Tag Archives: Kelihos

Kelihos and Maazben botnets in U.S. October 2012 SpamRankings.net

We’ve seen that the botnets Kelihos and Maazben account for most of the spam seen from the entirely-new worldwide top 10 in the October 2012 Kelihos rampage. What about a specific country? The October 2012 U.S. top 10 SpamRankings.net from CBL data are also entirely new since last month: are all those U.S. ASNs ranked like that because of the Kelihos rampage? Two clues indicate yes: the shapes of the U.S. curves are very similar to those of the worldwide rankings, and the U.S. top 3 are in the worldwide top 10. But what about the rest of the U.S. top 10? Let’s drill down to botnets in the U.S. October 2012 SpamRankings.net from CBL data:

Botnets in U.S. October 2012 SpamRankings.net from CBL data

We can see 9 out of the U.S. top 10 are there mostly because of Maazben or Kelihos, often alternating for the same ASN, in the same pattern as for the worldwide top 10. So yes, 9 are in the U.S. top 10 because of the Kelihos rampage.

The one exception is Continue reading

Why no Kelihos rampage in PSBL October 2012 SpamRankings.net?

Why do the PSBL Volume October 2012 SpamRankings.net rankings (from PSBL data) not look much like the October 2012 rankings from CBL data? Apparently because PSBL does not use the heuristic that CBL uses to catch the few IP addresses that are spewing hundreds of thousands or millions of spam messages a day. Is this lack of correspondence between the CBL and PSBL rankings a problem?

What would be the point of having multiple rankings if they always showed the same results?

CBL Volume October 2012 SpamRankings.net

But these are very different results: none of the CBL top 10 show up in the PSBL top 10! How can both the PSBL and CBL rankings be correct?

  1. First, “correct” for such rankings does not mean completely accurate and it does not mean completely precise: no blocklist will ever detect every spam message emitted by every IP address. Suppose even mighty NSA (No Such Agency) were to copy every bit that passed over every major ISP in the U.S. Even that would miss some bits emitted by for example an ISP in Vietnam that spammed an ISP in India. And what heuristics would mighty NSA use to detect all the spam from all those bits? Would those heuristics happen to include the same one CBL is using to detect the Kelihos rampage? Would they include some further heuristic of which CBL has not yet thought that would detect some other rampage? Quite possibly yes and yes. Any rankings of anything on the Internet are always approximate records of hints and whispers of a constantly-shifting reality that can never be completely pinned down.
  2. Second, “correct” for rankings means comparable among the ASNs ranked, so that they can be ranked. In that sense, yes, both the PSBL and CBL rankings are correct: they merely show different aspects of the spam symptom of defective infosec for the ranked ASNs.
  3. Third, any systematically ranked symptom of poor infosec is important. Does any organization want any of its hosts to be spewing hundreds of thousands of spam messages a day, as in those ASNs in the CBL top 10? Does any organization want any of its hosts to be spewing enough spam in aggregate to turn up in the PSBL top 10? Probably not.
Besides, actually the CBL data does corroborate the PSBL data, when viewed in another set of rankings.

Kelihos and Maazben botnets in October 2012 SpamRankings.net

Let's look at the botnets associated with the Kelihos rampage in the October 2012 SpamRankings.net. Two botnets turn up the most: Maazben and Kelihos. Why call it the Kelihos rampage, then?

World Top 10 and botnets

Because CBL's detection of each botnet depends on numerous continually-evolving heuristics, and in this case the same one is being triggered for both Maazben and Kelihos, and CBL thinks that particular heuristic is more characteristic of Kelihos.

The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems:


Kelihos rampage in October 2012 SpamRankings.net

What's the Kelihos rampage mentioned in the October 2012 World CBL SpamRankings.net? It's a few IP addresses sending hundreds of thousands and even millions of spam messages a day. It seems to be associated with the Kelihos botnet.

Those few addresses spewed so much spam they pushed entire countries to the top of the countries ranking:

October 2012 Countries CBL SpamRankings.net

The Kelihos rampage pushed many countries, including France, Germany, Hong Kong, Thailand, Canada, Hungary, Belarus, Paraguay, Singapore (!), and Mexico, to the top of the countries ranking.

Should we rank an ASN at the top of the world because of only a few addresses? We considered that at some length, but in the end it's no different from what's been going on with the medical rankings for a long time, except on larger scales (all ASNs, and many more messages from a few addresses).
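To make concrete why a volume ranking (CBL-style, which catches a few addresses spewing hundreds of thousands of messages a day) and an address-count ranking can put entirely different ASNs on top, and why a handful of addresses can carry an ASN to #1, here is an added illustration, not SpamRankings.net's own code. It ranks constructed per-IP daily counts by ASN both ways and flags ASNs whose top two addresses produce nearly all of a large total; the documentation-range ASNs and counts are made up.

```python
from collections import defaultdict

# Constructed sample rows: (asn, ip, spam messages seen per day).
# ASNs are from the documentation range; none of this is real data.
SAMPLE = [
    ("AS64496", "192.0.2.10", 400_000),   # one "rampaging" address
    ("AS64496", "192.0.2.11", 250_000),   # and a second one
    ("AS64496", "192.0.2.12", 50),
    ("AS64500", "198.51.100.1", 900),     # many low-volume infected hosts
    ("AS64500", "198.51.100.2", 800),
    ("AS64500", "198.51.100.3", 700),
    ("AS64500", "198.51.100.4", 600),
    ("AS64500", "198.51.100.5", 500),
    ("AS64501", "203.0.113.7", 2_000),
    ("AS64501", "203.0.113.8", 1_600),
]

def aggregate(rows):
    """Return {asn: {ip: count}} from (asn, ip, count) rows."""
    per_asn = defaultdict(dict)
    for asn, ip, count in rows:
        per_asn[asn][ip] = per_asn[asn].get(ip, 0) + count
    return per_asn

def rank_by_volume(per_asn):
    """Volume ranking: total messages per ASN, highest first."""
    return sorted(per_asn, key=lambda a: -sum(per_asn[a].values()))

def rank_by_addresses(per_asn):
    """Address-count ranking: distinct spamming IPs per ASN, most first."""
    return sorted(per_asn, key=lambda a: -len(per_asn[a]))

def rampage_share(per_asn, asn, top_n=2):
    """Fraction of an ASN's volume that comes from its top_n addresses."""
    counts = sorted(per_asn[asn].values(), reverse=True)
    total = sum(counts)
    return sum(counts[:top_n]) / total if total else 0.0

def rampaging_asns(per_asn, top_n=2, share=0.9, min_volume=100_000):
    """ASNs with a large total where top_n addresses supply >= share of it."""
    return [a for a in per_asn
            if sum(per_asn[a].values()) >= min_volume
            and rampage_share(per_asn, a, top_n) >= share]

if __name__ == "__main__":
    data = aggregate(SAMPLE)
    print("by volume:   ", rank_by_volume(data))      # AS64496 first
    print("by addresses:", rank_by_addresses(data))   # AS64500 first
    print("rampaging:   ", rampaging_asns(data))      # ['AS64496']
```

The two orderings disagree on every position, which is the point: AS64496 tops the volume list on the strength of two addresses, while AS64500 tops the address-count list with no single host that would trip a volume heuristic.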

These rankings don't mean the affected organizations aren't vigilant. They do seem to mean those organizations have an infestation they need to deal with.

-jsq