Tag Archives: PSBL

Relizon from nowhere to #3 for Canada in May SpamRankings.net

Relizon Canada Inc.’s AS 40034 RELIZON-CDN jumped from #134 to #3 in the May 2013 SpamRankings.net for Canada All from CBL data. On May Day CBL saw 1 spam message from AS 40034 and more than 3 million on May 31.

Relizon was not visible in the May Canada rankings from PSBL data, although internally we do see AS 40034 going from #208 to #109 by going from 11 spam messages in April to 26 in May. Relizon logo CBL’s heuristics or spam traps or both were apparently much better at detecting this particular spam source.

Relizon’s own website doesn’t seem to be responding at the moment, but Bloomberg Businessweek says they do business process outsourcing solutions, and were formerly known as Crain-Drummond Inc., with the name change coming on acquisition by the Carlyle Group.

-jsq

Anti-Spam Blocklists DDoSed Down

At least three anti-spam blocklists were taken down this week by Distributed Denial of Service (DDoS) attacks: Spamhaus, CBL, and APEWS. The first two are back up; the third is not.

The Composite Blocking List (CBL) currently has this at the top of its home page:

Important Information on Spamhaus/CBL DDOS

Commencing March 19 the CBL was hit by a very large-scale distributed denial of service attack. At the time of writing (March 21, 00:15 UTC) this attack is still ongoing.

Throughout this period the CBL DNSBL has continued to remain available through the CBL mirrors and via Spamhaus XBL (and Zen), and we’ve been doing our utmost to restore the rest.

Access to the lookup/removal page has just been restored.

The CBL rsync facility has been restored.

Email to the CBL is not working yet.

We ask for your patience while we finish restoring the rest of the CBL to service.

SpamRankings.net is receiving CBL data normally again, although yesterday’s is lost.

We never saw any interruption in data from the Passive Spam Block List (PSBL).

Spamhaus says it got a 75Gbps DDoS attack, according to Liam Tung with CSO Online (Australia) today:

Continue reading

Why no kelihos rampage in PSBL October 2012 SpamRankings.net?

Why do the PSBL Volume October 2012 SpamRankings.net rankings from PSBL data not look much like the October 2012 rankings from CBL data in SpamRankings.net? Apparently because PSBL does not use the heuristic that CBL uses that catches the few IP addresses that are spewing hundreds of thousands or millions of spam messages a day. Is this lack of correspondence between the CBL and PSBL rankings a problem?

What would be the point of having multiple rankings if they always showed the same results? CBL Volume October 2012 SpamRankings.net But these are very different results: none of the CBL top 10 show up in the PSBL top 10! How can both the PSBL and CBL rankings be correct?

  1. First, “correct” for such rankings does not mean completely accurate and it does not mean completely precise: no blocklist will ever detect every spam message emitted by every IP address. Suppose even mighty NSA (No Such Agency) were to copy every bit that passed over every major ISP in the U.S. Even that would miss some bits emitted by for example an ISP in Vietnam that spammed an ISP in India. And what heuristics would mighty NSA use to detect all the spam from all those bits? Would those heuristics happen to include the same one CBL is using to detect the Kelihos rampage? Would they include some further heuristic of which CBL has not yet thought that would detect some other rampage? Quite possibly yes and yes. Any rankings of anything on the Internet are always approximate records of hints and whispers of a constantly-shifting reality that can never be completely pinned down.
  2. Second, correct for rankings means comparable among the ASNs ranked, so that they can be ranked. In that sense, yes, both the PSBL and CBL rankings are correct: they merely show different aspects of the spam symptom of defective infosec for the ranked ASNs.
  3. Third, any systematically ranked symptom of poor infosec is important. Does any organization want any of its hosts to be spewing hundreds of thousands of spam messages a day, as in those ASNs in the CBL top 10? Does any organization want any of its hosts to be spewing enough spam in aggregate to turn up in the PSBL top 10? Probably not.
Besides, actually the CBL data does corroborate the PSBL data, when viewed in another set of rankings. Continue reading

Data storage issues in SpamRankings.net

Data storage issues led to loss of some incoming data for the September 2012 SpamRankings.net. Interestingly, the results seem almost normal anyway. Here is a speculation on why that can be.

Look just under any rankings chart for September 2012 and you’ll see this notice:

CBL dropouts 8,11 September 2012 were on our end.
PSBL data is unusable 4-15 Sep 2012 due to problems on our end.
September 2012 World All SpamRankings.net from CBL Volume
1 (2) AS 9829 BSNL-NIB India IN
2 (1) AS 25019 SAUDINETSTC-AS Saudi Arabia SA
3 (5) AS 6147 SAA Peru PE
4 (3) AS 8386 KOCNET Turkey TR
5 (4) AS 7643 VNPT-AS-VN Vietnam VN
6 (-) AS 9050 ROMTELECOM Romania RO

The source of the problem was embarassingly simple and easily fixed: not enough inodes. The CBL and PSBL data were affected differently because they arrive differently. We pick up from CBL daily a text summary table with a line per IP address. We get from PSBL an NNTP feed of spam messages, each in its own file, that we boil down to a summary. So for CBL, we either got the whole file (most days of the month), or we didn’t store it at all (8 and 11 September). For PSBL, for each incoming message, we either stored it or we didn’t. Which is why there are some days with PSBL data between 4 and 15 Sep, but the volume is lower than usual. The notice below the chart is dire because we prefer to be conservative about these things.

