Category Archives: Research

Grum down, but… 1 June 2012 – 30 July 2012, SpamRankings.net

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown took down the command and control nodes, presumably leaving the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs

Grum botnet and its top 10 ASNs
Graph by John S. Quarterman for SpamRankings.net.

The updated Top 10 Botnets graph has good news and bad news:

Continue reading

Spam from Microsoft’s AS 8075 April 2011-June 2012

As we’ve seen, Microsoft’s AS 8075 is back on top in the June 2012 SpamRankings.net from PSBL data. Actually, AS 8075 is a chronic offender, having been #1 numerous times, often placing in the top 10, and (we can see in internal data) never going below #38:

2011
Apr		MayJunJulAugSepOctNovDec2012
Jan		FebMarAprMayJun
1123410373738821121

Also, CBL does often see spam from AS 8075 at the same time PSBL does, even though CBL has never seen enough spam from that ASN for it to place in the U.S. top 10 from CBL data.

Volume data from PSBL and CBL graphed by SpamRankings.net

Volume data from PSBL and CBL aggregated and interpreted by SpamRankings.net
Graph by John S. Quarterman for SpamRankings.net.

That’s a pretty dense graph, and internally it’s interactive for easy interpretation, but the dark purple line is PSBL volume and the lines with dots are various botnets and the like detected for AS 8075 by CBL. We can drill down to which IP addresses are producing the spam indicated by such rankings and graphs.

The main point is even mighty Microsoft often emits spam. Any big corporation is likely to have similar problems, because, like in the case of medical organizations, they’re likely to have some employees who will fall for phishing or other exploits. Even the most Internet-security-savvy organization can’t catch them all. SpamRankings.net can help with that, both by providing incentive (do you want your organization to be at the top of the rankings?) and by providing drilldowns to help localize the problem (so you can fix it and brag about dropping off the rankings).

-jsq

Grum and other botnets, 1 June 2012 – 19 July 2012, SpamRankings.net

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, Huge spam botnet Grum is taken out by security researchers: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for SpamRankings.net from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don’t really see Continue reading

Microsoft back on top in June SpamRankings.net

1 (2) AS 8075 MICROSOFT-CORP—MSN-AS-BLOCK
2 (1) AS 36692 OPENDNS
3 (-) AS 26769 BANDCON
4 (-) AS 22414 CRAIGS-NET-1
5 (-) AS 22822 LLNW
6 (-) AS 10912 INTERNAP-BLK

Beating even OPENDNS, Microsoft took #1 in U.S. PSBL June 2012 rankings.

Microsoft was last on top in the same rankings for April 2012. I thought Microsoft was a leader in Internet security?

In other news, Bell Canada’s AS 577 BACOM actually dropping off the Canadian June 2012 rankings from CBL data. Shaw took #1 and Iweb dropped to #2.

We have a new medical winner! It’s Hartford Hospital’s AS 11047 HHCC-ASN1. Gaining altitude at the end of the month was Joan and Sanford I. Weill Medical College and Graduate School of Medical Sciences of Cornell University with AS 20252 JSIWMC.

More on those and other developments in later blog posts.

-jsq

 

Almost… FortressITX zero spam for one day then up in SpamRankings.net

AS 25653 FortressITX went to zero for one day, 15 May, in the May 2012  U.S. SpamRankings.net, but bounded back up to more than 294,000 spam messages a day a week later, placing #6 for the month as a whole.

This was the second time FortressITX made the U.S. top 10. It had been #9 in March, but had dropped out of the April 2012 U.S. rankings. And yes, it’s snowshoe spam. That ASN does show a few other problems, also not botnets.

-jsq

Cleveland Clinic wins one way, then another, in SpamRankings.net

1(4)AS 22093 CCF-NETWORKUnited States US
2(-)AS 27609 USC-UNIVERSITY-HOSPITALUnited States US
3(1)AS 25611 NSLIJHSUnited States US
4(-)AS 19335 APRIA-HEALTHCAREUnited States US
5(2)AS 9208 WINBelgium BE
6(7)AS 122 U-PGH-NET-ASUnited States US
Cleveland Clinic took #1 in the May 2012 worldwide medical SpamRankings.net. So Cleveland Clinic’s AS 22093 won the worldwide medical rankings by spamming the most of any medical organization worldwide, as found in CBL blocklist data. Boo Cleveland Clinic!

