Category Archives: SpamRankings.net

Medical churn in December 2012 SpamRankings.net

Good (Konkuk), improving (Cornell), and bad (eHealth) in the December 2012 country medical SpamRankings.net.

First the good news: Konkuk University Hospital went from 297 spam messages last month to zero in December 2012, removing Korea from the country medical rankings. Children’s Hospital & Health System and THE GOOD SAMARITAN HOSPITAL OF LEBANON PENNSYLVANIA also went to zero, and Yale-New Haven Health Services Corporation and Sutter Health dropped enough to fall out of the world top 10 medical ASNs emitting spam in SpamRankings.net.

Now the apparently bad news that turned good.

A Field Quasi-Experiment @ ICIS 2012

Project participant Qian Tang presented at ICIS 2012 in Orlando, FL, 14 December 2012, a paper about comparisons of eight countries, in pairs, one of each pair ranked on SpamRankings.net and the other not. Statistical results indicate the rankings changed organizational spamming behavior.

Qian Tang, Leigh Linden, John S. Quarterman, and Andrew Whinston, Reputation as Public Policy for Internet Security: A Field Quasi-Experiment,

Abstract: Cybersecurity is a national priority in this big data era. Because of the lack of incentives and the existence of negative externality, companies often underinvest in addressing security risks and accidents, despite government and industry recommendations. In the present article, we propose a method that utilizes reputation through information disclosure to motivate companies to behave pro-socially, improving their Internet security. Using outbound spam as a proxy for Internet security, we conducted a quasi-experimental field study for eight countries through SpamRankings.net. This outgoing-spam-based study shows that information disclosure on outgoing spam can help reduce outgoing spam, approximately by 16 percent. This finding suggests that information disclosure can be leveraged to encourage companies to reduce security threats. It also provides support for public policies that require mandatory reporting from organizations and offers implications for evaluating and executing such policies.

What is ICIS 2012?

Vital Turkey, November 2012 SpamRankings.net

Even while spamming a lot less, AS 44565 VITAL still placed #1 again for spewing spam from Turkey in the November 2012 SpamRankings.net from CBL data. Even as Vital got a handle on its Kelihos problem, AS 8386 KOCNET improved twice. Maybe KOCNET is finally getting a grip on its Festi problem. KOCNET’s peak of 0.8 million messages in November is a lot less than its peak of 1.3 million in September, although still far too many.

-jsq

OVH: Kelihos or darkmailer? November 2012 SpamRankings.net

OVH won again, more than doubling its spam spew of last month! This is in the November 2012 SpamRankings.net from CBL data. Is that 407,726,779 spam messages in a single month a record? Last month it was Kelihos. This month it looks like darkmailer.

-jsq

Turkey and Kelihos botnet rampage, October 2012 SpamRankings.net

Turkey, like Belgium, Canada, U.S., and the world, has a Kelihos rampage problem in SpamRankings.net from CBL data for October 2012.

New Turkish #1 spammer AS 44565 VITAL TEKNOLOJI shows all the signs: rapidly increasing spamming and both Maazben and Kelihos botnets.

AS 44565 VITAL TEKNOLOJI

The other new Turkish top 10 ASNs, AS 42868 NIOBE, AS 44922 MEDYABIM-AS, AS 12599 ATLAS-AS, AS 49632 DATATELEKOM, and AS 12987 OMURGA, all show lesser but still distinctive signs of the Kelihos rampage, namely Maazben botnet plus other unknown botnets. They all also only surged for a week or two, while Vital continued upwards.

-jsq

Belgium has a Kelihos problem in October 2012 SpamRankings.net

Belgium has a Kelihos problem in SpamRankings.net from CBL data for October 2012. #1 Mobistar’s AS 12493 and #2 Telenet’s AS 6848 were spewing spam from Kelihos, pushing all the other ASNs down the rankings. Kelihos rampage: it’s not just for North America!

Belgium top botnets October 2012 SpamRankings.net

A few other botnets have a bit of Kelihos, but only the top 2 for Belgium are part of the Kelihos rampage. (Newcomer AS 9031 EDPNET has a Cutwail problem.)