Yet the PSBL rankings show AS 9829 BSNL-NIB #1 worldwide just like Continue reading

Spam from Microsoft’s AS 8075 April 2011-June 2012

As we’ve seen, Microsoft’s AS 8075 is back on top in the June 2012 SpamRankings.net from PSBL data. Actually, AS 8075 is a chronic offender, having been #1 numerous times, often placing in the top 10, and (we can see in internal data) never going below #38:

2011
Apr		MayJunJulAugSepOctNovDec2012
Jan		FebMarAprMayJun
1123410373738821121

Also, CBL does often see spam from AS 8075 at the same time PSBL does, even though CBL has never seen enough spam from that ASN for it to place in the U.S. top 10 from CBL data.

Volume data from PSBL and CBL graphed by SpamRankings.net

Volume data from PSBL and CBL aggregated and interpreted by SpamRankings.net
Graph by John S. Quarterman for SpamRankings.net.

That’s a pretty dense graph, and internally it’s interactive for easy interpretation, but the dark purple line is PSBL volume and the lines with dots are various botnets and the like detected for AS 8075 by CBL. We can drill down to which IP addresses are producing the spam indicated by such rankings and graphs.

The main point is even mighty Microsoft often emits spam. Any big corporation is likely to have similar problems, because, like in the case of medical organizations, they’re likely to have some employees who will fall for phishing or other exploits. Even the most Internet-security-savvy organization can’t catch them all. SpamRankings.net can help with that, both by providing incentive (do you want your organization to be at the top of the rankings?) and by providing drilldowns to help localize the problem (so you can fix it and brag about dropping off the rankings).

-jsq

Canada, land of spam plateaus on SpamRankings.net

Snowshoe spam took #1 in Canada again, through AS 32613 IWEB-AS, on the May 2012 SpamRankings.net. That was the first week of a spam plateau per ASN. The next week saw a platau for AS 33139 CANACA-210. And the next week it was AS 6407 PRIMUS. Canada, land of spam plateaus! Does this mean spammers are shifting from ASN to ASN for successive weeks of spam campaigns?

The old-time winners, AS 6327 SHAW and AS 577 BACOM, kept spamming away, and came in #2 and #6 again. That’s in the rankings from CBL data. In rankings from PSBL data, IWEB, SHAW, and BACOM were #1, #2, and #3.

We actually saw less spam in May (CBL data) from Bell Canada’s BACOM than for any month since March 2011, the first month of rankings for SpamRankings.net. Congratulations Bell Canada!

The rest of the top six were upstarts, not much seen until recently. Iweb did make a bid for the top back in September 2011, but its recent predominance dates only from February of this year.

-jsq

Global Crossing spam spike, November 2011

In the November SpamRankings.net from PSBL data, Global Crossing’s AS 3549 GBLX spiked on 17 November and a few days before, pushing it into fifth place.

Did this spam spike come from any particular botnet?


AS 3549 GBLX PSBL spam volume left axis, CBL botnet volume right axis
It looks like GBLX is infested with many botnets, but the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak on 16 Nov. Given that the ASN volume spike is from PSBL data and the botnet volume peak is from CBL data, a day off is plausible, due to different collection and delivery times.

There’s also a peak for grum (green line near the bottom) on 17 Nov, and peaks for festi and n/a on 18 Nov, where n/a is CBL’s marker for spam they detected without having to look as far as determining which botnet they think sent it.

So the spam spike could be from cutwail. Or it could be because of a coincidence of several botnet peaks. Or it could be some other botnet that happened to do a spam campaign on that day. Given that the PSBL GBLX peak builds up on 16 Nov, I’d guess it came mostly from cutwail.

We could try to resolve this question by digging into the specific addresses the GBLX spam PSBL saw came from and see if they match addresses CBL assigned to botnets.

-jsq

Cleveland Clinic spewing spam again

Here’s why to look at more than one spam data source: according to the PSBL volume data for November 2011, Cleveland Clinic’s AS 22093 CCF-NETWORK spewed more than a hundred spam messages a day on multiple days, while CBL volume data showed Cleveland Clinic with only 42 spam messages for the entire month. Apparently PSBL’s spamtraps happened to be in the path of this CCF spam.

Now a couple of hundred spam messages a day isn’t much by world organization standards, but compared to what we’d all like to see from medical organizations (zero), it’s a lot.

Also compared to the other medical institutions in the same rankings from the same data, the pie chart looks like Pac Man and the bar graph looks like a hockey stick.

Maybe Cleveland Clinic didn’t get the memo after all.

-jsq

The Big Drop: medical to zero in SpamRankings.net

A surprise in the July SpamRankings.net rankings: US medical rankings all went to zero by 14 July. World medical rankings went from hundreds and thousands to near zero between 17 and 24 July.

That’s in rankings from CBL data. PSBL shows much less data for medical organizations, yet nonetheless the same effect in both world and U.S. medical rankings.

No other rankings showed such a drop.

Did medical organizations actually clean up their act? Or did they just manage to whitelist their netblocks at CBL and PSBL?

Either way, it looks like they noticed SpamRankings.net.

-jsq

3FN + FTC = Some Less Spam From Some ASNs

A research project I’m assisting at the University of Texas at Austin notes that:
On Tuesday 2 June 2009, the U.S. Federal Trade Commission (FTC) took legal steps that shut down the web hosting provider Triple Fiber network (3FN.net).
2009-06-01--cbl-2.png

Looking at Autonomous Systems (ASNs) listed in the spam blocklist CBL, Continue reading