Yet AS 22093 CCF-NETWORK dropped like a rock on 7 May 2012, going to zero the next day, and staying there. So Cleveland Clinic also was most improved for May 2012 medical organizations. Congratulations, Cleveland Clinic!

This feat of IT security cleanliness shouldn’t have been hard for CCF, since AS 22093 CCF-NETWORK seems to have had a Lethic problem, which CBL saw on no more than 3 hosts. Sure, there could have been more hosts infected than that, and CBL just might not have seen them all. But 3 is far smaller than what CBL sees for a typical botnet infection, so the number of infected hosts probably was quite small. Which means it should have been easy for CCF to find them all and fix them.

Hm, maybe being #4 last month gave CCF some incentive?

-jsq

Canada, land of spam plateaus on SpamRankings.net

Snowshoe spam took #1 in Canada again, through AS 32613 IWEB-AS, on the May 2012 SpamRankings.net. That was the first week of a spam plateau per ASN. The next week saw a platau for AS 33139 CANACA-210. And the next week it was AS 6407 PRIMUS. Canada, land of spam plateaus! Does this mean spammers are shifting from ASN to ASN for successive weeks of spam campaigns?

The old-time winners, AS 6327 SHAW and AS 577 BACOM, kept spamming away, and came in #2 and #6 again. That’s in the rankings from CBL data. In rankings from PSBL data, IWEB, SHAW, and BACOM were #1, #2, and #3.

We actually saw less spam in May (CBL data) from Bell Canada’s BACOM than for any month since March 2011, the first month of rankings for SpamRankings.net. Congratulations Bell Canada!

The rest of the top six were upstarts, not much seen until recently. Iweb did make a bid for the top back in September 2011, but its recent predominance dates only from February of this year.

-jsq

SuperOnline dropped off May 2012 Turkey top 10 SpamRankings.net

Congratulations to Turkcell SuperOnline‘s AS 34104 GLOBAL 64,658 for dropping off of the top 10 spamming ASN’s for Turkey in the May 2012 SpamRankings.net!

It was replaced in the Turkish top 10 by academic network ULAKNET‘s AS 8517, which had previously dropped off the April rankings.

Perpetual winner and still champion for spewing spam from Turkey is TTNET‘s AS 9121, accounting for almost 3/4 of all spam seen from Turkey seen by CBL. SpamRankings.net saw about the same proportion of Turkish spam coming from TTNET in data from PSBL.

-jsq

Stone Internet Services’ AS 39234 dropped like a rock in May 2012 SpamRankings.net

Some good news for Belgium! Stone Internet Services’ AS 39234 decreased spamming by 95% in May 2012, dropping from 8,212 on May Day to 321 on 28 May.

In the other direction, Brutele’s AS 12392 went from 2,220 on 3 May to 6,207 on 30 May, an increase of 279%.

And Uganda Telecom’s AS 21491 started up like a rocket at the end of the month, going from 1,046 on 26 May to 4,213 on 31 May, a 300% increase.

Now all these numbers are just samples by CBL, hints and whispers of the total amount of spam flying around the net. But when the curves move that fast, usually something is going on.

-jsq

CDM snowshoes to the top of the world in May 2012 SpamRankings.net

In addition to snowshoe spam taking 7 of the top 10 U.S. SpamRankings.net for May 2012, one of the snowshoe spamming companies, CDM, outspammed every other organization in the world! CDM’s AS 6428 outspammed even chronic world winner Vietnam PT.

In this graph, you can see CDM leap up from zero in March to 15.7 million spam messages in April and 48.8 million in May, and of course that’s just the messages caught by a few spamtraps.

The same spamtraps never saw more than 56 hosts sending all those messages. That was on 11 May 2012, when they saw 1,989,762 spam messages, for a ratio of 35,531 spam messages per sending host. That’s not exactly the old botnet low-and-slow technique. Snowshoe spam: it’s already in prime time!

And remember, CDM is not a hosting center: it’s an ISP. CDM continues to illustrate that snowshoe spam is no longer confined to the traditional profile of infesting hosting centers.

-jsq