What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:

Left Axis: Total Ogee volume (spam messages); Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all of these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested ASNs from the U.S. top 10 described previously are also in there, except AS 7796 ATMLINK and AS 13768 PEER1.

Did the February 2012 spam surge come from one botnet?

SpamRankings.net saw a huge surge in spam from some U.S. ASNs, mostly from ones that hadn’t even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?

Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table on the right and shown in the chart below:

AS 21788 NOC
AS 33055 BCC-65-182-96-0-PHX
AS 15149 EZZI-101-BGP
AS 13768 PEER1

Left Axis: ASN volume (spam messages); Right Axis: Botnet volume (dotted curves)

The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.
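The two measurements the posts above rely on, correlating an ASN's daily spam volume with the botnet's ramp-up and then checking whether the ASN cut off the spam or kept going, can be scripted. The following is an added example, not code from SpamRankings.net; the daily counts, the control ASN (documentation ASN 64496) and the thresholds are constructed for illustration.

```python
"""Correlate per-ASN daily spam volume with a botnet's volume and classify each ASN's response."""
from math import sqrt

# Constructed daily counts for 17-24 Feb 2012 (hypothetical sample data, not SpamRankings.net figures)
OGEE_VOLUME = [0, 0, 400, 900, 1200, 1100, 1000, 950]
ASN_VOLUME = {
    "AS 21788 NOC": [5, 5, 300, 700, 900, 850, 800, 760],                    # tracks Ogee, keeps spamming
    "AS 33055 BCC-65-182-96-0-PHX": [2, 3, 150, 400, 30, 10, 5, 4],          # surges with Ogee, then cut off
    "AS 64496 CONTROL (hypothetical)": [100, 95, 105, 98, 102, 99, 101, 97],  # steady background, unrelated
}
ONSET_DAYS = 4  # days in which the botnet ramps up from zero


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either series is constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def onset_correlation(asn_volume, botnet, onset_days=ONSET_DAYS):
    """Correlate over the ramp-up only, so an ASN that cleans up afterwards still shows the infection."""
    return {asn: pearson(v[:onset_days], botnet[:onset_days]) for asn, v in asn_volume.items()}


def classify_response(volume, tail_days=3, resilient_frac=0.25, susceptible_frac=0.75):
    """Compare the mean of the last tail_days with the peak: resilient ASNs fall well below it, susceptible ones stay near it."""
    peak = max(volume)
    tail = sum(volume[-tail_days:]) / tail_days
    if tail <= resilient_frac * peak:
        return "resilient"
    if tail >= susceptible_frac * peak:
        return "susceptible"
    return "mixed"


def report(asn_volume, botnet, min_corr=0.9):
    """Return {asn: (onset correlation, response)} for ASNs whose onset tracks the botnet at min_corr or above."""
    out = {}
    for asn, r in onset_correlation(asn_volume, botnet).items():
        if r >= min_corr:
            out[asn] = (round(r, 3), classify_response(asn_volume[asn]))
    return out


if __name__ == "__main__":
    for asn, (r, response) in report(ASN_VOLUME, OGEE_VOLUME).items():
        print(f"{asn}: onset correlation {r}, {response}")
```

The control ASN is dropped by the correlation filter before its response is judged, which matters because a steady, uninfected sender also stays "near its peak".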

The Big Drop: medical to zero in SpamRankings.net

A surprise in the July SpamRankings.net rankings: U.S. medical rankings all went to zero by 14 July. World medical rankings went from hundreds and thousands to near zero between 17 and 24 July.

That’s in rankings from CBL data. PSBL shows much less data for medical organizations, yet shows the same effect in both world and U.S. medical rankings.

No other rankings showed such a drop.

Did medical organizations actually clean up their act? Or did they just manage to whitelist their netblocks at CBL and PSBL?

Either way, it looks like they noticed SpamRankings.net.
3FN + FTC = Some Less Spam From Some ASNs

A research project I’m assisting at the University of Texas at Austin notes that:
On Tuesday 2 June 2009, the U.S. Federal Trade Commission (FTC) took legal steps that shut down the web hosting provider Triple Fiber network (3FN.net).

Looking at Autonomous Systems (ASNs) listed in the spam blocklist CBL,

VZ Port 587: Good Try

Back in February, Verizon announced it would start requiring outbound mail go through port 587 instead of port 25 during the next few months. It seemed like a good idea to squelch spam. Most other major ISPs did it. People applauded Verizon for doing it.

Unfortunately, it seems that if it had any effect it was short-lived. Looking at anti-spam blocklists on a daily basis, a couple of Verizon Autonomous Systems (ASes), AS-19262 and AS-701, do show dips in blocklist listings on the blocklist PSBL in March. But they don’t last.

Spammers are very adaptable, partly because the botnets they use are adaptable. Good try, Verizon.

This information is from an NSF-funded academic research project at the University of Texas at Austin business school. Thanks to PSBL for the blocklist data.