Tag Archives: John S. Quarterman

Ogee snowshoe: black swan or new strategy? SpamRankings.net

You may recall that a week ago most of March’s crop of Ogee spamming ASNs had subsided. Yet there were some contenders coming up from the bottom right corner of the graph.

Some correspondents say snowshoe spamming such as Ogee is a black swan, unanticipated and short-lived. I say it may be a change in strategy. Others say the actual spam coming out of Ogee is not the same campaigns as we’ve seen from botnets, so spammers are not moving over. To which I say: yet. And if snowshoe spam is big enough to change worldwide SpamRankings.net, and if it continues, that’s a strategy change. We’ll see how all that goes.

Meanwhile, what’s happened in the last week or two?

Top 10 ASNs showing Ogee spam 2012-03-01 to 2012-04-25, SpamRankings.net.

A few of those contenders were just flashes in the pan. But others are still spamming more and more.

-jsq

Which ASNs showed most Ogee snowshoe spam in March and early April?

Snowshoe spamming begins to look like a rising tide.

Peaking at the end of March 2012, the Ogee snowshoe spam winner is AS 16226 GNAXNET-AS – Global Net Access LLC. GNAXNet actually placed another Autonomous System in the same time frame, AS 3595.

U.S. Brinkster’s AS 33055 BCC-65-182-96-0-PHX finally cleaned up its act and went to zero Ogee volume on 11 April 2012. Canada’s AS 32613 IWeb also went to zero on 23 March 2012.

On the other hand, it looks like a new surge of snowshoe spam is starting mid-April, including some organizations maybe not usually considered hosting companies, such as Cogent’s AS 174.

Meanwhile, Belarus’ AS 6697 BELPAK-AS already went from #7 to #5 worldwide in March, pushing Belarus up from #16 to #12 among countries.

And NOC’s AS 21788 keeps on rolling waves of snowshoe spam.

All these volume numbers and rankings are provisional, especially considering we’re seeing so many ASes and netblocks that were previously not spamming that we’re tuning our database to be sure we’re properly accounting for them all.

Nonetheless, it looks like snowshoe may be a rising spamming strategy.

-jsq

Ogee pushed iWeb and Canada up SpamRankings.net in March 2012

AS 32613 IWEB-AS was far ahead of the Canadian spamming pack in the March 2012 SpamRankings.net. iWeb improved a lot towards the end of the month, but will it stay improved? AS 14366 MTNCABLE plateaued early, dropped, then took first at the end of the month. Could they have the same problem?

Why yes, both iWeb and MTNCABLE appear to be infested by Ogee snowshoe spamming.

This problem is bad enough that Canada rose from country #46 in January to #34 in February and #25 in March. You can’t see that on the countries top 10, like you can for the U.S., which snowshoe spamming pushed to #1 worldwide in March, but internally SpamRankings.net keeps track of rankings of all countries worldwide, and indeed Canada went from #46 in January to #25 in March.

-jsq

Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012 SpamRankings.net

Previously unseen Brinkster’s AS 33055 BCC-65-182-96-0-PHX took first place. AS 10439 CARINET leapt from #8 last month to #4 for March for the U.S., and was up to second place at the end of the month. Six ASNs joined the U.S. top 10: were they all due to snowshoe spam, too? Brinkster was so bad it made #8 on the world top 10!

Last month’s winner AS 21788 NOC finally cleaned up its act a bit, dropping from #1 to #5. Six ASNs dropped out of the top 10. Four of them (Webhost-ASN-1, LIMESTONENETWORKS, PEER1, and ATMLINK) popped to the top 10 last month due to snowshoe spam. The other two (NTT and Charter’s ASNs) didn’t even have to spam less to drop out, because this month’s top 10 had so much more spam.

But the US ASNs that got worse pushed the U.S. to #1 spamming country. The slope of that U.S. world top 10 curve for the last dozen days of March looks just like the Brinkster and CARINET ASN curves in the U.S. top 10. Very impressive, to drive the whole country into the countries top 10!

-jsq

Krebs on SpamRankings.net

Brian Krebs wrote on his blog, Naming & Shaming Sources of Spam:

A new resource for spotlighting organizations that are unwittingly contributing to the global spam problem aims to shame junk email havens into taking more aggressive security measures.

SpamRankings.net is a project launched by the Center for Research in Electronic Commerce at the University of Texas at Austin. Its goal is to identify and call attention to organizations with networks that have been infiltrated by spammers.

Andrew Whinston, the center’s director, said the group initially is focusing on health care providers that appear to be infected with spam bots. “Nobody wants to do business with a bank or hospital or Internet hosting company that has been hijacked by spammers,” Whinston said. “It’s an environment in which user data can be stolen or compromised.”

The rest of his writeup quotes me quite a bit, and everyone knows I’m quite shy, so please go read his blog!

I will add that May data is live now on SpamRankings.net. Also, organizations that do better over time may want to brag, as has happened with a couple of U.S. organizations in May.

Here’s Krebs’ final paragraph:

I applaud this effort, and hope that it gains traction. I remain convinced that the Internet community would benefit from a more comprehensive and centralized approach to measuring badness on the Web. There are many existing efforts to measure reputation and to quantify badness online, but most of those projects seek to enumerate very specific threats (such as spam or hacked Web sites) and measure the problem from a limited vantage point. What is lacking is an organization that attempts to collate data collected by these disparate efforts and to publish that information in near real-time.

-jsq

Data, Reputation, and Certification Against Spam

I’m giving a talk today at the Internet2 workshop on Collaborative Data-Driven Security for High Performance Networks at WUSTL, St. Louis, MO. You can follow along with the PDF.

There may be some twittering on #DDCSW.

-jsq

FireEye’s Ozdok Botnet Takedown Observed

FireEye coordinated a takedown of the botnet Ozdok, also known as MegaD, on 5-6 Nov 2009, with cooperation from many ISPs and DNS registrars.

Good show! What effects did it have on spam? Not just spam from this botnet; spam in general.

Botnets and spam volume

This graph was presented at NANOG 48, Austin, TX, 24 Feb 2010, in FireEye’s Ozdok Botnet Takedown In Spam Blocklists and Volume Observed by IIAR Project, CREC, UT Austin. John S. Quarterman, Quarterman Creations, Prof. Andrew Whinston, PI CREC, UT Austin. That was a snapshot of an ongoing project, Incentives, Insurance and Audited Reputation: An Economic Approach to Controlling Spam (IIAR).

That presentation was enough to demonstrate the main point: takedowns are good, but we need a lot more of them and a lot more coordinated if we are to make a real dent in spam.

The IIAR project will keep drilling down in the data and building up models. One goal is to build a reputation system to show how effective takedowns and other anti-spam measures are, on which ASNs.

Thanks especially to CBL and to Team Cymru for very useful data, and to FireEye for a successful takedown.

We’re all ears for further takedowns to examine.

-jsq