Tag Archives: Lethic

DorukNet outspammed Turkey again in January 2013 SpamRankings.net

For two months in a row, DorukNet’s AS 8685 has spammed the most in the January 2013 SpamRankings.net for Turkey from CBL data. Before that, it was #6 in November 2012 and also #6 in April 2011.

2011 March-April, AS 8685 DORUKNET, Turkey, SpamRankings.net

In April 2011 the problem was apparently Lethic with a max of 87,852 on 1 April 2011. DorukNet seemed to have a bit of maazben, cutwail, etc. at that time, but very little compared to Lethic.

2012 November, AS 8685 DORUKNET, Turkey, SpamRankings.net

In November 2012 the problem was apparently Kelihos with a max of 299,873 on 7 November 2012.

This recent DorukNet peak that looks like Mt. Ararat was up to 13,569,282 on 18 January 2013, apparently from darkmailer2. DorukNet is actually improving since that peak, but meanwhile its monthly spam total grew from 54,803,032 in December 2012 to 324,544,788 in January 2013.


Canada and Kelihos in October 2012 SpamRankings.net

The Canadian top 10 were half the same as last month and half due to Kelihos in the SpamRankings.net from CBL data for October 2012. Canadian #1 iWeb (CBL; #10 PSBL) made it into the world CBL top 10 because of Kelihos. The rankings from PSBL data were much closer to the CBL ones for Canada than was the case for the U.S. or for the world.

October 2012 Canada SpamRankings.net from CBL data

October 2012 Canada SpamRankings.net from PSBL data

In this logarithmic chart you can see #3 AS 6327 SHAW, #7 AS 577 BACOM, #9 AS 855 CANET-ASN-4, and #10 AS 6407 PRIMUS-AS6407, the only Canadian ASNs that improved their CBL rank for October, going almost straight across the middle, decreasing towards the end of the month.

top 10 logarithmic Canada October 2012 CBL SpamRankings.net

Three of those relatively static four also were infested with Kelihos. (The fourth, AS 6407 Primus, had a Lethic problem.)

Static 4 Canada October 2012 CBL SpamRankings.net

While 25,000 spam messages a day, as seen by CBL for AS 6327 Shaw, is quite a sneeze, it’s not much…

Botnets behind the late-month upswings in Belgium in the September 2012 SpamRankings.net?

Congratulations to Belgacom, Mobistar, Uganda-Telecom and BASE Belgium for improving in the September 2012 SpamRankings.net for Belgium from CBL data! But what’s behind Brutele and Mobistar and Gateway getting worse at the end of the month? And what about Teledis, which is worse over the whole month, but better at the end?

For AS 12392 ASBRUTELE, the problem for the whole month is the Lethic botnet, with a little Festi:


Global Crossing spammed the most from the U.S. in September 2012 SpamRankings.net!

Bar chart: September 2012 U.S. SpamRankings.net from CBL Volume

Winner and new champion: Global Crossing’s AS 3549 GBLX! GBLX won the September 2012 SpamRankings.net with almost half of all the spam from the top 10 seen in the CBL data and more than a third seen from PSBL. What accounts for this surge of U.S. spammy ASNs?

Top 10 botnets for top 10 ASNs, U.S., Sep 2012, SpamRankings.net

Pie chart: September 2012 U.S. SpamRankings.net from CBL Volume

Yep, it’s Festi for #1 GBLX, #2 AS 17184 ATL-CBEYOND, #3 AS 7018 ATT-INTERNET4, #8 AS 7385 INTEGRATELECOM and #10 AS 1239 SPRINTLINK. Congratulations AT&T for making the list! Well, not really congratulations, since it means you let a lot of outbound spam out.

However, it’s Lethic for #4 AS 8047 GCI, #5 AS 22258 COMCAST-22258, and #6 AS 20115 CHARTER-NET-HKY-NC.

Line chart: September 2012 U.S. SpamRankings.net from CBL Volume

AS 3549 GBLX may have already peaked. AS 19529 RAZOR-PHL went up like a rocket at the end of the month! Will they swap ranks next month? And what’s driving RAZOR-PHL to the top? Hint: it’s the same as for #9 AS 25653 FORTRESSITX. Stay tuned!

-jsq

Festi pushes KOCNET to #1 in Turkey and #3 in the world

Festi botnet spam made KOCNET beat TTNET to #1 in Turkey for the first time ever in August 2012 SpamRankings.net, in rankings from both CBL and PSBL data. While TTNET managed to stop most spam from Festi botnet, Festi spam from KOCNET massively ramped up.

KOCNET July-August 2012

Graph by John S. Quarterman for SpamRankings.net.

Both ISPs hit a Festi low on 21 July, which raises the speculation that that low had nothing to do with infosec efforts by the ISPs, and more to do with something going on inside Festi. After that low, TTNET briefly started back up with Festi, but then dropped down. KOCNET just kept going up. Up so far that KOCNET made #3 in the world in rankings from CBL data and #4 in the world in rankings from PSBL data, pushing Turkey itself up to #4 (CBL) and #5 (PSBL).

TTNET had already pushed Turkey last month to #4 (CBL) and #6 (PSBL). It was Festi then, and it’s Festi now, but the lead Turkish ISP has changed: last month it was TTNET, this month it’s KOCNET. It’s a problem when a botnet parasite can just move on to a new host like that. Do TTNET and KOCNET even know this is happening?

-jsq

TTNET ejected Festi but still infested with Lethic and other botnets, 2012-07 to 2012-08

Congratulations to Turkey's TTNET's AS 9121 for getting Festi botnet spam down from more than a million messages a day to less than 100,000!


However, Festi is still in there, and TTNET has other problems, as well, including Lethic, Cutwail, Waledac, Maazben, and even Grum(!) botnets, plus Sendsafe.


Grum down, but… 1 June 2012 – 30 July 2012, SpamRankings.net

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown took down the command and control nodes, presumably leaving the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs
Graph by John S. Quarterman for SpamRankings.net.

The updated Top 10 Botnets graph has good news and bad news:


Grum and other botnets, 1 June 2012 – 19 July 2012, SpamRankings.net

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, in “Huge spam botnet Grum is taken out by security researchers”:

A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for SpamRankings.net from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking Grum down is a big deal. However, we don’t really see…

Cleveland Clinic wins one way, then another, in SpamRankings.net

Rank (previous)  ASN                               Country
1 (4)            AS 22093 CCF-NETWORK              United States (US)
2 (-)            AS 27609 USC-UNIVERSITY-HOSPITAL  United States (US)
3 (1)            AS 25611 NSLIJHS                  United States (US)
4 (-)            AS 19335 APRIA-HEALTHCARE         United States (US)
5 (2)            AS 9208 WIN                       Belgium (BE)
6 (7)            AS 122 U-PGH-NET-AS               United States (US)
Cleveland Clinic took #1 in the May 2012 worldwide medical SpamRankings.net. So Cleveland Clinic’s AS 22093 won the worldwide medical rankings by spamming the most of any medical organization worldwide, as found in CBL blocklist data. Boo Cleveland Clinic!

Yet AS 22093 CCF-NETWORK dropped like a rock on 7 May 2012, going to zero the next day, and staying there. So Cleveland Clinic also was most improved for May 2012 medical organizations. Congratulations, Cleveland Clinic!

This feat of IT security cleanliness shouldn’t have been hard for CCF, since AS 22093 CCF-NETWORK seems to have had a Lethic problem, which CBL saw on no more than 3 hosts. Sure, there could have been more hosts infected than that, and CBL just might not have seen them all. But 3 is far smaller than what CBL sees for a typical botnet infection, so the number of infected hosts probably was quite small. Which means it should have been easy for CCF to find them all and fix them.

Hm, maybe being #4 last month gave CCF some incentive?

-jsq

Is January’s medical spam caused by botnets?

Remember those three spamming medical organizations PSBL saw and the spike from CSHS that SpamRankings.net found in CBL data? Digging into the underlying data, and graphing them all on the same chart, we see this:

Even though the three three-digit-spamming medicos spam oddly coherently, we don’t find any botnets for them. This may be because most of that spam was seen by PSBL, and our botnet assignments come from CBL. CBL didn’t see any spam from those ASNs, so it didn’t have anything to assign for botnets. Maybe they’re infested by the same botnet; maybe not; can’t tell.

But it was CBL that saw that big spam spike for AS 22328 CSHS. And CBL did assign a botnet to that: Lethic. For all but two days of CSHS spam shown, CBL assigned Lethic to the total amount of spam from CSHS for that day. That may be because all that CSHS spam is coming from a single computer.

Of course, CBL’s botnet assignments are not perfect, but infosec professionals tell me CBL is about as good as it gets for that, so there’s a good chance this botnet assignment is correct.
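The reasoning above (botnet attribution exists only where CBL saw the spam, a single host can account for a whole ASN's daily volume, and a small distinct-host count suggests an easy cleanup, as with CCF) can be made concrete with a small aggregation over feed records. This is an added example, not SpamRankings.net code; the record layouts, host names, message counts and the private-range AS 64512 are constructed, only the ASNs 22328 (CSHS) and 22093 (CCF) come from the posts.

```python
from collections import defaultdict

# Constructed records shaped like a CBL-style daily feed:
# (day, asn, botnet, messages, host). "n/a" means spam seen without a botnet attribution.
CBL = [
    ("2012-01-30", "AS 22328", "lethic", 900, "host-a"),
    ("2012-01-31", "AS 22328", "lethic", 1200, "host-a"),
    ("2012-02-01", "AS 22328", "lethic", 700, "host-a"),
    ("2012-02-01", "AS 22328", "n/a", 50, "host-b"),
    ("2012-01-31", "AS 22093", "lethic", 300, "host-c"),
    ("2012-01-31", "AS 22093", "lethic", 250, "host-d"),
]
# Constructed records shaped like a PSBL-style feed: volume only, no botnet field.
PSBL = [
    ("2012-01-31", "AS 64512", 400),
    ("2012-02-01", "AS 64512", 380),
]


def daily_share(cbl, asn, botnet):
    """Per day, the fraction of the ASN's CBL volume attributed to one botnet.

    A share of 1.0 on most days (as the posts describe for CSHS and Lethic) is
    consistent with a single infected machine producing all of the ASN's spam."""
    total = defaultdict(int)
    part = defaultdict(int)
    for day, a, b, n, _host in cbl:
        if a == asn:
            total[day] += n
            if b == botnet:
                part[day] += n
    return {day: part[day] / total[day] for day in sorted(total)}


def asn_profile(asn, cbl, psbl):
    """Volume seen by each feed plus botnet shares and distinct host counts.

    Botnet attribution comes only from CBL, so an ASN seen only by PSBL gets
    botnets=None: there is nothing to assign, not evidence of being clean."""
    cbl_rows = [r for r in cbl if r[1] == asn]
    psbl_total = sum(n for _d, a, n in psbl if a == asn)
    cbl_total = sum(r[3] for r in cbl_rows)
    if not cbl_rows:
        return {"cbl": 0, "psbl": psbl_total, "botnets": None, "hosts": {}}
    per_botnet, hosts = defaultdict(int), defaultdict(set)
    for _d, _a, botnet, n, host in cbl_rows:
        per_botnet[botnet] += n
        hosts[botnet].add(host)
    return {"cbl": cbl_total, "psbl": psbl_total,
            "botnets": {b: n / cbl_total for b, n in per_botnet.items()},
            "hosts": {b: len(h) for b, h in hosts.items()}}
```

For a real feed the distinct-host count is the number to hand to the abuse desk first: two or three Lethic hosts is a short remediation list, while a share that stays at 1.0 day after day points at one machine.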

The good news is that all of the trio of three-digit spamming medicos decreased their spam and even went to zero during the period shown.

And CSHS spam peaked at the end of January and started back down in February.

Pretty soon there may be once again little or no spam from medical organizations to rank.

-jsq