Category Archives: Research

Botnets behind the late-month upswings in Belgium in the September 2012 SpamRankings.net?

Congratulations to Belgacom, Mobistar, Uganda-Telecom and BASE Belgium for improving in the September 2012 SpamRankings.net for Belgium from CBL data! But what is behind Brutele, Mobistar and Gateway getting worse at the end of the month? And what about Teledis, which is worse over the whole month but better at the end?

For AS 12392 ASBRUTELE, the problem for the whole month is the Lethic botnet, with a little Festi:


KOCNET outspams Turkey, gaining on TTNET’s record in September 2012 SpamRankings.net

More than two-thirds of the top-10 Turkish spam came from KOCNET in the September 2012 SpamRankings.net for Turkey from CBL data. KOCNET's 68.5% is about the same as its 68.7% for August and more than TTNET's 65.2% for July, but still not quite up to TTNET's record of 78.3% in June. However, in June TTNET only spammed 6,362,167 messages (as seen in the CBL data), while KOCNET spammed 28,937,997 in September, which beats TTNET's maximum messages in a month, set in July 2011.

-jsq

Global Crossing spammed the most from the U.S. in September 2012 SpamRankings.net!

Bar chart: September 2012 U.S. SpamRankings.net from CBL Volume

Winner and new champion: Global Crossing's AS 3549 GBLX! GBLX won the September 2012 SpamRankings.net with almost half of all the spam from the top 10 seen in the CBL data and more than a third seen from PSBL. What accounts for this surge of U.S. spammy ASNs?

Top 10 botnets for top 10 ASNs, U.S., Sep 2012, SpamRankings.net

Pie chart: September 2012 U.S. SpamRankings.net from CBL Volume

Yep, it's Festi for #1 GBLX, #2 AS 17184 ATL-CBEYOND, #3 AS 7018 ATT-INTERNET4, #8 AS 7385 INTEGRATELECOM and #10 AS 1239 SPRINTLINK. Congratulations AT&T for making the list! Well, not really congratulations, since it means you let a lot of outbound spam out.

However, it’s Lethic for #4 AS 8047 GCI, #5 AS 22258 COMCAST-22258, and #6 AS 20115 CHARTER-NET-HKY-NC.

Line chart: September 2012 U.S. SpamRankings.net from CBL Volume

AS 3549 GBLX may have already peaked. AS 19529 RAZOR-PHL went up like a rocket at the end of the month! Will they swap ranks next month? And what is driving RAZOR-PHL to the top? Hint: it's the same thing as for #9 AS 25653 FORTRESSITX. Stay tuned!

-jsq

ISPs, spam, and botnets? a case in Finland

In Finland, some ISPs proactively detect spamming botnets and do something about it.

A small company that does computer maintenance, HS-Works Oy, located in Helsinki, Finland, received a computer from a customer that needed to be fixed because it was running slow. HS-Works personnel hooked the malfunctioning computer up to the company's switch so that it had Internet access and so they could control it over their LAN.

After the computer had been connected through the LAN to the Internet for a while, the local ISP (Sonera) noticed that a host at HS-Works was connecting to a known botnet and behaving in a possibly malicious way. So what did the ISP do?

The response was blunt: they cut off the Internet connection for HS-Works and informed the company by SMS that there had been illicit or malicious connections originating from their IP address and that the connection would remain closed until the problem was solved. All web traffic was redirected to the ISP's "Access blocked" page, which offers a link to a free 30-day trial of the Sonera Internet Security package (F-Secure software branded under the Sonera name).

Network access would be restored after the infected host was fixed or removed from the network. The company tightened its firewall rules and got Internet access back the same day.

How about Finland's ranking in spam listings in general, and the spam policies of the other big Finnish ISPs? Stay tuned; more on these in the next post!

-Sami Sainio

Data storage issues in SpamRankings.net

Data storage issues led to the loss of some incoming data for the September 2012 SpamRankings.net. Interestingly, the results seem almost normal anyway. Here is some speculation on why that can be.

Look just under any rankings chart for September 2012 and you’ll see this notice:

CBL dropouts 8,11 September 2012 were on our end.
PSBL data is unusable 4-15 Sep 2012 due to problems on our end.
September 2012 World All SpamRankings.net from CBL Volume

Rank (prev.)  ASN                       Country
1 (2)         AS 9829 BSNL-NIB          India (IN)
2 (1)         AS 25019 SAUDINETSTC-AS   Saudi Arabia (SA)
3 (5)         AS 6147 SAA               Peru (PE)
4 (3)         AS 8386 KOCNET            Turkey (TR)
5 (4)         AS 7643 VNPT-AS-VN        Vietnam (VN)
6 (-)         AS 9050 ROMTELECOM        Romania (RO)

The source of the problem was embarrassingly simple and easily fixed: not enough inodes. The CBL and PSBL data were affected differently because they arrive differently. From CBL we pick up daily a single text summary table with one line per IP address. From PSBL we get an NNTP feed of spam messages, each stored in its own file, which we boil down to a summary. So for CBL we either got the whole file (most days of the month) or didn't store it at all (8 and 11 September). For PSBL, once the inodes ran out, each incoming message was either stored or it wasn't, which is why there are days with PSBL data between 4 and 15 September but with lower volume than usual. The notice below the chart is dire because we prefer to be conservative about these things.
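The two failure modes described above (a whole daily table missing versus a per-message feed silently thinned out) are worth checking for mechanically before a monthly ranking is published. The following is an added example, not SpamRankings.net code: it parses a constructed CBL-style per-IP summary, rolls the counts up to ASNs with a longest-prefix match against a constructed (hypothetical) prefix table, and flags both days whose file never arrived and days whose stored volume is implausibly low compared with the rest of the month. The file format, the prefix table and the half-of-median threshold are all assumptions for illustration.

```python
"""Roll a CBL-style per-IP spam summary up to ASN rankings and flag suspect days.

Added example with constructed data; not SpamRankings.net's own pipeline.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed prefix-to-ASN table using documentation ranges (hypothetical,
# not a real BGP snapshot).
PREFIX_TO_ASN = {
    "203.0.113.0/25": "AS64496 EXAMPLE-A",
    "203.0.113.128/25": "AS64497 EXAMPLE-B",
    "198.51.100.0/24": "AS64498 EXAMPLE-C",
}
# Most specific prefix first so the first hit is the longest match.
_PREFIXES = sorted(
    ((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_ASN.items()),
    key=lambda t: t[0].prefixlen, reverse=True,
)


def asn_for(ip: str) -> Optional[str]:
    """Longest-prefix match of an IP address into the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _PREFIXES:
        if addr in net:
            return asn
    return None


def parse_cbl_summary(text: str) -> Dict[str, int]:
    """Parse 'ip<whitespace>count' lines (assumed format).

    Blank lines and '#' comments are skipped; malformed lines are ignored
    rather than aborting the whole day, and repeated IPs are summed.
    """
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        counts[parts[0]] = counts.get(parts[0], 0) + int(parts[1])
    return counts


def rank_asns(days: Dict[str, Optional[str]]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Aggregate a month of daily summaries into an ASN ranking.

    `days` maps YYYY-MM-DD to the raw summary text, or None when no file was
    stored for that day (the all-or-nothing CBL failure mode). Returns the
    ranking as (asn, total) pairs, highest first, and the sorted list of days
    that should carry a data-quality notice.
    """
    totals: Dict[str, int] = defaultdict(int)
    daily_volume: Dict[str, int] = {}
    flagged: List[str] = []
    for day, text in sorted(days.items()):
        if text is None:
            flagged.append(day)  # dropout: the day's table never arrived
            continue
        per_ip = parse_cbl_summary(text)
        daily_volume[day] = sum(per_ip.values())
        for ip, n in per_ip.items():
            asn = asn_for(ip)
            if asn:
                totals[asn] += n
    # Partial-day heuristic (the thinned-feed failure mode): flag days whose
    # volume is under half the median of the days that were stored.
    vols = sorted(daily_volume.values())
    if vols:
        median = vols[len(vols) // 2]
        flagged += [d for d, v in daily_volume.items() if v < median / 2]
    ranking = sorted(totals.items(), key=lambda t: t[1], reverse=True)
    return ranking, sorted(set(flagged))


# Constructed sample month: one normal day, one dropout, one day with a
# comment and a malformed line, and one day that is clearly partial.
SAMPLE_DAYS: Dict[str, Optional[str]] = {
    "2012-09-07": "203.0.113.10\t120\n203.0.113.200\t30\n198.51.100.5\t50\n",
    "2012-09-08": None,
    "2012-09-09": "203.0.113.11\t100\n# comment\n203.0.113.201\t40\n"
                  "198.51.100.6\t60\nbad line here\n",
    "2012-09-10": "203.0.113.12\t10\n",
}

if __name__ == "__main__":
    ranking, suspect_days = rank_asns(SAMPLE_DAYS)
    for rank, (asn, total) in enumerate(ranking, 1):
        print(f"{rank} {asn} {total}")
    print("days needing a notice:", ", ".join(suspect_days))
```

The check that would have caught the underlying cause is `df -i`, which reports inode usage; plain `df` only shows block usage and will look healthy while a directory of millions of small message files quietly exhausts the inode table.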

Yet the PSBL rankings show AS 9829 BSNL-NIB #1 worldwide just like

India outspammed the world in September 2012 SpamRankings.net

India's BSNL-NIB beat Saudi Arabia's Saudinetstc for worst spamming organization in the world in the September 2012 SpamRankings.net, pushing India to the top of the world country rankings.

ASNs in Saudi Arabia, Turkey and Vietnam got better, but India, Peru and Romania picked up the slack. Is this more Festi festering in new ASNs in new countries? Stay tuned!

-jsq

No Festi dip in LACNIC, July 2012 SpamRankings.net

There was a dip in volume from the top 20 Festi-infested ASNs starting about 15 July 2012, bottoming out 21 July 2012, except one region’s ASNs did not dip.

Festi top 20

The three Latin American ASNs in the Festi botnet top 20 spammers did not dip:

Those are the only three LACNIC ASNs in the top 20 ASNs for Festi. Perhaps NIC policies matter? Or is it something in regional or national infosec policies? It could still be national infosec policies, but then why were all the other big Brazilian ASNs not Festi-infested?

But wait! Two others also did not dip:


Terms of Service rankings

Here’s another reputational rankings initiative, about something we all encounter whenever we use a new service on the web.

According to Terms of Service; Didn’t Read (TOS;DR),

“I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that.

We are a user rights initiative to rate and label website terms & privacy policies, from very good Class A to very bad Class E

They've got a bit of press, such as on Lifehacker Australia and this piece by Jason Gilbert on Huffington Post, 10 August 2012, ToS;DR Explains Those Ridiculous Terms Of Service You Agreed To:

Quick: If the government asks Facebook for information from your account, does Facebook have to inform you of the request? If you delete your Twitter account, does Twitter still own the content of your tweets? Can Google appropriate your content for use on its other services without notifying you or asking your permission?

You probably don’t know the answer to these three questions off the top of your head, but you did claim to know the answers when you agreed to the respective Terms of Service (ToS) agreements upon signing up for these three popular websites. Facebook doesn’t have to inform you of government requests; Twitter will own your tweets after you deactivate; Google can use any of your content; and you signed off on all three by consenting to the ToS.

The article also gets to the main point:


Reputation as Public Policy for Internet Security @ TPRC 2012

Saturday I presented Reputation as Public Policy for Internet Security at the 40th Telecommunications Policy Research Conference (TPRC), hosted by George Mason University School of Law, Arlington, VA. Attendees seemed to appreciate our efforts to deal with heteroskedasticity using a wild cluster bootstrap-t procedure. The presentation, along with the abstract and the paper, is available from the SpamRankings.net website.

Blog readers will notice that the TPRC presentation excerpted Grum botnet is staging a comeback and extended Festi botnet infesting the world, July 2012, as well as drawing on the numerous medical posts, while attempting to pull that and other material together in aid of motivating and describing the intended field experiments and their potential policy implications. As Prof. Andrew B. Whinston said to Network World a couple of months ago:

We’re not trying to solve the spam issue. We’re trying to deal with the broader issue of whether companies should publicly report security issues.

-jsq

Festi in the rest of the top Turkish 7 SpamRankings.net 2012-08 CBL data

We've already looked at TTNET, which pushed Turkey to the top of the spamming world in July 2012, and KOCNET, which did the same in August. What about other Turkish ASNs? The next five are AS 12735 ASTURKNET, AS 12978 DOGAN-ONLINE, AS 16135 TURKCELL, AS 29179 KIBRISONLINE-AS, and AS 8517 ULAKNET, in the August SpamRankings.net from both CBL and PSBL data. You guessed it: they're all infested with the Festi botnet, too.

Festi Turkish top 7-2 June-August 2012 SpamRankings.net CBL data
Graph by John S. Quarterman for SpamRankings.net.

-jsq