Tag Archives: Canada

Canada and Belgium show tandem Kelihos infections in October 2013 SpamRankings.net

Twin Kelihos infections in twin countries! Canada in both CBL and PSBL rankings shows tandem spam volume curves for Bell Canada’s AS577 BACOM and for Shaw Communications AS6327 SHAW. Meanwhile, Belgium in both CBL and PSBL rankings shows tandem curves for Brutele’s AS12392 ASBRUTELE and for Belgacom’s AS5432 BELGACOM-SKYNET-AS. This is not a coincidence, since all four networks show Kelihos infections in the CBL data.

-jsq

Relizon from nowhere to #3 for Canada in May SpamRankings.net

Relizon Canada Inc.’s AS 40034 RELIZON-CDN jumped from #134 to #3 in the May 2013 SpamRankings.net for Canada, all from CBL data. On May Day CBL saw 1 spam message from AS 40034 and more than 3 million on May 31.

Relizon was not visible in the May Canada rankings from PSBL data, although internally we do see AS 40034 going from #208 to #109 by going from 11 spam messages in April to 26 in May. CBL’s heuristics or spam traps or both were apparently much better at detecting this particular spam source.

Relizon’s own website doesn’t seem to be responding at the moment, but Bloomberg Businessweek says they do business process outsourcing solutions, and were formerly known as Crain-Drummond Inc., with the name change coming on acquisition by the Carlyle Group.

-jsq

Canada’s Hospital for Sick Kids stopped spamming

Canada’s The Hospital for Sick Children AS 46626 SICKKIDS-AS-01 dropped out of the May 2013 SpamRankings.net for world medical organizations from CBL data. In April they ranked #1 with 21,912 spam messages, and in May they dropped to #27 with only 28 messages. In April they really only spammed for one week, as you can see in the big spike in the graph. Of course, the hospital itself probably didn’t knowingly send the spam; usually they’ve been compromised by botnets or phishing or some other breach, but hospital patients and other customers won’t necessarily know that if they receive some of it. And if their security is lax enough to let in things that emit spam, what else has been compromised? This is why hospitals are quick to squelch outgoing spam and fix the underlying security problems.

-jsq

Zerofail from nowhere to #2 in April and May 2013 SpamRankings.net for Canada

Zerofail’s AS 40191 AS-PRE2POST-1 jumped from 5 per day on April 1st to more than a million spam messages on many days in April, and from 413 total in March to almost 22 million in April. That made it #2 in the April 2013 SpamRankings.net for Canada from CBL data, and Zerofail kept second place in May with more than 18 million spam messages. This AS actually sent proportionally more of the top 10 spam from Canada in May than in April because #1 iWeb’s AS 32613 sent a lot less in May. Where does all this Zerofail spam come from?

AS 40191 has six netblocks currently assigned, of which the netblock 173.246.64.0/19 is producing almost all of the spam seen from AS 40191.

-jsq

Darkmailer2 month in Canada December 2012 SpamRankings.net

It’s apparently Darkmailer2 month in Canada. One company got a grip on it, and two got much worse, in the December 2012 SpamRankings.net for Canada.

AS 7788 MAGMA-COMM, bought in 2004 by PRIMUS Telecommunications Group, peaked in the second week and then got a grip on its darkmailer2 spamming. AS 11342 PATHWAY really gave AS 32613 IWEB-AS a run for its money; both seem to have a darkmailer2 problem. Pathway went from 2,871 spam messages seen by CBL in November 2012 to 21,593,775 in December 2012: that’s 7,521 times. However, iWeb once again won the spam-spewing month in Canada!

Congratulations to the four dropouts, especially AS 16532 ASB2B2C, which Continue reading

Canada and Kelihos in October 2012 SpamRankings.net

The Canadian top 10 were half the same as last month and half due to Kelihos in the SpamRankings.net from CBL data for October 2012. Canadian #1 iWeb (CBL; #10 PSBL) made it into the world CBL top 10 because of Kelihos. The rankings from PSBL data were much closer to the CBL ones for Canada than was the case for the U.S. or for the world.

In this logarithmic chart you can see #3 AS 6327 SHAW, #7 AS 577 BACOM, #9 AS 855 CANET-ASN-4, and #10 AS 6407 PRIMUS-AS6407, the only Canadian ASNs that improved their CBL rank for October, going almost straight across the middle, decreasing towards the end of the month.

top 10 logarithmic Canada October 2012 CBL SpamRankings.net

Three of those relatively static four also were infested with Kelihos. (The fourth, AS 6407 Primus, had a Lethic problem.)

Static 4 Canada October 2012 CBL SpamRankings.net

While 25,000 spam messages a day, as seen by CBL for AS 6327 Shaw, is quite a sneeze, it’s not much Continue reading

eHealth Ontario tops worldwide medical spammers SpamRankings.net

Joining the festival of the Festi botnet, eHealth Ontario’s AS 21992 SSHA-ONE-ASN made #1 in the July 2012 worldwide medical spam SpamRankings.net from CBL data, the first Canadian organization to do that. The same ASN did make #2 back in November 2011 and #5 in June 2011.

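| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| 2011 |     |     | 9   | 7   | 41  | 5   | 6   | 41  | 6   | 5   | 2   | 7   |
| 2012 | 41  | 43  | 42  | 41  | 41  | 6   | 1   |     |     |     |     |     |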

The blue dotted line indicates spam from Festi, which, as you can see, tracks pretty closely with total spam seen from AS 21992.

eHealth Ontario infested by Festi botnet

Is it a Festi epidemic?

-jsq

Canada, land of spam plateaus on SpamRankings.net

Snowshoe spam took #1 in Canada again, through AS 32613 IWEB-AS, on the May 2012 SpamRankings.net. That was the first week of a spam plateau per ASN. The next week saw a plateau for AS 33139 CANACA-210. And the next week it was AS 6407 PRIMUS. Canada, land of spam plateaus! Does this mean spammers are shifting from ASN to ASN for successive weeks of spam campaigns?

The old-time winners, AS 6327 SHAW and AS 577 BACOM, kept spamming away, and came in #2 and #6 again. That’s in the rankings from CBL data. In rankings from PSBL data, IWEB, SHAW, and BACOM were #1, #2, and #3.

We actually saw less spam in May (CBL data) from Bell Canada’s BACOM than for any month since March 2011, the first month of rankings for SpamRankings.net. Congratulations Bell Canada!

The rest of the top six were upstarts, not much seen until recently. iWeb did make a bid for the top back in September 2011, but its recent predominance dates only from February of this year.

-jsq

Which ASNs showed most Ogee snowshoe spam in March and early April?

Snowshoe spamming begins to look like a rising tide.

Peaking at the end of March 2012, the Ogee snowshoe spam winner is AS 16226 GNAXNET-AS – Global Net Access LLC. GNAXNet actually placed another Autonomous System in the same time frame, AS 3595.

U.S. Brinkster’s AS 33055 BCC-65-182-96-0-PHX finally cleaned up its act and went to zero Ogee volume on 11 April 2012. Canada’s AS 32613 iWeb also went to zero on 23 March 2012.

On the other hand, it looks like a new surge of snowshoe spam is starting mid-April, including some organizations maybe not usually considered hosting companies, such as Cogent’s AS 174.

Meanwhile, Belarus’ AS 6697 BELPAK-AS already went from #7 to #5 worldwide in March, pushing Belarus up from #16 to #12 among countries.

And NOC’s AS 21788 keeps on rolling waves of snowshoe spam.

All these volume numbers and rankings are provisional, especially considering we’re seeing so many ASes and netblocks that were previously not spamming that we’re tuning our database to be sure we’re properly accounting for them all.

Nonetheless, it looks like snowshoe may be a rising spamming strategy.

-jsq

Ogee pushed iWeb and Canada up SpamRankings.net in March 2012

AS 32613 IWEB-AS was far ahead of the Canadian spamming pack in the March 2012 SpamRankings.net. iWeb improved a lot towards the end of the month, but will it stay improved? AS 14366 MTNCABLE plateaued early, dropped, then took first at the end of the month. Could they have the same problem?

Why yes, both iWeb and MTNCABLE appear to be infested by Ogee snowshoe spamming.

This problem is bad enough that Canada rose from country #46 in January to #34 in February and #25 in March. You can’t see that on the countries top 10, like you can for the U.S., which snowshoe spamming pushed to #1 worldwide in March, but internally SpamRankings.net keeps track of rankings of all countries worldwide, and indeed Canada went from #46 in January to #25 in March.

-jsq