Tag Archives: IIAR

A few bad stones can darken an organization’s SpamRankings.net

Apparently a few infested computers can push a whole hosting service into the top 10 SpamRankings.net for its country. That’s bad, but on the other hand a few addresses should be easy to find and fix, if the infested organization wants to do so.

Take Stone Internet Services AS 39234 STONE-IS, which is the green line climbing to the top of the Belgium April 2012 rankings in the graph. On 30 April CBL caught more than 8,000 spam messages coming from STONE-IS, yet CBL only saw spam coming from a max of 3 STONE-IS IP addresses during that month. If those messages came evenly from each of those 3 addresses, that would be about 2,600 messages from each address, and more likely one of those addresses is the real culprit. Of course, that was almost certainly nowhere near all the spam that came from that ASN that month, and maybe not all the IP addresses sending them.

But compare to the number one source of spam from Belgium for

Congratulations to Israel and Spain for dropping out of April World SpamRankings.net!

Israel and Spain were the only two countries to drop out of the world top 20 spammers from CBL data in April 2012. Congratulations!

Not so lucky were the U.K. and Turkey, which joined the top 20.

Also, South Korea got to #2 in the second and third weeks of the month and placed third overall, up from fifth in March.

April 2012 Monthly Countries (All) SpamRankings.net from CBL Volume (previous month’s rank in parentheses)

Rank (Prev)   Country             Code  Population      Volume        % of top 20
1 (1)         United States       US    310,232,863     104,308,126   17.1%
2 (2)         India               IN    1,173,108,018   68,811,807    11.3%
3 (5)         Korea, South        KR    48,422,644      58,983,193    9.66%
4 (6)         Vietnam             VN    89,571,130      51,301,264    8.4%
5 (3)         Brazil              BR    201,103,330     38,033,087    6.23%
6 (4)         Russian Federation  RU    140,702,000     36,167,764    5.92%
7 (8)         Taiwan              TW    22,894,384      33,163,766    5.43%
8 (7)         Poland              PL    38,500,000      32,507,068    5.32%
9 (9)         Romania             RO    21,959,278      24,545,877    4.02%
10 (12)       Belarus             BY    9,685,000       23,895,403    3.91%
11 (13)       China               CN    1,330,044,000   18,743,935    3.07%
12 (14)       Peru                PE    29,907,003      17,293,193    2.83%
13 (11)       Ukraine             UA    45,415,596      16,062,362    2.63%
14 (18)       Kazakhstan          KZ    15,340,000      14,924,036    2.44%
15 (15)       Argentina           AR    41,343,201      13,819,396    2.26%
16 (-)        United Kingdom      GB    62,348,447      13,638,509    2.23%
17 (17)       Pakistan            PK    184,404,791     12,320,247    2.02%
18 (10)       Indonesia           ID    242,968,342     10,899,369    1.78%
19 (-)        Turkey              TR    77,804,122      10,675,444    1.75%
20 (19)       Colombia            CO    44,205,293      10,651,199    1.74%
Total                                                   610,745,045   100%

In previous month’s top 20, not in this month’s:
(16)          Spain               ES    46,505,963      15,819,585
(20)          Israel              IL    7,353,985       11,349,660
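As an added illustration (this is not SpamRankings.net’s own code), here is a Python routine that builds the kind of table above from per-ASN monthly volumes: it sums volumes by country, ranks the top N, attaches each country’s previous-month rank or "-" for a newcomer, computes each country’s share of the top-N total, and lists the countries that dropped out, as Israel and Spain did. The ASNs, country volumes and previous ranks are constructed sample values.

```python
from collections import defaultdict

# Constructed sample: (ASN, country code, spam volume) for the current month.
# Real data would come from a blocklist feed such as CBL; these values are made up.
CURRENT = [
    ("AS64500", "US", 400_000), ("AS64501", "US", 250_000),
    ("AS64502", "IN", 500_000), ("AS64503", "KR", 300_000),
    ("AS64504", "ES", 120_000), ("AS64505", "BY", 200_000),
]
# Previous month's country ranks (constructed): ES was in last month, BY was not.
PREVIOUS_RANKS = {"US": 1, "IN": 2, "ES": 3, "KR": 4}


def volume_by_country(records):
    """Sum per-ASN volumes into per-country totals."""
    totals = defaultdict(int)
    for _asn, cc, volume in records:
        totals[cc] += volume
    return dict(totals)


def rank_countries(records, previous_ranks, top_n):
    """Return (rows, dropouts): rows carry rank, previous rank ("-" if new),
    country, volume and share of the top-N total in percent (1 decimal);
    dropouts are countries ranked last month that fell outside this top N."""
    totals = volume_by_country(records)
    # Sort by volume descending; the country code breaks ties deterministically.
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    top = ordered[:top_n]
    top_total = sum(volume for _, volume in top)
    rows = []
    for rank, (cc, volume) in enumerate(top, start=1):
        rows.append({"rank": rank, "previous": previous_ranks.get(cc, "-"),
                     "country": cc, "volume": volume,
                     "share": round(100.0 * volume / top_total, 1)})
    in_top = {row["country"] for row in rows}
    dropouts = sorted(cc for cc in previous_ranks if cc not in in_top)
    return rows, dropouts


if __name__ == "__main__":
    rows, dropouts = rank_countries(CURRENT, PREVIOUS_RANKS, top_n=4)
    for row in rows:
        print(f'{row["rank"]} ({row["previous"]}) {row["country"]} '
              f'{row["volume"]:,} {row["share"]}%')
    print("In previous, not this month:", ", ".join(dropouts))
```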

-jsq

An ISP snowshoes ahead in spamming

Continuing the question of “Ogee snowshoe: black swan or new strategy?”, let’s look at Ogee snowshoe spam in the first week of May 2012.

The two dotted lines trending down together in the middle are AS 29131 and AS 28178, and they both fit the traditional profile for snowshoe spam hosting sites, because they advertise hosting or colocation as their main services. AS 29131 is registered to RapidSwitch, which advertises dedicated servers, cloud solutions, and colocation. AS 28178, registered as Network Operations Center (NOC), which keeps on rolling waves of snowshoe spam, appears to be operating under the name BurstNet, which offers managed servers and co-location as its first two services.

However, the dotted line rising to the top right that pulled the solid overall snowshoe volume line back up is not a hosting center: it’s an ISP. CDM’s AS 6428 appears to be operating as Primary Network, whose first services are T-1 Internet access and metro Internet. And Primary Network is not alone. We’ve pulled out a list of all the ASNs affected by Ogee snowshoe so far, and quite a few of them are ISPs, some of them very well known ISPs.

Snowshoe: it’s not just for hosting centers anymore.

-jsq

Microsoft, world leader in Internet security: and spamming?

Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. for April 2012 in rankings from PSBL data, pushing the U.S. to #1 worldwide. Other rankings don’t show Microsoft high, but does MSFT really want to show up in any of these rankings?

Rank (Prev)   Country  Population      Spam Volume  % of top 10
1 (3)         US       310,232,863     673,306      18.2%
2 (2)         IN       1,173,108,018   506,397      13.7%
3 (1)         CN       1,330,044,000   413,089      11.2%
Total                                  3,689,376    100%

These rankings that show Microsoft high are derived by SpamRankings.net from PSBL blocklist data. The April 2012 SpamRankings.net from CBL blocklist data do not show Microsoft in the top 10. Apparently PSBL’s spam traps happened to be in the line of spam from Microsoft, while CBL’s were not.

And of course Microsoft probably doesn’t mean to be sending any of that spam. More likely botnets exploited a MSFT security vulnerability. Here’s hoping they clean it up soon!

-jsq

Which ASNs showed most Ogee snowshoe spam in March and early April?

Snowshoe spamming begins to look like a rising tide.

Peaking at the end of March 2012, the Ogee snowshoe spam winner is AS 16226 GNAXNET-AS – Global Net Access LLC. GNAXNet actually placed another Autonomous System in the same time frame, AS 3595.

U.S. Brinkster’s AS 33055 BCC-65-182-96-0-PHX finally cleaned up its act and went to zero Ogee volume 11 April 2012. Canada’s AS 32613 IWeb also went to zero on 23 March 2012.

On the other hand, it looks like a new surge of snowshoe spam is starting mid-April, including some organizations maybe not usually considered hosting companies, such as Cogent’s AS 174.

Meanwhile, Belarus’ AS 6697 BELPAK-AS already went from #7 to #5 worldwide in March, pushing Belarus up from #16 to #12 among countries.

And NOC’s AS 21788 keeps on rolling waves of snowshoe spam.

All these volume numbers and rankings are provisional, especially considering we’re seeing so many ASes and netblocks that were previously not spamming that we’re tuning our database to be sure we’re properly accounting for them all.

Nonetheless, it looks like snowshoe may be a rising spamming strategy.

-jsq

Ogee pushed iWeb and Canada up SpamRankings.net in March 2012

AS 32613 IWEB-AS was far ahead of the Canadian spamming pack in the March 2012 SpamRankings.net. iWeb improved a lot towards the end of the month, but will it stay improved? AS 14366 MTNCABLE plateaued early, dropped, then took first at the end of the month. Could they have the same problem?

Why yes, both iWeb and MTNCABLE appear to be infested by Ogee snowshoe spamming.

This problem is bad enough that Canada rose from country #46 in January to #34 in February and #25 in March. You can’t see that on the countries’ top 10, as you can for the U.S., which snowshoe spamming pushed to #1 worldwide in March, but internally SpamRankings.net keeps track of rankings of all countries worldwide, and indeed Canada went from #46 in January to #25 in March.

-jsq

What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:


Left Axis: Total Ogee volume (spam messages);
Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the eight Ogee-infested ASNs from the U.S. top 10 previously described are also in there, except AS 7796 ATMLINK and AS 13768 PEER1.

New here are these three:

Did the February 2012 spam surge come from one botnet?

SpamRankings.net saw a huge surge in spam from some U.S. ASNs, mostly from ones that hadn’t even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?

Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table below and shown in the chart that follows:

AS 21788 NOC
AS 27229 WEBHOST-ASN1
AS 46475 LIMESTONENETWORKS
AS 33055 BCC-65-182-96-0-PHX
AS 15149 EZZI-101-BGP
AS 13768 PEER1
AS 10439 CARINET
AS 7796 ATMLINK

[Chart: Left Axis: ASN volume (spam messages); Right Axis: Botnet volume (dotted curves)]

The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.

AS 21788 NOC was one of the first and worst affected by this spam surge:
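The post’s test for “very close correlation with one botnet” can be made concrete with an added Python example (not SpamRankings.net’s own code): each ASN’s daily spam count is compared against the botnet’s daily volume curve using the Pearson correlation coefficient, and ASNs whose curve tracks the botnet’s above a threshold are flagged. The daily series and ASN names below are constructed placeholders, including one ASN that surged and then cleaned up quickly, which the correlation correctly does not flag.

```python
import math

# Constructed daily volumes over 10 days (values made up for illustration).
BOTNET_DAILY = [0, 0, 50, 400, 900, 1200, 1500, 1300, 1100, 1000]
ASN_DAILY = {
    "AS64500": [5, 4, 30, 210, 460, 620, 800, 690, 560, 510],       # tracks the botnet
    "AS64501": [300, 310, 290, 305, 295, 300, 310, 290, 305, 300],  # steady, unrelated
    "AS64502": [0, 0, 40, 350, 700, 120, 10, 0, 0, 0],              # surged, then cleaned up
}


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def correlated_asns(asn_series, botnet_series, threshold=0.9):
    """Return {asn: r} for ASNs whose daily volume correlates with the botnet
    curve at or above the threshold (r rounded to 3 decimals)."""
    flagged = {}
    for asn, series in asn_series.items():
        r = pearson(series, botnet_series)
        if r >= threshold:
            flagged[asn] = round(r, 3)
    return flagged


if __name__ == "__main__":
    for asn, r in correlated_asns(ASN_DAILY, BOTNET_DAILY).items():
        print(f"{asn} tracks the botnet curve, r = {r}")
```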

Big U.S. Spam Spike in February 2012 SpamRankings.net

What could push the U.S. from 13 to 2 in worldwide SpamRankings.net, and way up to number one for the last week of February 2012?

In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn’t place in the top 10 at all, for the first time in recent memory!

NOC has had this problem before, in July and November 2011, but never with this amount of spam volume. And this time many other ASNs show the same pattern.

The same issue may be in the Canadian rankings as well: AS 32613 IWEB-AS jumped from 8 to 1 for the month, with almost all the increase in the same last week of the month as for the U.S. problem ASNs.

There was even a similar curve in the World rankings, for Telefonica del Peru’s AS 6147 SAA.

Our next step is to drill down to see if these ASNs were infected by the same botnet. We did that for the medical ASNs last month, but this is a much bigger spam event this month.

-jsq

Comcast pushed out of first, yet wins November U.S. SpamRankings.net

How can an ISP both lose and win in top 10 rankings? By placing more than once!

Comcast got pushed out of first place by AS 46475 LIMESTONENETWORKS and AS 21788 NOC in the November 2011 Monthly U.S. SpamRankings.net from CBL volume. AS 20214 COMCAST-20214 did spam a third less (1,503,173 spam messages) than last month (2,193,898), but it was the spontaneous spam spewing of the two top place newcomers that pushed it down to third place.

Yet Comcast really won the month. It took 4 of the top 10 (places 3, 6, 7, and 10), which is twice as many as last time, and accounted for 30.29% of top 10 spam spewed, up from 23.9% last time. That percentage beats either of the top two this time.

-jsq