Tag Archives: Global Crossing

Global Crossing spammed the most from the U.S. in September 2012 SpamRankings.net!

Bar chart: September 2012 U.S. SpamRankings.net from CBL Volume

Winner and new champion: Global Crossing’s AS 3549 GBLX! GBLX won the September 2012 SpamRankings.net with almost half of all the spam from the top 10 seen in the CBL data and more than a third seen from PSBL. What accounts for this surge of U.S. spammy ASNs?

Top 10 botnets for top 10 ASNs, U.S., Sep 2012, SpamRankings.net

Pie chart: September 2012 U.S. SpamRankings.net from CBL Volume

Yep, it’s Festi for #1 GBLX, #2 AS 17184 ATL-CBEYOND, #3 AS 7018 ATT-INTERNET4, #8 AS 7385 INTEGRATELECOM and #10 AS 1239 SPRINTLINK. Congratulations AT&T for making the list! Well, not really congratulations, since it means you let a lot of outbound spam out.

However, it’s Lethic for #4 AS 8047 GCI, #5 AS 22258 COMCAST-22258, and #6 AS 20115 CHARTER-NET-HKY-NC.

Line chart: September 2012 U.S. SpamRankings.net from CBL Volume

AS 3549 GBLX may have already peaked. AS 19529 RAZOR-PHL went up like a rocket at the end of the month! Will they swap ranks next month? And what’s driving RAZOR-PHL to the top? Hint: it’s the same as for #9 AS 25653 FORTRESSITX. Stay tuned!

-jsq

Global Crossing spam spike, November 2011

In the November SpamRankings.net from PSBL data, Global Crossing’s AS 3549 GBLX spiked on 17 November and a few days before, pushing it into fifth place.

Did this spam spike come from any particular botnet?


Chart: AS 3549 GBLX PSBL spam volume (left axis), CBL botnet volume (right axis)

It looks like GBLX is infested with many botnets, but the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak on 16 Nov. Given that the ASN volume spike is from PSBL data and the botnet volume peak is from CBL data, a day off is plausible, due to different collection and delivery times.

There’s also a peak for grum (green line near the bottom) on 17 Nov, and peaks for festi and n/a on 18 Nov, where n/a is CBL’s marker for spam they detected without having to look as far as determining which botnet they think sent it.

So the spam spike could be from cutwail. Or it could be because of a coincidence of several botnet peaks. Or it could be some other botnet that happened to do a spam campaign on that day. Given that the PSBL GBLX peak builds up on 16 Nov, I’d guess it came mostly from cutwail.

We could try to resolve this question by digging into the specific addresses that the GBLX spam seen by PSBL came from, and checking whether they match addresses CBL assigned to botnets.

-jsq
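
One way to run the cross-check described in the post above, as an added example that is not from the original post: it splits one day's PSBL volume for an ASN by the botnet label CBL gave each source address, accepting CBL listings up to a day either side to allow for the feeds' different collection times. The record layouts, prefixes, addresses and counts are constructed for illustration and are not the real PSBL or CBL formats or data.

```python
from collections import Counter
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for the ASN's announced prefixes (documentation ranges).
AS_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed PSBL-style sightings: (day, source IP, message count)
PSBL = [
    (date(2011, 11, 16), "192.0.2.10", 40),
    (date(2011, 11, 17), "192.0.2.10", 120),
    (date(2011, 11, 17), "192.0.2.11", 90),
    (date(2011, 11, 17), "198.51.100.7", 30),
    (date(2011, 11, 17), "198.51.100.99", 15),
    (date(2011, 11, 17), "203.0.113.5", 500),  # outside the ASN, ignored
]
# Constructed CBL-style listings: (day, source IP, botnet label)
CBL = [
    (date(2011, 11, 16), "192.0.2.10", "cutwail"),
    (date(2011, 11, 16), "192.0.2.11", "cutwail"),
    (date(2011, 11, 17), "198.51.100.7", "grum"),
    (date(2011, 11, 14), "198.51.100.99", "festi"),  # too old to match
]

def in_as(ip):
    """True if the address falls inside one of the ASN's prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in AS_PREFIXES)

def attribute_spike(psbl, cbl, spike_day, slack_days=1):
    """Split the spike day's PSBL volume by the botnet CBL assigned to each IP.

    A CBL listing counts only if it is within slack_days of the spike day;
    when an IP has several listings, the one closest in time wins.
    """
    window = timedelta(days=slack_days)
    best = {}  # ip -> (gap to spike day, botnet label)
    for day, ip, botnet in cbl:
        gap = abs(day - spike_day)
        if gap <= window and (ip not in best or gap < best[ip][0]):
            best[ip] = (gap, botnet)
    volume = Counter()
    for day, ip, count in psbl:
        if day == spike_day and in_as(ip):
            volume[best[ip][1] if ip in best else "unmatched"] += count
    return volume

if __name__ == "__main__":
    for botnet, n in attribute_spike(PSBL, CBL, date(2011, 11, 17)).most_common():
        print(f"{botnet:10s} {n}")
```

A large "unmatched" share would point away from the botnets CBL labelled and toward the other explanations the post lists.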