What would be the point of having multiple rankings if they always
showed the same results?
But these are very different results:
none of the CBL top 10 show up in the PSBL top 10!
How can both the PSBL and CBL rankings be correct?
First, “correct” for such rankings does not mean completely accurate
and it does not mean completely precise:
no blocklist will ever detect every spam message emitted by every IP address.
Suppose even mighty NSA (No Such Agency) were to copy every bit that
passed over every major ISP in the U.S.
Even that would miss some bits emitted by for example an ISP in Vietnam
that spammed an ISP in India.
And what heuristics would mighty NSA use to detect all the spam from all
Would those heuristics happen to include the same one CBL is using
to detect the Kelihos rampage?
Would they include some further heuristic of which CBL has not yet thought
that would detect some other rampage?
Quite possibly yes and yes.
Any rankings of anything on the Internet are always approximate
records of hints and whispers of a constantly-shifting reality
that can never be completely pinned down.
Second, “correct” for rankings means that the measure is comparable across
the ASNs ranked, so that ordering them by it is meaningful.
In that sense, yes, both the PSBL and CBL rankings are correct:
they merely show different aspects of the spam symptom of defective
infosec for the ranked ASNs.
Third, any systematically ranked symptom of poor infosec is important.
Does any organization want any of its hosts to be spewing hundreds
of thousands of spam messages a day, as in those ASNs in the CBL top 10?
Does any organization want any of its hosts to be spewing enough
spam in aggregate to turn up in the PSBL top 10?
Besides, actually the CBL data does corroborate the PSBL data,
when viewed in another set of rankings.
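The point that two rankings can disagree completely and both be “correct” is easy to see if you build two rankings from a single set of observations. The following is an added example, not code from the original post or from PSBL or CBL; it assumes one constructed set of spam sightings of the form (ASN, source IP, messages) and, purely as an illustration, derives one ranking by total message volume and another by number of distinct sending addresses. The ASNs, addresses and counts are all made up.

```python
"""Two rankings of the same ASNs with no overlap in their top entries.

Added example; not code from the original post, PSBL or CBL. It assumes
one constructed set of spam sightings of the form (ASN, source IP, messages)
and derives two rankings from it: by total message volume and by number of
distinct sending addresses. Both orderings are "correct" in the sense the
post means (comparable across the ASNs ranked); they weight the same
symptom differently.
"""
from collections import Counter, defaultdict


def constructed_sightings():
    """Constructed sample data, not real PSBL/CBL records.

    Each tuple is (asn, source_ip, messages_seen). ASNs are from the
    private range; addresses are from documentation ranges.
    """
    rows = []
    # Two hosts each spewing a lot: high volume, few addresses.
    rows += [(64512, f"192.0.2.{i}", 10000) for i in range(1, 3)]
    # Many lightly used hosts: low volume, many addresses (snowshoe-like).
    rows += [(64513, f"198.51.100.{i}", 5) for i in range(1, 101)]
    rows += [(64514, f"203.0.113.{i}", 3000) for i in range(1, 4)]
    rows += [(64515, f"198.51.100.{i}", 10) for i in range(150, 210)]
    return rows


def aggregate(sightings):
    """Return {asn: (total_messages, distinct_addresses)}."""
    volume = Counter()
    addresses = defaultdict(set)
    for asn, ip, n in sightings:
        volume[asn] += n
        addresses[asn].add(ip)
    return {asn: (volume[asn], len(addresses[asn])) for asn in volume}


def top_n(stats, metric, n=2):
    """Rank ASNs by one metric: 'volume' (index 0) or 'addresses' (index 1).

    Ties are broken by ASN so the ranking is deterministic.
    """
    idx = {"volume": 0, "addresses": 1}[metric]
    ordered = sorted(stats.items(), key=lambda kv: (-kv[1][idx], kv[0]))
    return [asn for asn, _ in ordered[:n]]


def overlap(ranking_a, ranking_b):
    """ASNs that appear in both rankings, in the order of ranking_a."""
    return [asn for asn in ranking_a if asn in ranking_b]


if __name__ == "__main__":
    stats = aggregate(constructed_sightings())
    by_volume = top_n(stats, "volume")
    by_addresses = top_n(stats, "addresses")
    print("by volume:   ", by_volume)
    print("by addresses:", by_addresses)
    print("in both:     ", overlap(by_volume, by_addresses))
```

With this data the top two by volume are the two ASNs with a handful of very busy hosts, the top two by distinct addresses are the two with many quiet hosts, and the two lists share nothing. Neither ranking is wrong; each is internally comparable, and each is a different symptom of the same underlying infestation.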
Previously unseen Brinkster’s AS 33055 BCC-65-182-96-0-PHX took first place. AS 10439 CARINET leapt from #8 last month to #4 for March for the U.S., and was up to second place at the end of the month. Six ASNs joined the U.S. top 10: were they all due to snowshoe spam, too? Brinkster was so bad it made #8 on the world top 10!
Last month’s winner AS 21788 NOC finally cleaned up its act a bit, dropping from #1 to #5. Six ASNs dropped out of the top 10. Four of them (Webhost-ASN-1, LIMESTONENETWORKS, PEER1, and ATMLINK) popped to the top 10 last month due to snowshoe spam. The other two (NTT and Charter’s ASNs) didn’t even have to spam less to drop out, because this month’s top 10 had so much more spam.
But the US ASNs that got worse pushed the U.S. to #1 spamming country. The slope of that U.S. world top 10 curve for the last dozen days of March looks just like the Brinkster and CARINET ASN curves in the U.S. top 10. Very impressive, to drive the whole country into the countries top 10!
made the Davos Top 5 Global Risks in Terms of Likelihood.
Davos, the annual conclave of the hyper-rich and famously elected,
has also discovered Severe income disparity
and Water supply crisis, so maybe they’re becoming
However, in Figure 17 on page 25 they’ve got Cyber attacks
as an origin risk, along with Massive incident of data fraud or theft
and Massive digital misinformation. I think they’re missing the point,
which is the real origin risk is poor infosec, and the origin of that
is vendors like MSFT knowingly shipping systems with design flaws
and people and organizations running them while hiding such problems.
Registrants may seek to mitigate damages from a cyber incident
by providing customers with incentives to maintain the business
Hm, incentives like showing an improved reputational risk ranking?
Perhaps in order to prevent this sort of thing?
Cyber incidents may also result in diminished future cash flows, thereby
requiring consideration of impairment of certain assets including
goodwill, customer-related intangible assets, trademarks, patents,
capitalized software or other long-lived assets associated with hardware
or software, and inventory.
The SEC is still missing at least one connection between dots:
Prior to a Cyber Incident
Registrants may incur substantial costs to prevent cyber
incidents. Accounting for the capitalization of these costs is addressed
by Accounting Standards Codification (ASC) 350-40, Internal-Use Software,
to the extent that such costs are related to internal use software.
Sure, infosec costs money.
But if infosec actually prevents loss of customer goodwill, infosec
could attract and retain customers,
so infosec could be a source of profit.
If anybody knows about it, that is.
Did this spam spike come from any particular botnet?
Figure: AS 3549 GBLX, PSBL spam volume (left axis) and CBL botnet volume (right axis).
It looks like GBLX is infested with many botnets, but
the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak
on 16 Nov.
Given that the ASN volume spike is from PSBL data and the botnet
volume peak is from CBL data, a day off is plausible, due to different
collection and delivery times.
There’s also a peak for grum (green line near the bottom) on 17 Nov,
and peaks for festi and n/a on 18 Nov,
where n/a is CBL’s marker for spam they detected without having to
look as far as determining which botnet they think sent it.
So the spam spike could be from cutwail.
Or it could be because of a coincidence of several botnet peaks.
Or it could be some other botnet that happened to do a spam campaign
on that day.
Given that the PSBL GBLX peak builds up on 16 Nov, I’d guess it
came mostly from cutwail.
We could try to resolve this question by digging into the specific
addresses from which PSBL saw the GBLX spam coming
and checking whether they match the addresses CBL assigned to botnets.
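Here is what that address-level cross-check looks like in code. This is an added example, not code from the original post or from PSBL or CBL. It assumes two constructed record sets: PSBL-style sightings (date, source IP) and CBL-style listings (date, IP, botnet name), and it credits a sighting to a botnet when CBL listed the same address within one day, to allow for the different collection and delivery times the post mentions. The dates echo the 16–18 Nov window discussed above, but every address and listing is made up.

```python
"""Match PSBL-seen spam sources against CBL botnet listings by address.

Added example; not code from the original post, PSBL or CBL. It assumes two
constructed record sets: PSBL-style sightings (date, source IP) and
CBL-style listings (date, IP, botnet name). A sighting is attributed to a
botnet when CBL listed the same address within a tolerance of one day,
because the two lists collect and publish on different schedules.
"""
from collections import Counter, defaultdict
from datetime import date

SPIKE_DAY = date(2011, 11, 17)

# Constructed sample data, not real PSBL/CBL records; addresses are from a
# documentation range and are not in AS 3549.
PSBL_SIGHTINGS = [
    (date(2011, 11, 16), "192.0.2.10"),
    (date(2011, 11, 16), "192.0.2.11"),
    (SPIKE_DAY, "192.0.2.10"),
    (SPIKE_DAY, "192.0.2.11"),
    (SPIKE_DAY, "192.0.2.12"),
    (SPIKE_DAY, "192.0.2.20"),
    (SPIKE_DAY, "192.0.2.30"),
    (SPIKE_DAY, "192.0.2.40"),   # never listed by CBL
    (date(2011, 11, 18), "192.0.2.20"),
    (date(2011, 11, 18), "192.0.2.50"),
]

CBL_LISTINGS = [
    (date(2011, 11, 16), "192.0.2.10", "cutwail"),
    (date(2011, 11, 16), "192.0.2.11", "cutwail"),
    (date(2011, 11, 16), "192.0.2.12", "cutwail"),
    (date(2011, 11, 17), "192.0.2.20", "grum"),
    (date(2011, 11, 18), "192.0.2.12", "grum"),   # same host, second family
    (date(2011, 11, 18), "192.0.2.30", "festi"),
    (date(2011, 11, 18), "192.0.2.50", "n/a"),    # CBL's "botnet not determined"
]


def index_listings(listings):
    """Map each IP to the (date, botnet) pairs CBL reported for it."""
    by_ip = defaultdict(list)
    for listed_on, ip, botnet in listings:
        by_ip[ip].append((listed_on, botnet))
    return by_ip


def attribute(sightings, listings, day=None, tolerance_days=1):
    """Count sightings per botnet, optionally restricted to one day.

    An address listed under more than one botnet inside the window is
    counted as 'ambiguous' rather than credited to either; an address CBL
    never listed inside the window is 'unmatched'.
    """
    by_ip = index_listings(listings)
    counts = Counter()
    for seen_on, ip in sightings:
        if day is not None and seen_on != day:
            continue
        families = {
            botnet
            for listed_on, botnet in by_ip.get(ip, ())
            if abs((listed_on - seen_on).days) <= tolerance_days
        }
        if not families:
            counts["unmatched"] += 1
        elif len(families) == 1:
            counts[families.pop()] += 1
        else:
            counts["ambiguous"] += 1
    return counts


def leading_family(counts):
    """Botnet with the most attributed sightings, ignoring the 'unmatched'
    and 'ambiguous' buckets; None if nothing was attributed."""
    named = {k: v for k, v in counts.items() if k not in ("unmatched", "ambiguous")}
    return max(named, key=named.get) if named else None


if __name__ == "__main__":
    spike = attribute(PSBL_SIGHTINGS, CBL_LISTINGS, day=SPIKE_DAY)
    print("17 Nov attribution:", dict(spike))
    print("leading family:", leading_family(spike))
    same_day = attribute(PSBL_SIGHTINGS, CBL_LISTINGS, day=SPIKE_DAY, tolerance_days=0)
    print("same-day only:", dict(same_day))
```

Two things worth noticing when running it: dropping the one-day tolerance turns most of the spike day into “unmatched”, which is exactly the effect of the two lists' different delivery times; and a host that CBL files under two families in the window is reported as ambiguous rather than credited to whichever listing came first, so the “mostly cutwail” guess rests only on addresses with a single consistent attribution.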
That’s not the only spamming churn activity in Canada for October.
The log chart shows MetroBridge Networks Corporation AS 25976
METROBRIDGE-NET jumping up from zero to take ninth place.
It looks like one organization may have cleaned up its act while another
Last month’s winner, Canaca-com’s AS 33139 CANACA-210, came in
second. From there down it’s mostly the usual suspects in slightly
Interestingly, long-term winner Bell Canada’s AS 577 BACOM
only came in fourth.
This is unusual for a national telco.
Maybe they’re watching the rankings?
“Poor security measures are generally responsible for employee
workstations getting compromised, either by spam or malicious Web
content. Once the machine is compromised, the botnet herders can add it
to its spam-spewing botnet to send out malware to even more people. The
original employee or the organization rarely has any idea the machine
has been hijacked for this purpose.”
That’s a pretty good explanation for why outbound spam is a proxy
for poor infosec.