Category Archives: spam

Relizon from nowhere to #3 for Canada in May SpamRankings.net

Relizon Canada Inc.’s AS 40034 RELIZON-CDN jumped from #134 to #3 in the May 2013 SpamRankings.net for Canada All from CBL data. On May Day CBL saw 1 spam message from AS 40034 and more than 3 million on May 31.

Relizon was not visible in the May Canada rankings from PSBL data, although internally we do see AS 40034 going from #208 to #109 by going from 11 spam messages in April to 26 in May. CBL’s heuristics or spam traps or both were apparently much better at detecting this particular spam source.

Relizon’s own website doesn’t seem to be responding at the moment, but Bloomberg Businessweek says they do business process outsourcing solutions, and were formerly known as Crain-Drummond Inc., with the name change coming on acquisition by the Carlyle Group.

-jsq

Canada’s Hospital for Sick Kids stopped spamming

Canada’s The Hospital for Sick Children AS 46626 SICKKIDS-AS-01 dropped out of the May 2013 SpamRankings.net for world medical organizations from CBL data. In April they ranked #1 with 21,912 spam messages, and in May they dropped to #27 with only 28 messages. In April they really only spammed for one week, as you can see in the big spike in the graph. Of course, the hospital itself probably didn’t knowingly send the spam; usually they’ve been compromised by botnets or phishing or some other breach, but hospital patients and other customers won’t necessarily know that if they receive some of it. And if their security is lax enough to let in things that emit spam, what else has been compromised? This is why hospitals are quick to squelch outgoing spam and fix the underlying security problems.

-jsq

Zerofail from nowhere to #2 in April and May 2013 SpamRankings.net for Canada

Zerofail’s AS 40191 AS-PRE2POST-1 jumped from 5 per day on April 1st to more than a million spam messages on many days in April, and from 413 total in March to almost 22 million in April. That made it #2 in the April 2013 SpamRankings.net for Canada from CBL data, and Zerofail kept second place in May with more than 18 million spam messages. This AS actually sent proportionally more of the top 10 spam from Canada in May than in April because #1 iWeb’s AS 32613 sent a lot less in May. Where does all this Zerofail spam come from?

AS 40191 has six netblocks currently assigned, of which the netblock 173.246.64.0/19 is producing almost all of the spam seen from AS 40191.

-jsq

Medyabim most worsened in Turkey in May SpamRankings.net

Medyabim Internet Services popped into the Turkish top 10 SpamRankings.net for May 2013, hopping up from #81 to #5. This happened starting about 23 May 2013, probably coincidentally about the same time as the disturbances around Taksim Square in Istanbul.

Previous chronic Turkish spam winner TTNET 9121 made it back to the top, and this time TTNET placed twice, with AS 47331 as #6. Together the two TTNET ASNs sent 49.26% of top 10 Turkish spam for May 2013.

AS 43391 NETDIREKT-TR and AS 42926 RADORETELEKOM battled through the whole month for spots #2 and #3.

In better news, Tamer Gigabitweb Turkey and DorukNet IstanbulTurkey dropped out of the Turkish top 10.

Also new this month are v2 rankings back to January 2013.

-jsq

Spam worming up rapidly –McAfee

McAfee PR of today, McAfee Quarterly Threat Report Sees Social Media Worm Resurgence as Spam Rises Dramatically: Targeted Attacks Continue Rise; “Pump and Dump” Returns with Record Stock Market Highs

McAfee Labs today released the McAfee Threats Report: First Quarter 2013, which reported a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam. McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).

McAfee Labs found almost three times as many samples of Koobface as were seen in Continue reading

Comcast’s AS 7015 and AS 7922

Comcast shows some of the biggest differences between Version 2 and the old version 1 of SpamRankings.net for April 2013. Comcast is in the U.S. top 10 either way, but with different Autonomous Systems: AS 7922 is #3 in v2 while AS 7015 of Comcast Cable Communications Holdings Inc is #8 in v1 and doesn’t even appear in the v2 top 250.

netblocks assigned   AS 7015   AS 7922
v2 rank              -         #3
v1 rank              #8        #107
current              177       234
previous             106       127
persistent           104       107
added                73        127
removed              2         20

Interesting tidbit from Bloomberg Business Week about Comcast Cable Communications Holdings Inc: Continue reading

Why more spam seen for OVH with v2 rankings than v1?

OVH Systems’ AS 16276 is #1 in the April 2013 SpamRankings.net worldwide from CBL data with 631,539,742 spam messages seen according to the new Version 2 of SpamRankings.net, while the same ASN is #3 in the old version 1 rankings with 363,884,989 spam messages seen. Why the difference?

The difference is because Version 2 finds more netblocks assigned to AS 16276. Specifically:

72 netblocks currently assigned
27 netblocks previously assigned
14 netblocks are persistent
58 netblocks have been added
13 netblocks have been removed

Many more netblocks were found for AS 16276 only by Version 2 than were found only by Version 1. So the difference in the amount of spam presumably comes from those added netblocks. Yes, we can drill down and see, and we may do that later.

-jsq
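
The drill-down described above, sketched as an added example (not SpamRankings.net's own code): it classifies netblocks into the same persistent/added/removed categories used in the OVH and Comcast counts and attributes per-IP spam volume to each category, using the most specific matching netblock when blocks overlap. It assumes "previous" is the v1 mapping and "current" is the v2 mapping; the netblocks and counts are constructed sample data.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real assignments).
V1_BLOCKS = ["192.0.2.0/25", "198.51.100.0/24"]                    # assumed "previous"
V2_BLOCKS = ["192.0.2.0/25", "192.0.2.128/25", "203.0.113.0/24"]   # assumed "current"
SPAM_COUNTS = {            # per-IP spam message counts, constructed
    "192.0.2.10": 100,     # in a persistent netblock
    "192.0.2.200": 250,    # in an added netblock
    "203.0.113.5": 400,    # in an added netblock
    "198.51.100.7": 30,    # in a removed netblock
    "10.0.0.1": 5,         # not mapped to this AS at all
}

def compare_netblocks(previous, current):
    """Split netblocks into persistent, added and removed sets."""
    prev = {ipaddress.ip_network(n) for n in previous}
    curr = {ipaddress.ip_network(n) for n in current}
    return {"persistent": curr & prev, "added": curr - prev, "removed": prev - curr}

def spam_by_category(diff, spam_counts):
    """Sum spam counts per category, matching each IP to its most specific netblock."""
    labelled = [(net, cat) for cat, nets in diff.items() for net in nets]
    totals = {cat: 0 for cat in diff}
    totals["unmapped"] = 0
    for ip_text, count in spam_counts.items():
        ip = ipaddress.ip_address(ip_text)
        # Longest prefix wins, so a newly added /25 inside a persistent /24
        # is credited to "added" rather than "persistent".
        matches = [(net.prefixlen, cat) for net, cat in labelled if ip in net]
        cat = max(matches)[1] if matches else "unmapped"
        totals[cat] += count
    return totals

if __name__ == "__main__":
    diff = compare_netblocks(V1_BLOCKS, V2_BLOCKS)
    for cat, nets in diff.items():
        print(cat, sorted(str(n) for n in nets))
    print(spam_by_category(diff, SPAM_COUNTS))
```
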

Version 2 of SpamRankings.net

The April 2013 rankings include version 2 of the volume compilation method, with precise counts, resulting in slightly different ranking orders.

Top 3, April 2013 World SpamRankings.net from CBL data

For example, OVH, Hanaro, and Strato are the top three in both v1 and v2, but in a different order, in the April 2013 SpamRankings.net worldwide from CBL data.

Initially, we are only publishing v2 for March and April 2013. In a few weeks we will publish the rest of the historical v2 rankings back to match the same months as the v1 rankings. Old v1 rankings will be kept online indefinitely for comparison, but all new rankings will be v2.

-jsq

Adeox or Tamer

Here’s why we didn’t list a website for AS 42055 TAMER in the March SpamRankings.net for Turkey from CBL data. Various Autonomous System analysis sites, such as TCPIPUtils.com, list numerous domains for this AS: which domain is the main one? Hurricane Electric provides a graphical representation of which other ASNs route to AS 42055, and RobTex provides a graph with AS names as well as numbers. And RobTex provides a couple of clues:

WARNING! 1% (1/100) of the sites on ADEOX Dummy description for (as42055) is pornographic or otherwise sensitive content!

The first clue is that the main organizational name may be Adeox. The second clue is the content warning.

Google warns everyone away:

Continue reading

Anti-Spam Blocklists DDoSed Down

At least three anti-spam blocklists were taken down this week by Distributed Denial of Service (DDoS) attacks: Spamhaus, CBL, and APEWS. The first two are back up; the third is not.

The Composite Blocking List (CBL) currently has this at the top of its home page:

Important Information on Spamhaus/CBL DDOS

Commencing March 19 the CBL was hit by a very large-scale distributed denial of service attack. At the time of writing (March 21, 00:15 UTC) this attack is still ongoing.

Throughout this period the CBL DNSBL has continued to remain available through the CBL mirrors and via Spamhaus XBL (and Zen), and we’ve been doing our utmost to restore the rest.

Access to the lookup/removal page has just been restored.

The CBL rsync facility has been restored.

Email to the CBL is not working yet.

We ask for your patience while we finish restoring the rest of the CBL to service.

SpamRankings.net is receiving CBL data normally again, although yesterday’s is lost.

We never saw any interruption in data from the Passive Spam Block List (PSBL).

Spamhaus says it got a 75Gbps DDoS attack, according to Liam Tung with CSO Online (Australia) today:

Continue reading