Tag Archives: Cutwail

Primus dropped out of January 2013 Canada SpamRankings.net

The big winner was AS 7788 MAGMA-COMM, which dropped from #3 to #147 by going from millions of spam messages to fewer than a thousand in the January 2013 SpamRankings.net for Canada. Magma had a brief spate of Kelihos spam in the middle of the month, but it lasted less than a week. Almost as good was AS 6407 PRIMUS-AS6407, dropping from millions the previous month to a few hundred thousand, and from #6 to #11. That one, while beating its Kelihos problem, seems to have developed a Cutwail problem, which was sending more and more spam at the end of the month. Since Magma was bought by Primus in 2004, Primus gets double congratulations!

-jsq

Botnets behind the late-month upswings in Belgium in the September 2012 SpamRankings.net?

Congratulations to Belgacom, Mobistar, Uganda-Telecom and BASE Belgium for improving in the September 2012 SpamRankings.net for Belgium from CBL data! But what’s behind Brutele, Mobistar and Gateway getting worse at the end of the month? And what about Teledis, which is worse over the whole month, but better at the end?

For AS 12392 ASBRUTELE, the problem the whole month is Lethic botnet with a little Festi:

No Festi dip in LACNIC, July 2012 SpamRankings.net

There was a dip in volume from the top 20 Festi-infested ASNs starting about 15 July 2012, bottoming out 21 July 2012, except one region’s ASNs did not dip.

Festi top 20

The three Latin American ASNs in the Festi botnet top 20 spammers did not dip:

Those are the only three LACNIC ASNs in the top 20 ASNs for Festi. Perhaps NIC policies matter? Or maybe it’s something in regional national infosec policies? It could still be national infosec policies, but why were all the other big Brazilian ASNs not Festi-infested?

But wait! Two others also did not dip:

TTNET ejected Festi but still infested with Lethic and other botnets 2012-07,2012-08

Congratulations to Turkey's TTNET's AS 9121 for getting Festi botnet spam down from more than a million messages a day to less than 100,000!

However, Festi is still in there, and TTNET has other problems, as well, including Lethic, Cutwail, Waledac, Maazben, and even Grum(!) botnets, plus Sendsafe.

Festi botnet in July 2012 U.S. Medical SpamRankings.net from CBL

The curve that took University of Pittsburgh Medical Center’s AS 122 U-PGH-NET-AS to number one in the July 2012 U.S. SpamRankings.net from CBL data is almost completely explained by the Festi botnet, except for one day; the small curve at the beginning of the month was apparently caused by the Grum botnet.

AS 17311 ECMC-BGP was infested with Festi (blue curve on the right) at the same time as AS 122, and AS 17311 earlier had a Cutwail botnet

Grum down, but… 1 June 2012 – 30 July 2012, SpamRankings.net

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown removed the command and control nodes but presumably left the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of the Grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs
Graph by John S. Quarterman for SpamRankings.net.

The updated Top 10 Botnets graph has good news and bad news:

Grum and other botnets, 1 June 2012 – 19 July 2012, SpamRankings.net

Apparently the Grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, in “Huge spam botnet Grum is taken out by security researchers”: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26 and 27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for SpamRankings.net from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into which botnet it came from), so taking Grum down is a big deal. However, we don’t really see