OVH won again, more than doubling its spam spew of last month! This is in the November 2012 rankings from CBL data.
Is that 407,726,779 spam messages in a single month a record?
Last month it was Kelihos. This month it looks like darkmailer.
-jsq
Turkey, like Belgium, Canada, the U.S., and the world, has a Kelihos rampage problem in the rankings from CBL data for October 2012.
New Turkish #1 spammer AS 44565 VITAL TEKNOLOJI shows all the signs: rapidly increasing spamming and both Maazben and Kelihos botnets.
The other new Turkish top 10 ASNs, AS 42868 NIOBE, AS 44922 MEDYABIM-AS, AS 12599 ATLAS-AS, AS 49632 DATATELEKOM, and AS 12987 OMURGA, all show lesser but still distinctive signs of the Kelihos rampage, namely the Maazben botnet plus other unknown botnets. They all also only surged for a week or two, while Vital continued upwards.
-jsq
Belgium has a Kelihos problem in the rankings from CBL data for October 2012.
#1 Mobistar’s AS 12493 and #2 Telenet’s AS 6848 were spewing spam from Kelihos, pushing all the other ASNs down the rankings.
Kelihos rampage: it’s not just for North America!
A few other botnets have a bit of Kelihos, but only the top 2 for Belgium are part of the Kelihos rampage. (Newcomer AS 9031 EDPNET has a Cutwail problem.)
-jsq
The Canadian top 10 were half the same as last month and half due to Kelihos in the rankings from CBL data for October 2012.
Canadian #1 iWeb (CBL; #10 PSBL) made it into the world CBL top 10 because of Kelihos.
The rankings from PSBL data were much closer to the CBL ones for Canada than was the case for the U.S. or for the world.
In this logarithmic chart you can see #3 AS 6327 SHAW, #7 AS 577 BACOM, #9 AS 855 CANET-ASN-4, and #10 AS 6407 PRIMUS-AS6407, the only Canadian ASNs that improved their CBL rank for October, going almost straight across the middle, decreasing towards the end of the month.
Three of those relatively static four also were infested with Kelihos. (The fourth, AS 6407 Primus, had a Lethic problem.)
While 25,000 spam messages a day, as seen by CBL for AS 6327 Shaw, is quite a sneeze, it’s not much
We’ve seen that the botnets Kelihos and Maazben account for most of the spam seen from the entirely-new worldwide top 10 in the October 2012 Kelihos rampage.
What about a specific country? The U.S. top 10 are also entirely new (since last month): are all those U.S. ASNs ranked like that because of the Kelihos rampage?
Two clues indicate yes: the shapes of the U.S. curves are very similar to those of the worldwide rankings, and the U.S. top 3 are in the worldwide top 10.
But what about the rest of the U.S. top 10?
Let’s drill down to botnets in U.S. October 2012 SpamRankings.net from CBL data:
We can see 9 out of the U.S. top 10 are there mostly because of Maazben or Kelihos, often alternating for the same ASN, in the same pattern as for the worldwide top 10. So yes, 9 are in the U.S. top 10 because of the Kelihos rampage.
The one exception is
Why do the rankings from PSBL data not look much like the October 2012 rankings from CBL data?
Apparently because PSBL does not use the heuristic that CBL uses that catches the few IP addresses that are spewing hundreds of thousands or millions of spam messages a day.
Is this lack of correspondence between the CBL and PSBL rankings a problem?
What would be the point of having multiple rankings if they always
showed the same results?
But these are very different results:
none of the CBL top 10 show up in the PSBL top 10!
How can both the PSBL and CBL rankings be correct?
Let's look at the botnets associated with the Kelihos rampage in the October 2012 rankings.
Two botnets turn up the most: Maazben and Kelihos.
Why call it the Kelihos rampage, then?
Because CBL's detection of each botnet depends on numerous continually-evolving heuristics, and in this case the same one is being triggered for both Maazben and Kelihos, and CBL thinks that particular heuristic is more characteristic of Kelihos.
The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems:
What's the Kelihos rampage mentioned in the October 2012 rankings?
It's a few IP addresses sending hundreds of thousands and even millions of spam messages a day. It seems to be associated with the Kelihos botnet.
Those few addresses spewed so much spam they pushed entire countries,
The Kelihos rampage pushed many countries, including France, Germany, Hong Kong, Thailand, Canada, Hungary, Belarus, Paraguay, Singapore(!), and Mexico, to the top of the countries ranking.
Should we rank an ASN at the top of the world because of only a few addresses? We considered that at some length, but in the end it's no different from what's been going on with the medical rankings for a long time, except on larger scales (all ASNs, and many more messages from a few addresses).
These rankings don't mean the affected organizations aren't vigilant. They do seem to mean those organizations have an infestation they need to deal with.
-jsq
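The two points above, that a feed which does not catch the few mega-spewing addresses ranks the same ASNs very differently, and that an ASN can top the ranking on the strength of a handful of addresses, are easier to see with numbers. The following is an added example, not code or data from SpamRankings.net, CBL or PSBL: the per-address volumes are constructed, the ASN numbers are borrowed from this page only as labels, and the 100,000-a-day cutoff used to model "hundreds of thousands a day" senders is an assumption. It also computes the share-of-top-10 figure used in the Turkish rankings below.

```python
"""Rank ASNs by spam volume from per-address counts and show how a few
addresses spewing hundreds of thousands of messages a day can decide a
ranking, while a feed that does not see those addresses ranks the same
ASNs very differently."""
from collections import defaultdict

DAYS_IN_MONTH = 31  # October 2012

# Constructed sample, not CBL or PSBL data: (asn, address, messages seen in the month).
# The ASNs are ones named on this page; the addresses and volumes are made up.
SAMPLE = [
    ("AS16276", "198.51.100.10", 120_000_000),  # two addresses sending millions a day
    ("AS16276", "198.51.100.11", 60_000_000),
    ("AS16276", "198.51.100.12", 50_000),
    ("AS16276", "198.51.100.13", 30_000),
    ("AS12493", "203.0.113.20", 40_000_000),    # one address sending ~1.3M a day
    ("AS12493", "203.0.113.21", 10_000),
    ("AS577", "192.0.2.1", 300_000),            # steady, spread over several addresses
    ("AS577", "192.0.2.2", 280_000),
    ("AS577", "192.0.2.3", 260_000),
    ("AS577", "192.0.2.4", 250_000),
    ("AS6327", "192.0.2.30", 400_000),          # ~25,000 a day in total, "quite a sneeze"
    ("AS6327", "192.0.2.31", 375_000),
    ("AS855", "192.0.2.40", 150_000),
    ("AS855", "192.0.2.41", 140_000),
    ("AS9031", "192.0.2.50", 120_000),
    ("AS9031", "192.0.2.51", 110_000),
    ("AS6407", "192.0.2.60", 200_000),
]

# Assumed cutoff for "hundreds of thousands of messages a day" senders.
HEAVY_PER_DAY = 100_000


def is_heavy(rec, days=DAYS_IN_MONTH):
    """True when one address averages HEAVY_PER_DAY or more messages a day."""
    return rec[2] / days >= HEAVY_PER_DAY


def totals_by_asn(records, keep=lambda rec: True):
    """Sum messages per ASN over the records that `keep` accepts."""
    totals = defaultdict(int)
    for rec in records:
        if keep(rec):
            totals[rec[0]] += rec[2]
    return dict(totals)


def ranking(records, keep=lambda rec: True):
    """ASNs ordered by total volume, largest first (ASN string breaks ties)."""
    totals = totals_by_asn(records, keep)
    return sorted(totals, key=lambda asn: (-totals[asn], asn))


def rampage_signature(records, asn, min_share=0.9):
    """True when heavy senders make up at least `min_share` of the ASN's volume:
    the ASN's rank is decided by a few addresses, not by a broad infestation."""
    mine = [rec for rec in records if rec[0] == asn]
    total = sum(rec[2] for rec in mine)
    heavy = sum(rec[2] for rec in mine if is_heavy(rec))
    return total > 0 and heavy > 0 and heavy / total >= min_share


def share_of_top(records, asn, n=10):
    """Fraction of the top-n ASNs' combined volume that `asn` accounts for
    (the "68.5% of top-10 Turkish spam" kind of figure); 0.0 if not in the top n."""
    totals = totals_by_asn(records)
    top = ranking(records)[:n]
    if asn not in top:
        return 0.0
    return totals[asn] / sum(totals[a] for a in top)


if __name__ == "__main__":
    every_sender = ranking(SAMPLE)
    no_heavy = ranking(SAMPLE, keep=lambda rec: not is_heavy(rec))
    print("feed that counts the heavy senders:", every_sender[:5])
    print("feed that does not see them:       ", no_heavy[:5])
    totals = totals_by_asn(SAMPLE)
    for asn in every_sender:
        flag = "rampage" if rampage_signature(SAMPLE, asn) else ""
        print(f"{asn:8} {totals[asn]:>12,} {share_of_top(SAMPLE, asn):6.1%} {flag}")
```

With the heavy senders counted, AS16276 and AS12493 lead and AS16276 alone is about 81% of the top-10 total; with those few addresses invisible, the same two ASNs fall to the bottom and the steady, spread-out senders rise to the top. Neither ranking is wrong: each is correct for what its feed sees, which is the situation described for CBL versus PSBL above. The `rampage_signature` check separates the two cases, so an ASN that is high only because of a few addresses can be reported as an infestation to deal with rather than as a broadly negligent network.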
Congratulations to Belgacom, Mobistar, Uganda-Telecom and BASE Belgium for improving in the September 2012 rankings for Belgium from CBL data!
But what’s behind Brutele and Mobistar and Gateway getting worse at the end of the month?
And what about Teledis, which is worse over the whole month, but better at the end?
For AS 12392 ASBRUTELE, the problem the whole month is Lethic botnet with a little Festi:
More than two-thirds of top-10 Turkish spam came from KOCNET in the September 2012 rankings for Turkey from CBL data.
KOCNET’s 68.5% is about the same as its 68.7% for August and more than TTNET’s 65.2% for July, but still not quite up to TTNET’s record of 78.3% in June.
However, in June TTNET only spammed 6,362,167 messages (as seen in the CBL data), while KOCNET spammed 28,937,997 in September, which beats TTNET’s maximum messages a month in July 2011.
-jsq