of spam.

“UT has had a big problem with student information being leaked to the outside world because of bad security,” Quarterman said. “Spam is getting out that may contain private information, like your identity.”

Quarterman said the easiest way for students to prevent spam from entering their inboxes is to maintain up-to-date software.

“Make sure you have all the updates to your operating system,” Quarterman said. “Antivirus software is worth running as well.”

According to Andrew Whinston, the center’s director and a management information systems professor, students are susceptible to deceptive links as they surf the Internet. Once the link is clicked, malicious software enters the computer system and new spam is generated.

“You have to be careful and not go to websites on the Internet that you are not really familiar with, or websites that are not authenticated in some way,” Whinston said.

Whinston said preventing spam starts

SIRA Security Event in VERIS Community Database of breaches

I’ve provoked an example breach report in the VERIS Community Database by the Verizon Risk Team, recorded in this JSON file, with this summary:

A secondary domain hosted by Bluehost was defaced by an opportunistic attack. We are consolidating the secondary domains in our primary provider and all domains will be pointing to our web site.

Last week I was looking to join SIRA’s email list and mistyped .com for .org. Finding had “HaCKeD By : brkod” on it, I mentioned that to SIRA. They fixed it as above.

The interesting part is that the VERIS Community Database is an effort to expand the annual Verizon Data Breach Investigations Report (DBIR) into something more timely and comprehensive: It’s not very big yet (63 commits and 1546 incidents), but it’s a welcome start. It doesn’t have nearly the comprehensiveness, frequency, nor regularity of the spam blocklist data underlying, but it has, or it can have, more depth in reporting what happened and why.

The VERIS Community Database


Botnets and Reputation Ranking at APWG in San Francisco 2013-09-17

On the agenda for APWG eCrime Tuesday 17 September 2013 in San Francisco:

Birds of a Feather (BOF)
Botnet Data Exchange for Botnet Node Remediation and Network Reputation Ranking
–Pat Cain, APWG
–John S. Quarterman, Quarterman Creations

I’ll be talking about among other reputational rankings.

APWG PR of 29 August 2013 says:

Global cybercrime-fighting association APWG is hosting its eCrime 2013 members meeting and research conference in San Francisco next month to launch its second decade of leading the global engagement with cybercrime, assembling commercial leaders from multinational technology and financial services companies, government and law enforcement agencies and industrial and academic researchers from around the world to update the global agenda for the long-term containment of the cybercrime scourge.
This is the tenth year of APWG, and the seventh year of the eCrime Researchers Summit.

I presented at

#1 third time: University of Pittsburgh Medical Center, July 2013

University of Pittsburgh Medical Center’s AS122 U-PGH-NET-AS is #1 again in the July 2013 worldwide medical ranking from CBL volume data.

July 2013 line chart

It’s also been #1 in June 2013, when it also spiked over 1,000,

Detection is much more important than prevention –Bruce Schneier

Reviewing Bruce Schneier’s 2004 book Secrets and Lies, much of which was written in 2000, reminds us of something really basic. You can’t just fix security. Security is a process, most of which is about knowing what’s going on. Detection is more important than prevention. To which I add that for detection we need comparable Internet-wide metrics on security performance so every organization can see what’s going on and will have incentive to do something about it because its customers and competitors can see, too. Sound familiar? That’s what is about.

Joe Zack posted in on Bastille Day, 14 July 2013, Secrets and Lies: Nine Years Later,

2. “Detection is much more important than prevention”

Schneier keeps coming back to this point. He had this epiphany in 1999 that “it is fundamentally impossible to prevent attacks” and “preventative countermeasures fail all the time.” Security is “about risk management, that the process of security was paramount, that detection and response was the real way to improve security.” (emphasis mine)

I had formerly thought of security as largely being about prevention. A year ago, if you had asked me about “InfoSec” I might have prattled on about firewalls, injection attacks, encryption and good passwords. That’s still important, but now I know that there’s a lot more to it.

Zack says he thinks Schneier was like Nostradamus for having such insight before NSA PRISM and even before Facebook. Sure, Bruce has always been ahead of his time. But that basic insight was not unique to him, and

Codero 2nd most reliable (Netcraft) and 3rd spammiest (

Codero jumped from #137 in May to #3 in the June 2013 U.S. ranking from CBL volume. For that same month, Netcraft ranked Codero #1 for hosting reliability. Netcraft ranks worldwide, and in the worldwide ranking Codero came in #9, which is still very impressive. I guess spammers prefer reliability. Who wouldn’t?