Tag Archives: Ogee

An ISP snowshoes ahead in spamming

Continuing the question of Ogee snowshoe: black swan or new strategy? let’s look at Ogee snowshoe spam in the first week of May 2012.

The two dotted lines trending down together in the middle are AS 29131 and AS 28178, and they both fit the traditional profile for snowshoe spam hosting sites, because they advertise hosting or colocation as their main services. AS 29131 is registered to RapidSwitch, which advertises dedicated servers, cloud solutions, and colocation. AS 28178, registered as Network Operations Center (NOC), which keeps on rolling waves of snowshoe spam, appears to be operating under the name BurstNet, which offers managed servers and co-location as its first two services.

However, the dotted line rising to the top right that pulled the solid overall snowshoe volume line back up is not a hosting center: it’s an ISP. CDM’s AS 6428 appears to be operating as Primary Network, whose first services are T-1 Internet access and metro Internet. And Primary Network is not alone. We’ve pulled out a list of all the ASNs affected by Ogee snowshoe so far, and quite a few of them are ISPs, some of them very well known ISPs.

Snowshoe: it’s not just for hosting centers anymore.

-jsq

Ogee snowshoe: black swan or new strategy? SpamRankings.net

A week ago you may recall most of March’s crop of Ogee spamming ASNs had subsided. Yet there were some contenders coming up from the bottom right corner of the graph.

Some correspondents say snowshoe spamming such as Ogee is a black swan, unanticipated and short-lived. I say it may be a change in strategy. Others say the actual spam coming out of Ogee is not the same campaigns as we’ve seen from botnets, so spammers are not moving over. To which I say: yet. And if snowshoe spam is big enough to change worldwide SpamRankings.net, and if it continues, that’s a strategy change. We’ll see how all that goes.

Meanwhile, what’s happened in the last week or two?

Top 10 ASNs showing Ogee spam 2012-03-01 to 2012-04-25, SpamRankings.net.

A few of those contenders were just flashes in the pan. But others are still spamming increasingly more.

-jsq

Which ASNs showed most Ogee snowshoe spam in March and early April?

Snowshoe spamming begins to look like a rising tide.

Peaking at the end of March 2012, the Ogee snowshoe spam winner is AS 16226 GNAXNET-AS – Global Net Access LLC. GNAXNet actually placed another Autonomous System in the same time frame, AS 3595.

U.S. Brinkster’s AS 33055 BCC-65-182-96-0-PHX finally cleaned up its act and went to zero Ogee volume 11 April 2012. Canada’s AS 32613 IWeb also went to zero on 23 March 2012.

On the other hand, it looks like a new surge of snowshoe spam is starting mid-April, including some organizations maybe not usually considered hosting companies, such as Cogent’s AS 174.

Meanwhile, Belarus’ AS 6697 BELPAK-AS already went from #7 to #5 worldwide in March, pushing Belarus up from #16 to #12 among countries.

And NOC’s AS 21788 keeps on rolling waves of snowshoe spam.

All these volume numbers and rankings are provisional, especially considering we’re seeing so many ASes and netblocks that were previously not spamming that we’re tuning our database to be sure we’re properly accounting for them all.

Nonetheless, it looks like snowshoe may be a rising spamming strategy.

-jsq

Ogee pushed iWeb and Canada up SpamRankings.net in March 2012

AS 32613 IWEB-AS was far ahead of the Canadian spamming pack in the March 2012 SpamRankings.net. iWeb improved a lot towards the end of the month, but will it stay improved? AS 14366 MTNCABLE plateaued early, dropped, then took first at the end of the month. Could they have the same problem?

Why yes, both iWeb and MTNCABLE appear to be infested by Ogee snowshoe spamming.

This problem is bad enough that Canada rose from country #46 in January to #34 in February and #25 in March. You can’t see that on the countries top 10, like you can for the U.S., which snowshoe spamming pushed to #1 worldwide in March, but internally SpamRankings.net keeps track of rankings of all countries worldwide, and indeed Canada went form #46 in January to #25 in March.

-jsq

What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:


Left Axis: Total Ogee volume (spam messages);
Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested from the U.S. top 10 previously described also are in there, except AS 7796 ATMLINK and AS 13768 PEER1.

New here are these three: Continue reading

Did the February 2012 spam surge come from one botnet?

SpamRankings.net saw
AS 21788NOC
AS 27229WEBHOST-ASN1
AS 46475LIMESTONENETWORKS
AS 33055BCC-65-182-96-0-PHX
AS 15149EZZI-101-BGP
AS 13768PEER1
AS 10439CARINET
AS 7796ATMLINK
a huge surge in spam from some U.S. ASNs, mostly from ones that hadn’t even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?

Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table on the right and shown in the chart below:


Left Axis: ASN volume (spam messages); Right Axis: Botnet volume (dotted curves)

The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.

AS 21788 NOC was one of the first and worst affected by this spam surge: Continue reading