Category Archives: IT Security

Spam from Microsoft’s AS 8075 April 2011-June 2012

As we’ve seen, Microsoft’s AS 8075 is back on top in the June 2012 SpamRankings.net from PSBL data. Actually, AS 8075 is a chronic offender, having been #1 numerous times, often placing in the top 10, and (we can see in internal data) never going below #38:

Month: Apr 2011, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec, Jan 2012, Feb, Mar, Apr, May, Jun
Rank (monthly, Apr 2011 through Jun 2012): 1123410373738821121

Also, CBL does often see spam from AS 8075 at the same time PSBL does, even though CBL has never seen enough spam from that ASN for it to place in the U.S. top 10 from CBL data.

Volume data from PSBL and CBL aggregated and interpreted by SpamRankings.net
Graph by John S. Quarterman for SpamRankings.net.

That’s a pretty dense graph, and internally it’s interactive for easy interpretation, but the dark purple line is PSBL volume and the lines with dots are various botnets and the like detected for AS 8075 by CBL. We can drill down to which IP addresses are producing the spam indicated by such rankings and graphs.

The main point is even mighty Microsoft often emits spam. Any big corporation is likely to have similar problems, because, like in the case of medical organizations, they’re likely to have some employees who will fall for phishing or other exploits. Even the most Internet-security-savvy organization can’t catch them all. SpamRankings.net can help with that, both by providing incentive (do you want your organization to be at the top of the rankings?) and by providing drilldowns to help localize the problem (so you can fix it and brag about dropping off the rankings).

-jsq

Grum and other botnets, 1 June 2012 – 19 July 2012, SpamRankings.net

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, Huge spam botnet Grum is taken out by security researchers: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for SpamRankings.net from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don’t really see…

Microsoft back on top in June SpamRankings.net

1 (2) AS 8075 MICROSOFT-CORP-MSN-AS-BLOCK
2 (1) AS 36692 OPENDNS
3 (-) AS 26769 BANDCON
4 (-) AS 22414 CRAIGS-NET-1
5 (-) AS 22822 LLNW
6 (-) AS 10912 INTERNAP-BLK

Beating even OPENDNS, Microsoft took #1 in U.S. PSBL June 2012 rankings.

Microsoft was last on top in the same rankings for April 2012. I thought Microsoft was a leader in Internet security?

In other news, Bell Canada’s AS 577 BACOM actually dropped off the Canadian June 2012 rankings from CBL data. Shaw took #1 and Iweb dropped to #2.

We have a new medical winner! It’s Hartford Hospital’s AS 11047 HHCC-ASN1. Gaining altitude at the end of the month was Joan and Sanford I. Weill Medical College and Graduate School of Medical Sciences of Cornell University with AS 20252 JSIWMC.

More on those and other developments in later blog posts.

-jsq


Stone Internet Services’ AS 39234 dropped like a rock in May 2012 SpamRankings.net

Some good news for Belgium! Stone Internet Services’ AS 39234 decreased spamming by 95% in May 2012, dropping from 8,212 on May Day to 321 on 28 May.

In the other direction, Brutele’s AS 12392 went from 2,220 on 3 May to 6,207 on 30 May, an increase of 279%.

And Uganda Telecom’s AS 21491 started up like a rocket at the end of the month, going from 1,046 on 26 May to 4,213 on 31 May, a 300% increase.

Now all these numbers are just samples by CBL, hints and whispers of the total amount of spam flying around the net. But when the curves move that fast, usually something is going on.

-jsq

CDM snowshoes to the top of the world in May 2012 SpamRankings.net

In addition to snowshoe spam taking 7 of the top 10 U.S. SpamRankings.net for May 2012, one of the snowshoe spamming companies, CDM, outspammed every other organization in the world! CDM’s AS 6428 outspammed even chronic world winner Vietnam PT.

In this graph, you can see CDM leap up from zero in March to 15.7 million spam messages in April and 48.8 million in May, and of course that’s just the messages caught by a few spamtraps.

The same spamtraps never saw more than 56 hosts sending all those messages. That was on 11 May 2012, when they saw 1,989,762 spam messages, for a ratio of 35,531 spam messages per sending host. That’s not exactly the old botnet low-and-slow technique. Snowshoe spam: it’s already in prime time!

And remember, CDM is not a hosting center: it’s an ISP. CDM continues to illustrate that snowshoe spam is no longer confined to the traditional profile of infesting hosting centers.

-jsq

Snowshoe took all top 7 in May U.S. CBL SpamRankings.net

Snowshoe appeared to have been the source for spam from all of the top seven spamming organizations in the May 2012 top 10 SpamRankings.net for the U.S. from CBL data. Only 3 were traditional ISPs (two cable companies, Comcast and Charter, plus Global Crossing). Snowshoe spam accounted for all but about 5% of spam from the U.S. top 10. And we already knew snowshoe is not just for hosting companies anymore.

At what point is snowshoe spam no longer a temporary black swan phenomenon, and becomes a prevailing trend?

-jsq

A few bad stones can darken an organization’s SpamRankings.net

Apparently a few infested computers can push a whole hosting service into the top 10 SpamRankings.net for its country. That’s bad, but on the other hand a few addresses should be easy to find and fix. If the infested organization wants to do so.

Take Stone Internet Services AS 39234 STONE-IS, which is the green line climbing to the top of the Belgium April 2012 rankings in the graph. On 30 April CBL caught more than 8,000 spam messages coming from STONE-IS, yet CBL only saw spam coming from a max of 3 STONE-IS IP addresses during that month. If those messages came evenly from each of those 3 addresses, that would be about 2,600 messages from each address, and more likely one of those addresses is the real culprit. Of course, that was almost certainly nowhere near all the spam that came from that ASN that month, and maybe not all the IP addresses sending them.

But compare to the number one source of spam from Belgium for…
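To make the arithmetic in this post and in the CDM post above concrete, here is an added example (not SpamRankings.net’s own code) that ranks ASNs from a constructed trap-hit feed and then drills down to the per-day and per-address figures the text walks through: volume, share of the top N, distinct sending hosts, messages per host, and the one address carrying most of the load. All ASNs, addresses and counts in it are made up.

```python
from collections import defaultdict

# Constructed sample feed (made up for this example): one row per day and sending
# address, the way a blocklist reports trap hits, tagged with the owning ASN.
HITS = [
    # (day, asn, ip, spam messages seen by the traps)
    ("2012-04-29", 39234, "198.51.100.10",  900),
    ("2012-04-29", 39234, "198.51.100.11",   40),
    ("2012-04-30", 39234, "198.51.100.10", 7800),
    ("2012-04-30", 39234, "198.51.100.11",  150),
    ("2012-04-30", 39234, "198.51.100.12",   62),
    ("2012-04-29", 64496, "203.0.113.5",    300),
    ("2012-04-30", 64496, "203.0.113.5",    250),
    ("2012-04-30", 64496, "203.0.113.6",    200),
    ("2012-04-30", 64497, "192.0.2.77",     500),
]

def volume_by_asn(hits):
    """Monthly spam volume per ASN, summed over every day and address."""
    totals = defaultdict(int)
    for _day, asn, _ip, n in hits:
        totals[asn] += n
    return dict(totals)
def rank_top(hits, previous, top_n=10):
    """Rank ASNs by volume: (rank, previous rank or '-', asn, volume, % of top-N)."""
    ranked = sorted(volume_by_asn(hits).items(), key=lambda kv: -kv[1])[:top_n]
    top_total = sum(v for _, v in ranked)
    return [(r, previous.get(asn, "-"), asn, v, round(100.0 * v / top_total, 1))
            for r, (asn, v) in enumerate(ranked, start=1)]
def peak_day(hits, asn):
    """Busiest day for one ASN: (day, messages, distinct hosts, messages per host)."""
    per_day = defaultdict(lambda: [0, set()])
    for day, a, ip, n in hits:
        if a == asn:
            per_day[day][0] += n
            per_day[day][1].add(ip)
    day, (msgs, hosts) = max(per_day.items(), key=lambda kv: kv[1][0])
    return day, msgs, len(hosts), msgs // len(hosts)
def top_sender(hits, asn, day):
    """Drill-down: the address carrying most of that day's volume and its share in %."""
    per_ip = defaultdict(int)
    for d, a, ip, n in hits:
        if a == asn and d == day:
            per_ip[ip] += n
    ip, n = max(per_ip.items(), key=lambda kv: kv[1])
    return ip, round(100.0 * n / sum(per_ip.values()), 1)
if __name__ == "__main__":
    for row in rank_top(HITS, {64496: 1, 39234: 3}):  # previous month's ranks, made up
        print("%d (%s) AS %d %d %.1f%%" % row)
    print(peak_day(HITS, 39234), top_sender(HITS, 39234, "2012-04-30"))
```

In the constructed data the busy ASN has three sending addresses on its peak day but one of them carries over 97% of the volume, which is the “one address is the real culprit” situation the post describes.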

Congratulations to Israel and Spain for dropping out of April World SpamRankings.net!

Israel and Spain were the only two countries to drop out of the world top 20 spammers from CBL data in April 2012. Congratulations!

Not so lucky were the U.K. and Turkey, which joined the top 20.

Also, South Korea got to #2 in the second and third weeks of the month, and placed third overall, up from fifth in March.

April 2012 Monthly Countries (All) SpamRankings.net from CBL Volume
(Previous month's rank in parentheses)

Rank (Previous)  Country               Population      Volume        % of top 20
 1 (1)           United States US        310,232,863   104,308,126   17.1%
 2 (2)           India IN              1,173,108,018    68,811,807   11.3%
 3 (5)           Korea, South KR          48,422,644    58,983,193   9.66%
 4 (6)           Vietnam VN               89,571,130    51,301,264   8.4%
 5 (3)           Brazil BR               201,103,330    38,033,087   6.23%
 6 (4)           Russian Federation RU   140,702,000    36,167,764   5.92%
 7 (8)           Taiwan TW                22,894,384    33,163,766   5.43%
 8 (7)           Poland PL                38,500,000    32,507,068   5.32%
 9 (9)           Romania RO               21,959,278    24,545,877   4.02%
10 (12)          Belarus BY                9,685,000    23,895,403   3.91%
11 (13)          China CN              1,330,044,000    18,743,935   3.07%
12 (14)          Peru PE                  29,907,003    17,293,193   2.83%
13 (11)          Ukraine UA               45,415,596    16,062,362   2.63%
14 (18)          Kazakhstan KZ            15,340,000    14,924,036   2.44%
15 (15)          Argentina AR             41,343,201    13,819,396   2.26%
16 (-)           United Kingdom GB        62,348,447    13,638,509   2.23%
17 (17)          Pakistan PK             184,404,791    12,320,247   2.02%
18 (10)          Indonesia ID            242,968,342    10,899,369   1.78%
19 (-)           Turkey TR                77,804,122    10,675,444   1.75%
20 (19)          Colombia CO              44,205,293    10,651,199   1.74%
                 Total                                 610,745,045   100%

In previous month's top 20, dropped out this month:
   (16)          Spain ES                 46,505,963    15,819,585
   (20)          Israel IL                 7,353,985    11,349,660

-jsq

An ISP snowshoes ahead in spamming

Continuing the question from “Ogee snowshoe: black swan or new strategy?”, let’s look at Ogee snowshoe spam in the first week of May 2012.

The two dotted lines trending down together in the middle are AS 29131 and AS 28178, and they both fit the traditional profile for snowshoe spam hosting sites, because they advertise hosting or colocation as their main services. AS 29131 is registered to RapidSwitch, which advertises dedicated servers, cloud solutions, and colocation. AS 28178, registered as Network Operations Center (NOC), which keeps on rolling waves of snowshoe spam, appears to be operating under the name BurstNet, which offers managed servers and co-location as its first two services.

However, the dotted line rising to the top right that pulled the solid overall snowshoe volume line back up is not a hosting center: it’s an ISP. CDM’s AS 6428 appears to be operating as Primary Network, whose first services are T-1 Internet access and metro Internet. And Primary Network is not alone. We’ve pulled out a list of all the ASNs affected by Ogee snowshoe so far, and quite a few of them are ISPs, some of them very well known ISPs.

Snowshoe: it’s not just for hosting centers anymore.

-jsq

Microsoft, world leader in Internet security: and spamming?

Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. for April 2012 in rankings from PSBL data, pushing the U.S. to #1 worldwide. Other rankings don’t show Microsoft high, but does MSFT really want to show up in any of these rankings?

Rank (Previous)  Country  Population      Spam Volume  Percent of top 10
 1 (3)           US         310,232,863     673,306    18.2%
 2 (2)           IN       1,173,108,018     506,397    13.7%
 3 (1)           CN       1,330,044,000     413,089    11.2%
                 Total                    3,689,376    100%

These rankings that show Microsoft high are derived by SpamRankings.net from PSBL blocklist data. The April 2012 SpamRankings.net from CBL blocklist data do not show Microsoft in the top 10. Apparently PSBL’s spam traps happened to be in the line of spam from Microsoft, while CBL’s were not.

And of course Microsoft probably doesn’t mean to be sending any of that spam. More likely botnets exploited a MSFT security vulnerability. Here’s hoping they clean it up soon!

-jsq