Tag Archives: CBL

Relizon from nowhere to #3 for Canada in May SpamRankings.net

Relizon Canada Inc.’s AS 40034 RELIZON-CDN jumped from #134 to #3 in the May 2013 SpamRankings.net for Canada All from CBL data. On May Day CBL saw 1 spam message from AS 40034 and more than 3 million on May 31.

Relizon was not visible in the May Canada rankings from PSBL data, although internally we do see AS 40034 going from #208 to #109 by going from 11 spam messages in April to 26 in May. Relizon logo CBL’s heuristics or spam traps or both were apparently much better at detecting this particular spam source.

Relizon’s own website doesn’t seem to be responding at the moment, but Bloomberg Businessweek says they do business process outsourcing solutions, and were formerly known as Crain-Drummond Inc., with the name change coming on acquisition by the Carlyle Group.

-jsq

Anti-Spam Blocklists DDoSed Down

At least three anti-spam blocklists were taken down this week by Distributed Denial of Service (DDoS) attacks: Spamhaus, CBL, and APEWS. The first two are back up; the third is not.

The Composite Blocking List (CBL) currently has this at the top of its home page:

Important Information on Spamhaus/CBL DDOS

Commencing March 19 the CBL was hit by a very large-scale distributed denial of service attack. At the time of writing (March 21, 00:15 UTC) this attack is still ongoing.

Throughout this period the CBL DNSBL has continued to remain available through the CBL mirrors and via Spamhaus XBL (and Zen), and we’ve been doing our utmost to restore the rest.

Access to the lookup/removal page has just been restored.

The CBL rsync facility has been restored.

Email to the CBL is not working yet.

We ask for your patience while we finish restoring the rest of the CBL to service.

SpamRankings.net is receiving CBL data normally again, although yesterday’s is lost.

We never saw any interruption in data from the Passive Spam Block List (PSBL).

Spamhaus says it got a 75Gbps DDoS attack, according to Liam Tung with CSO Online (Australia) today:

Continue reading

Why no kelihos rampage in PSBL October 2012 SpamRankings.net?

Why do the PSBL Volume October 2012 SpamRankings.net rankings from PSBL data not look much like the October 2012 rankings from CBL data in SpamRankings.net? Apparently because PSBL does not use the heuristic that CBL uses that catches the few IP addresses that are spewing hundreds of thousands or millions of spam messages a day. Is this lack of correspondence between the CBL and PSBL rankings a problem?

What would be the point of having multiple rankings if they always showed the same results? CBL Volume October 2012 SpamRankings.net But these are very different results: none of the CBL top 10 show up in the PSBL top 10! How can both the PSBL and CBL rankings be correct?

  1. First, “correct” for such rankings does not mean completely accurate and it does not mean completely precise: no blocklist will ever detect every spam message emitted by every IP address. Suppose even mighty NSA (No Such Agency) were to copy every bit that passed over every major ISP in the U.S. Even that would miss some bits emitted by for example an ISP in Vietnam that spammed an ISP in India. And what heuristics would mighty NSA use to detect all the spam from all those bits? Would those heuristics happen to include the same one CBL is using to detect the Kelihos rampage? Would they include some further heuristic of which CBL has not yet thought that would detect some other rampage? Quite possibly yes and yes. Any rankings of anything on the Internet are always approximate records of hints and whispers of a constantly-shifting reality that can never be completely pinned down.
  2. Second, correct for rankings means comparable among the ASNs ranked, so that they can be ranked. In that sense, yes, both the PSBL and CBL rankings are correct: they merely show different aspects of the spam symptom of defective infosec for the ranked ASNs.
  3. Third, any systematically ranked symptom of poor infosec is important. Does any organization want any of its hosts to be spewing hundreds of thousands of spam messages a day, as in those ASNs in the CBL top 10? Does any organization want any of its hosts to be spewing enough spam in aggregate to turn up in the PSBL top 10? Probably not.
Besides, actually the CBL data does corroborate the PSBL data, when viewed in another set of rankings. Continue reading

Data storage issues in SpamRankings.net

Data storage issues led to loss of some incoming data for the September 2012 SpamRankings.net. Interestingly, the results seem almost normal anyway. Here is a speculation on why that can be.

Look just under any rankings chart for September 2012 and you’ll see this notice:

CBL dropouts 8,11 September 2012 were on our end.
PSBL data is unusable 4-15 Sep 2012 due to problems on our end.
September 2012 World All SpamRankings.net from CBL Volume
1 (2) AS 9829 BSNL-NIB India IN
2 (1) AS 25019 SAUDINETSTC-AS Saudi Arabia SA
3 (5) AS 6147 SAA Peru PE
4 (3) AS 8386 KOCNET Turkey TR
5 (4) AS 7643 VNPT-AS-VN Vietnam VN
6 (-) AS 9050 ROMTELECOM Romania RO

The source of the problem was embarassingly simple and easily fixed: not enough inodes. The CBL and PSBL data were affected differently because they arrive differently. We pick up from CBL daily a text summary table with a line per IP address. We get from PSBL an NNTP feed of spam messages, each in its own file, that we boil down to a summary. So for CBL, we either got the whole file (most days of the month), or we didn’t store it at all (8 and 11 September). For PSBL, for each incoming message, we either stored it or we didn’t. Which is why there are some days with PSBL data between 4 and 15 Sep, but the volume is lower than usual. The notice below the chart is dire because we prefer to be conservative about these things.