-jsq

Canada and Kelihos in October 2012 SpamRankings.net

The Canadian top 10 were half the same as last month and half due to Kelihos in the SpamRankings.net from CBL data for October 2012. Canadian #1 iWeb (CBL; #10 PSBL) made it into the world CBL top 10 because of Kelihos. The rankings from PSBL data were much closer to the CBL ones for Canada than was the case for the U.S. or for the world.

In this logarithmic chart you can see #3 AS 6327 SHAW, #7 AS 577 BACOM, #9 AS 855 CANET-ASN-4, and #10 AS 6407 PRIMUS-AS6407, the only Canadian ASNs that improved their CBL rank for October, going almost straight across the middle, decreasing towards the end of the month.

top 10 logarithmic Canada October 2012 CBL SpamRankings.net

Three of those relatively static four also were infested with Kelihos. (The fourth, AS 6407 Primus, had a Lethic problem.)

Static 4 Canada October 2012 CBL SpamRankings.net

While 25,000 spam messages a day, as seen by CBL for AS 6327 Shaw, is quite a sneeze, it’s not much

Kelihos and Maazben botnets in U.S. October 2012 SpamRankings.net

We’ve seen that botnets Kelihos and Maazben account for most of the spam seen from the entirely-new worldwide top 10 in the October 2012 Kelihos rampage. What about a specific country? The U.S. top 10 SpamRankings.net are also entirely new (since last month): are all those U.S. ASNs ranked like that because of the Kelihos rampage? Two clues indicate yes: the shapes of the U.S. curves are very similar to those of the worldwide rankings, and the U.S. top 3 are in the worldwide top 10. But what about the rest of the U.S. top 10? Let’s drill down to botnets in U.S. October 2012 SpamRankings.net from CBL data:

Botnets in U.S. October 2012 SpamRankings.net from CBL data

We can see 9 out of the U.S. top 10 are there mostly because of Maazben or Kelihos, often alternating for the same ASN, in the same pattern as for the worldwide top 10. So yes, 9 are in the U.S. top 10 because of the Kelihos rampage.

The one exception is

Why no Kelihos rampage in PSBL October 2012 SpamRankings.net?

Why do the rankings from PSBL data not look much like the October 2012 rankings from CBL data in SpamRankings.net? Apparently because PSBL does not use the heuristic that CBL uses that catches the few IP addresses that are spewing hundreds of thousands or millions of spam messages a day. Is this lack of correspondence between the CBL and PSBL rankings a problem?

What would be the point of having multiple rankings if they always showed the same results? But these are very different results: none of the CBL top 10 show up in the PSBL top 10! How can both the PSBL and CBL rankings be correct?

  1. First, “correct” for such rankings does not mean completely accurate and it does not mean completely precise: no blocklist will ever detect every spam message emitted by every IP address. Suppose even mighty NSA (No Such Agency) were to copy every bit that passed over every major ISP in the U.S. Even that would miss some bits emitted by for example an ISP in Vietnam that spammed an ISP in India. And what heuristics would mighty NSA use to detect all the spam from all those bits? Would those heuristics happen to include the same one CBL is using to detect the Kelihos rampage? Would they include some further heuristic of which CBL has not yet thought that would detect some other rampage? Quite possibly yes and yes. Any rankings of anything on the Internet are always approximate records of hints and whispers of a constantly-shifting reality that can never be completely pinned down.
  2. Second, correct for rankings means comparable among the ASNs ranked, so that they can be ranked. In that sense, yes, both the PSBL and CBL rankings are correct: they merely show different aspects of the spam symptom of defective infosec for the ranked ASNs.
  3. Third, any systematically ranked symptom of poor infosec is important. Does any organization want any of its hosts to be spewing hundreds of thousands of spam messages a day, as in those ASNs in the CBL top 10? Does any organization want any of its hosts to be spewing enough spam in aggregate to turn up in the PSBL top 10? Probably not.

Besides, actually the CBL data does corroborate the PSBL data, when viewed in another set of rankings.

Kelihos and Maazben botnets in October 2012 SpamRankings.net

Let's look at the botnets associated with the Kelihos rampage in the October 2012 SpamRankings.net. Two botnets turn up the most: Maazben and Kelihos. Why call it the Kelihos rampage, then?

World Top 10 and botnets

Because CBL's detection of each botnet depends on numerous continually-evolving heuristics, and in this case the same one is being triggered for both Maazben and Kelihos, and CBL thinks that particular heuristic is more characteristic of Kelihos.

The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems:
