Category Archives: Medical

#1 third time: University of Pittsburgh Medical Center, July 2013

University of Pittsburgh Medical Center‘s AS122 U-PGH-NET-AS is #1 again in the July 2013 worldwide medical from CBL volume data.

July 2013 line chart

It’s also been #1 in June 2013, when it also spiked over 1,000, Continue reading

Medical churn in December 2012

Good (Konkuk), improving (Cornell), and bad (eHealth) in the December 2012 country medical

First the good news: Konkuk University Hospital went from 297 spam messages last month to zero in December 2012, removing Korea Korea from the country medical rankings. Children’s Hospital & Health System and THE GOOD SAMARITAN HOSPITAL OF LEBANON PENNSYLVANIA also went to zero, and Yale-New Haven Health Services Corporation and Sutter Health dropped enough to fall out of the world top 10 medical ASNs emitting spam in

Now the apparently bad news that turned good. Continue reading

Festi botnet in July 2012 U.S. Medical from CBL

AS 122 U-PGH-NET-AS The curve that took University of Pittsburgh Medical Center‘s AS 122 U-PGH-NET-AS to number one in the July 2012 U.S. from CBL data is almost completely explained by Festi botnet, except for one day, plus the small curve at the beginning of the month was apparently caused by Grum botnet.

AS 17311 ECMC-BGP was infested with Festi (blue curve on the right) at the same time as AS 122, and AS 17311 earlier had a Cutwail botnet

Continue reading

Pittsburgh back in the top 10 for spam from U.S. medical organizations

And this time it's #1 in the July 2012 U.S. from CBL data:

AS 122 U-PGH-NET-AS in the same ranking over time:

Apr May Jun Jul Aug Sep Oct Nov Dec 2012
Feb Mar Apr May Jun Jul
34 32 32 8 31 8 4 29 32 33 30 32 29 6 5 9 1

University of Pittsburgh Medical Center's AS 122 U-PGH-NET-AS and Erie County Medical Center's AS 17311 ECMC-BGP not only took #1 and #2, they also spammed longer than other medical ASNs. That jumped them up 8 ranks each in one month.


Microsoft back on top in June

2 (1) AS 36692 OPENDNS
3 (-) AS 26769 BANDCON
4 (-) AS 22414 CRAIGS-NET-1
5 (-) AS 22822 LLNW
6 (-) AS 10912 INTERNAP-BLK

Beating even OPENDNS, Microsoft took #1 in U.S. PSBL June 2012 rankings.

Microsoft was last on top in the same rankings for April 2012. I thought Microsoft was a leader in Internet security?

In other news, Bell Canada’s AS 577 BACOM actually dropping off the Canadian June 2012 rankings from CBL data. Shaw took #1 and Iweb dropped to #2.

We have a new medical winner! It’s Hartford Hospital’s AS 11047 HHCC-ASN1. Gaining altitude at the end of the month was Joan and Sanford I. Weill Medical College and Graduate School of Medical Sciences of Cornell University with AS 20252 JSIWMC.

More on those and other developments in later blog posts.



Cleveland Clinic wins one way, then another, in

1(4)AS 22093 CCF-NETWORKUnited States US
3(1)AS 25611 NSLIJHSUnited States US
4(-)AS 19335 APRIA-HEALTHCAREUnited States US
5(2)AS 9208 WINBelgium BE
6(7)AS 122 U-PGH-NET-ASUnited States US
Cleveland Clinic took #1 in the May 2012 worldwide medical So Cleveland Clinic’s AS 22093 won the worldwide medical rankings by spamming the most of any medical organization worldwide, as found in CBL blocklist data. Boo Cleveland Clinic!

Yet AS 22093 CCF-NETWORK dropped like a rock on 7 May 2012, going to zero the next day, and staying there. So Cleveland Clinic also was most improved for May 2012 medical organizations. Congratulations, Cleveland Clinic!

This feat of IT security cleanliness shouldn’t have been hard for CCF, since AS 22093 CCF-NETWORK seems to have had a Lethic problem, which CBL saw on no more than 3 hosts. Sure, there could have been more hosts infected than that, and CBL just might not have seen them all. But 3 is far smaller than what CBL sees for a typical botnet infection, so the number of infected hosts probably was quite small. Which means it should have been easy for CCF to find them all and fix them.

Hm, maybe being #4 last month gave CCF some incentive?


CSHS is back in January 2012

In, January PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.

The three with more than 100 spam messages for the month were

each accounting for about a third of the total spam volume seen from medical organizations by CBL in January 2012.

Cedars-Sinai Health Systems‘ AS 22328 CSHS came in only seventh in PSBL data, with only 10 spam messages. But in CBL data, CSHS came in first, with 2,873 messages. That’s not a lot, compared to, for example, Comcast, which CBL saw spamming more than two million messages during the same month. But what patients would prefer to see from medical organizations is zero spam messages, since spam is a sneeze for infosec disease, and who wants to think their hospital’s information security or radiology computers might be infected?

Chances are CSHS will notice and clean it up pretty quick. Those other three medical orgs may have some sort of more chronic problem….


World PM2.5 Map as reputation

NASA posted 22 October 2009, New Map Offers a Global View of Health-Sapping Air Pollution
In many developing countries, the absence of surface-based air pollution sensors makes it difficult, and in some cases impossible, to get even a rough estimate of the abundance of a subcategory of airborne particles that epidemiologists suspect contributes to millions of premature deaths each year. The problematic particles, called fine particulate matter (PM2.5), are 2.5 micrometers or less in diameter, about a tenth the fraction of human hair. These small particles can get past the body’s normal defenses and penetrate deep into the lungs.
Even satellite measurements are difficult (clouds, snow, sand, elevation, etc.). But not impossible:

Continue reading

The Big Drop: medical to zero in

A surprise in the July rankings: US medical rankings all went to zero by 14 July. World medical rankings went from hundreds and thousands to near zero between 17 and 24 July.

That’s in rankings from CBL data. PSBL shows much less data for medical organizations, yet nonetheless the same effect in both world and U.S. medical rankings.

No other rankings showed such a drop.

Did medical organizations actually clean up their act? Or did they just manage to whitelist their netblocks at CBL and PSBL?

Either way, it looks like they noticed


“botnet herders can add it to its spam-spewing botnet” —Fahmida Y. Rashid in

This reporter spits out a string of alliterative language that labels the problem that helps diagnose.

Fahmida Y. Rashid wrote in 8 June 2011, UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers:

“Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose.”
That’s a pretty good explanation for why outbound spam is a proxy for poor infosec.