Category Archives: Research

Cleveland Clinic spewing spam again

Here’s why to look at more than one spam data source: according to the PSBL volume data for November 2011, Cleveland Clinic’s AS 22093 CCF-NETWORK spewed more than a hundred spam messages a day on multiple days, while CBL volume data showed Cleveland Clinic with only 42 spam messages for the entire month. Apparently PSBL’s spamtraps happened to be in the path of this CCF spam.

Now a couple of hundred spam messages a day isn’t much by world organization standards, but compared to what we’d all like to see from medical organizations (zero), it’s a lot.

Also compared to the other medical institutions in the same rankings from the same data, the pie chart looks like Pac Man and the bar graph looks like a hockey stick.

Maybe Cleveland Clinic didn’t get the memo after all.

-jsq

China does not lead Country Rankings from SpamRankings.net

An area where China does not lead the world: Country rankings by SpamRankings.net. China is only #13, but Brazil, Russia, and India (the other three BRICs) are in the top five countries by total spam messages for October 2011. U.S. is #10.

Vietnam came from behind a few months ago to place second for October.

Brazil had slumped as low as #6 in July, but has pulled back up into the leading pack.

After the top five, it’s a long-tail distribution indeed.

What is IPWORLDNET and why is it spamming from Canada?

In the October SpamRankings.net for Canada (from CBL data), IPWORLDNET is that big blue molar tooth in the graph on the right. In the interactive chart you can see IPWORLDNET’s Autonomous System (AS) 19875 winning the month with two bursts of spam, and then dropping almost to zero.

That’s not the only spamming churn activity in Canada for October. The log chart shows MetroBridge Networks Corporation AS 25976 METROBRIDGE-NET jumping up from zero to take ninth place. It looks like one organization may have cleaned up its act while another got infested.

Last month’s winner, Canaca-com’s AS 33139 CANACA-210, came in second. From there down it’s mostly the usual suspects in slightly different orders. Interestingly, long-term winner Bell Canada’s AS 577 BACOM only came in fourth. This is unusual for a national telco. Maybe they’re watching the rankings?

-jsq

Big Churn in the U.S. in October SpamRankings.net

Big churn in the U.S. for October 2011 included last month’s winner by spam volume vanishing, Comcast retaking the top spot but with only 2 out of the top 10, and colo FDCservers.net AS 30058 joining in at number ten.

All that and Numbers 2 and 3 didn’t even place last month. #3 AS 25653 FORTRESSITX jumped up from about a thousand spam messages a day to more than 200,000 and then back down. #2 AS 23376 APPSERVE came up from zero on 11 October to more than 225,000, dropped back briefly to zero on 22 October, and then resumed at around 65,000 a day. Both of those cases look suspiciously like single botnet infestations.

Comcast may be making some effort to reduce outbound spam. In July Comcast held 5 out of the top 10 US rankings; in August it held 4, in September it held 3, and in October only 2.

-jsq

How to leverage botnet takedowns

What is to be done when botnet takedowns don’t produce lasting benefits?

At the Telecommunications Policy and Research Conference in Arlington, VA in September, I gave a paper about Rustock Botnet and ASNs. Most of the paper is about effects of a specific takedown (March 2011) and a specific slowdown (December 2010) on specific botnets (Rustock, Lethic, Maazben, etc.) and specific ASNs (Korea Telecom’s AS 4766, India’s National Internet Backbone’s AS 9829, and many others).

The detailed drilldowns also motivate a higher level policy discussion.

Knock one down, two more pop up: Whack-a-mole is fun, but not a solution. Need many more takedowns, or many more organizations playing. How do we get orgs to do that? …
There is extensive theoretical literature that indicates

Upset in Canadian spam rankings: Canaca took first, Bell Canada down to fifth!

Canaca-com’s AS 33139 CANACA-210 rose from sixth place in August to first in September in SpamRankings.net for Canada from CBL data. Long-time winner Bell Canada’s AS 577 BACOM fell from first to fifth.

Two ASNs had big spurts of spam in September. iWeb’s AS 32613 got to second place in the last two weeks of the month. Like in August, IPWorld’s AS 19875 did one big spam spew, but this time it almost doubled its closest competitor, breaking 100,000 messages!

What is making Canada suddenly attractive to spammers?

-jsq

Massive effects of reputational rankings on law schools

Law schools game weak reputation rankings, which could be fixed, if the law schools, the bar association, or the ranking organization wanted to. If anyone doubts that reputational rankings can have massive effects on ranked organizations, read this.

David Segal wrote in the NYTimes 30 April 2011, Law Students Lose the Grant Game as Schools Win:

How hard could a 3.0 be? Really hard, it turned out. That might have been obvious if Golden Gate published a statistic that law schools are loath to share: the number of first-year students who lose their merit scholarships. That figure is not in the literature sent to prospective Golden Gate students or on its Web site.

Why would a school offer more scholarships than it planned to renew?

The short answer is this: to build the best class that money can buy, and with it, prestige. But these grant programs often succeed at the expense of students, who in many cases figure out the perils of the merit scholarship game far too late.

What makes law school rankings so easy to game?

The Big Drop: medical to zero in SpamRankings.net

A surprise in the July SpamRankings.net rankings: US medical rankings all went to zero by 14 July. World medical rankings went from hundreds and thousands to near zero between 17 and 24 July.

That’s in rankings from CBL data. PSBL shows much less data for medical organizations, yet nonetheless the same effect in both world and U.S. medical rankings.

No other rankings showed such a drop.

Did medical organizations actually clean up their act? Or did they just manage to whitelist their netblocks at CBL and PSBL?

Either way, it looks like they noticed SpamRankings.net.

-jsq

“botnet herders can add it to its spam-spewing botnet” —Fahmida Y. Rashid in eWeek.com

This reporter spits out a string of alliterative language that labels the problem that SpamRankings.net helps diagnose.

Fahmida Y. Rashid wrote in eWeek.com 8 June 2011, UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers:

“Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose.”

That’s a pretty good explanation for why outbound spam is a proxy for poor infosec.

-jsq

Krebs on SpamRankings.net

Brian Krebs wrote on his blog, Naming & Shaming Sources of Spam:

A new resource for spotlighting organizations that are unwittingly contributing to the global spam problem aims to shame junk email havens into taking more aggressive security measures.

SpamRankings.net is a project launched by the Center for Research in Electronic Commerce at the University of Texas at Austin. Its goal is to identify and call attention to organizations with networks that have been infiltrated by spammers.

Andrew Whinston, the center’s director, said the group initially is focusing on health care providers that appear to be infected with spam bots. “Nobody wants to do business with a bank or hospital or Internet hosting company that has been hijacked by spammers,” Whinston said. “It’s an environment in which user data can be stolen or compromised.”

The rest of his writeup quotes me quite a bit, and everyone knows I’m quite shy, so please go read his blog!

I will add that May data is live now on SpamRankings.net. Also, organizations that do better over time may want to brag, as has happened with a couple of U.S. organizations in May.

Here’s Krebs’ final paragraph:

I applaud this effort, and hope that it gains traction. I remain convinced that the Internet community would benefit from a more comprehensive and centralized approach to measuring badness on the Web. There are many existing efforts to measure reputation and to quantify badness online, but most of those projects seek to enumerate very specific threats (such as spam or hacked Web sites) and measure the problem from a limited vantage point. What is lacking is an organization that attempts to collate data collected by these disparate efforts and to publish that information in near real-time.

-jsq