Tag Archives: OVH

Why more spam seen for OVH with v2 rankings than v1?

OVH Systems’ AS 16276 is #1 in the April 2013 SpamRankings.net worldwide from CBL data with 631,539,742 spam message seen according to the new Version 2 of SpamRankings.net, while the same ASN is #3 in the old version 1 rankings with 363,884,989 spam messages seen. Why the difference?

The difference is because Version 2 finds more netblocks assigned to AS 16276. Specifically:

72netblocks currently assigned
27netblocks previously assigned
14netblocks are persistant
58netblocks have been added
13netblocks have been removed

Many more netblocks were found for AS 16276 only by Version 2 than were found only by Version. So the difference in the amount of spam presumably comes from those added netblocks. Yes, we can drill down and see, and we may do that later.

-jsq

Version 2 of SpamRankings.net

The April 2013 rankings include version 2 of the volume compilation method, with precise counts, resulting in slightly different ranking orders.

Top 3, April 2013 World SpamRankings.net from CBL data

For example, OVH, Hanaro, and Strato are the top three in both v1 and v2, but in a different order, in the April 2013 SpamRankings.net worldwide from CBL data.

Initially, we are only pubishing v2 for March and April 2013. In a few weeks we will publish the rest of the historical v2 rankings back to match the same months as the v1 rankings. Old v1 rankings will be kept online indefinitely for comparison, but all new rankings will be v2.

-jsq

January 2013 SpamRankings.net

Most worsened: AS 10297 COLUMBUSNAP US, from #91 to #6 worldwide in January 2013. Most improved: AS 48347 MTW-AS RU, from #8 to less than 250. Surprise entrant: AS 8685 DORUKNET TR. Still #1 for fourth month: AS 16276 OVH FR.

-jsq

OVH: Kelihos or darkmailer? November 2012 SpamRankings.net

OVH won again, more than doubling its spam spew of last month! This is in the November 2012 November 2012 Belgium SpamRankings.net from CBL data SpamRankings.net from CBL data. Is that 407,726,779 spam messages in a single month a record? Last month it was Kelihos. This month it looks like darkmailer.

-jsq

Kelihos and Maazben botnets in October 2012 SpamRankings.net

Let's look at the botnets associated with the Kelihos rampage in the October 2012 SpamRankings.net. Two botnets turn up the most Maazben and Kelihos. Why call it the Kelihos rampage, then?

World Top 10 and botnets

Because CBL's detection of each botnet depends on numerous continually-evolving heuristics, and in this case the same one is being triggered for both Maazen and Kelihos, and CBL thinks that particular heuristic is more characteristic of Kelihos.

The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems:

Continue reading