Yet the PSBL rankings show AS 9829 BSNL-NIB #1 worldwide just like Continue reading

Festi in the rest of the top Turkish 7 SpamRankings.net 2012-08 CBL data

We’ve already looked at TTNET, which pushed Turkey Turkey to the top of the spamming world in July 2012, and KOCNET, ditto in August. What about other Turkish ASNs? The next five are AS 12735 ASTURKNET, AS 12978 DOGAN-ONLINE, AS 16135 TURKCELL, AS 29179 KIBRISONLINE-AS, and AS 8517 ULAKNET, in the August SpamRankings.net from both CBL and PSBL data. You guessed it: they’re all infested with Festi botnet, too.

Festi Turkish top 7-2 June-August 2012 SpamRankings.net CBL data

Festi Turkish top 7-2 June-August 2012 SpamRankings.net CBL data
Graph by John S. Quarterman for SpamRankings.net.

-jsq

Festi pushes KOCNET to #1 in Turkey and #3 in the world

Festi botnet spam made KOCNET beat TTNET to #1 in Turkey for the first time ever in August 2012 SpamRankings.net, in rankings from both CBL and PSBL data. While TTNET managed to stop most spam from Festi botnet, Festi spam from KOCNET massively ramped up.

KOCNET July-August 2012

Graph by John S. Quarterman for SpamRankings.net.

Both ISPs hit a Festi low on 21 July, which raises the speculation that that low had nothing to do with infosec efforts by the ISPs, and more to do with something going on inside Festi. After that low, TTNET briefly started back up with Festi, but then dropped down. KOCNET just kept going up. Up so far that KOCNET made #3 in the world in rankings from CBL data and #4 in the world in rankings from PSBL data, pushing Turkey itself up to #4 (CBL) and #5 (PSBL).

TTNET had already pushed Turkey last month to #4 (CBL) and #6 (PSBL). It was Festi then, and it’s Festi now, but the lead Turkish ISP has changed: last month it was TTNET, this month it’s KOCNET. It’s a problem when a botnet parasite can just move on to a new host like that. Do TTNET and KOCNET even know this is happening?

-jsq

Festi botnet in July 2012 U.S. Medical SpamRankings.net from CBL

AS 122 U-PGH-NET-AS The curve that took University of Pittsburgh Medical Center‘s AS 122 U-PGH-NET-AS to number one in the July 2012 U.S. SpamRankings.net from CBL data is almost completely explained by Festi botnet, except for one day, plus the small curve at the beginning of the month was apparently caused by Grum botnet.

AS 17311 ECMC-BGP was infested with Festi (blue curve on the right) at the same time as AS 122, and AS 17311 earlier had a Cutwail botnet

Continue reading

Pittsburgh back in the top 10 for spam from U.S. medical organizations

And this time it's #1 in the July 2012 U.S. SpamRankings.net from CBL data:

AS 122 U-PGH-NET-AS in the same ranking over time:

2011
Mar 		Apr May Jun Jul Aug Sep Oct Nov Dec 2012
Jan 		Feb Mar Apr May Jun Jul
34 32 32 8 31 8 4 29 32 33 30 32 29 6 5 9 1

University of Pittsburgh Medical Center's AS 122 U-PGH-NET-AS and Erie County Medical Center's AS 17311 ECMC-BGP not only took #1 and #2, they also spammed longer than other medical ASNs. That jumped them up 8 ranks each in one month.

-jsq

WIN finally got the no medical spam memo in March 2012

There’s a new development since we summarized A Year of SpamRankings.net: Medical Organizations. Chronic spamming medical organization WIN of Belgium finally dropped out of the July 2012 top 10 with its 9208 ASN, as you can see in the chronic ranking compilation:

Date:2011
Mar		 Apr May Jun Jul Aug Sep Oct Nov Dec 2012
Jan		 Feb Mar Apr May Jun Jul
Volume 26,737 33,000 10,851 31,183 33,930 48,342 13,454 5,992 16,838 32,058 10,272 15,273 7,331 693 270 329 21
Rank 1 2 1 2 1 1 1 1 1 1 1 1 1 2 5 3 11

It looks like WIN finally got the memo in March 2012 and has been improving since then.

Congratulations, WIN!

WIN finally went to zero

-jsq

Festi botnet infesting the world, July 2012

Autonomous Systems (ASes) infested with Festi botnet spammed more than any others worldwide, pushing whole new countries such as Saudi Arabia and Turkey into the top of the top 20 countries in the July SpamRankings.net, and pushing India to number 1 worldwide. . Here we look at the top 10 ASes infested by Festi.

Taking off like a rocket was SaidiNet's AS 25019 SAUDINETSTC-AS of Saudi Arabia. Rising almost as fast was National Internet Backbone's AS 9829 BSNL-NIB of India. Also on an upwards path was academic network AS 8386 KOCNET of Turkey.

Linear Top 10 ASNs with Festi botnet

Linear Top 10 ASNs with Festi botnet
Chart by John S. Quarterman for SpamRankings.net.

Maybe already peaked were AS 24560 AIRTELBROADBAND-AS-AP – Bharti Airtel Ltd. AS 9121 TTNET – TTnet AS AS 17813 MTNL-AP – Mahanagar Telephone Nigam Ltd. and AS 18101 RIL-IDC – Reliance Infocom Ltd Internet Data Centre

We will examine Festi more in later blog posts.

-jsq