Tag Archives: snowshoe

Kelihos and Maazben botnets in U.S. October 2012 SpamRankings.net

We’ve seen that botnets Kelihos and Maazben account for most of the spam seen from the entirely-new worldwide top 10 in the October 2012 Kelihos rampage. What about a specific country? The October 2012 U.S. SpamRankings.net from CBL data U.S. top 10 SpamRankings.net are also entirely new (since last month): are all those U.S. ASNs ranked like that because of the Kelihos rampage? Two clues indicate yes: the shapes of the U.S. curves are very similar to those of the worldwide rankings, and the U.S. top 3 are in the worldwide top 10. But what about the rest of the U.S. top 10? Let’s drill down to botnets in U.S. October 2012 SpamRankings.net from CBL data:

Botnets in U.S. October 2012 SpamRankings.net from CBL data

We can see 9 out of the U.S. top 10 are there mostly because of Maazben or Kelihos, often alternating for the same ASN, in the same pattern as for the worldwide top 10. So yes, 9 are in the U.S. top 10 because of the Kelihos rampage.

The one exception is Continue reading

Grum down, but… 1 June 2012 – 30 July 2012, SpamRankings.net

Here is the promised followup to our look at the Grum botnet takedown, in which we have good news and not so good news.

A week ago we didn’t see much effect. As we noted, that was possibly because the takedown took down the command and control nodes, presumably leaving the bots still spewing whatever spam campaign they had already queued up.

Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of grum botnet and its top 10 ASNs:

Grum botnet and its top 10 ASNs

Grum botnet and its top 10 ASNs
Graph by John S. Quarterman for SpamRankings.net.

The updated Top 10 Botnets graph has good news and bad news:

Continue reading

Grum and other botnets, 1 June 2012 – 19 July 2012, SpamRankings.net

Apparently the grum botnet has been taken down, or at least its command and control structure. We don’t see a lot of change yet, but we’ll keep watching.

BBC News wrote today, Huge spam botnet Grum is taken out by security researchers: A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network….

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

Well, let’s have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday):

Top 10 Botnets

Dropouts on 26,27 June 2012 were due to software glitches on our end.
Graph by John S. Quarterman for SpamRankings.net from CBL data.

Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don’t really see Continue reading

Almost… FortressITX zero spam for one day then up in SpamRankings.net

AS 25653 FortressITX went to zero for one day, 15 May, in the May 2012  U.S. SpamRankings.net, but bounded back up to more than 294,000 spam messages a day a week later, placing #6 for the month as a whole.

This was the second time FortressITX made the U.S. top 10. It had been #9 in March, but had dropped out of the April 2012 U.S. rankings. And yes, it’s snowshoe spam. That ASN does show a few other problems, also not botnets.


Canada, land of spam plateaus on SpamRankings.net

Snowshoe spam took #1 in Canada again, through AS 32613 IWEB-AS, on the May 2012 SpamRankings.net. That was the first week of a spam plateau per ASN. The next week saw a platau for AS 33139 CANACA-210. And the next week it was AS 6407 PRIMUS. Canada, land of spam plateaus! Does this mean spammers are shifting from ASN to ASN for successive weeks of spam campaigns?

The old-time winners, AS 6327 SHAW and AS 577 BACOM, kept spamming away, and came in #2 and #6 again. That’s in the rankings from CBL data. In rankings from PSBL data, IWEB, SHAW, and BACOM were #1, #2, and #3.

We actually saw less spam in May (CBL data) from Bell Canada’s BACOM than for any month since March 2011, the first month of rankings for SpamRankings.net. Congratulations Bell Canada!

The rest of the top six were upstarts, not much seen until recently. Iweb did make a bid for the top back in September 2011, but its recent predominance dates only from February of this year.


CDM snowshoes to the top of the world in May 2012 SpamRankings.net

In addition to snowshoe spam taking 7 of the top 10 U.S. SpamRankings.net for May 2012, one of the snowshoe spamming companies, CDM, outspammed every other organization in the world! CDM’s AS 6428 outspammed even chronic world winner Vietnam PT.

In this graph, you can see CDM leap up from zero in March to 15.7 million spam messages in April and 48.8 million in May, and of course that’s just the messages caught by a few spamtraps.

The same spamtraps never saw more than 56 hosts sending all those messages. That was on 11 May 2012, when they saw 1,989,762 spam messages, for a ratio of 35,531 spam messages per sending host. That’s not exactly the old botnet low-and-slow technique. Snowshoe spam: it’s already in prime time!

And remember, CDM is not a hosting center: it’s an ISP. CDM continues to illustrate that snowshoe spam is no longer confined to the traditional profile of infesting hosting centers.


Snowshoe took all top 7 in May U.S. CBL SpamRankings.net

Snowshoe appeared to have been the source for spam from all of the top seven spamming organizations in the May 2012 top 10 SpamRankings.net for the U.S. from CBL data. Only 3 were traditional ISPs (two cable companies, Comcast and Charter, plus Global Crossing). Snowshoe spam accounted for all but about 5% of spam from the U.S. top 10. And we already knew snowshoe is not just for hosting companies anymore.

At what point is snowshoe spam no longer a temporary black swan phenomenon, and becomes a prevailing trend?


An ISP snowshoes ahead in spamming

Continuing the question of Ogee snowshoe: black swan or new strategy? let’s look at Ogee snowshoe spam in the first week of May 2012.

The two dotted lines trending down together in the middle are AS 29131 and AS 28178, and they both fit the traditional profile for snowshoe spam hosting sites, because they advertise hosting or colocation as their main services. AS 29131 is registered to RapidSwitch, which advertises dedicated servers, cloud solutions, and colocation. AS 28178, registered as Network Operations Center (NOC), which keeps on rolling waves of snowshoe spam, appears to be operating under the name BurstNet, which offers managed servers and co-location as its first two services.

However, the dotted line rising to the top right that pulled the solid overall snowshoe volume line back up is not a hosting center: it’s an ISP. CDM’s AS 6428 appears to be operating as Primary Network, whose first services are T-1 Internet access and metro Internet. And Primary Network is not alone. We’ve pulled out a list of all the ASNs affected by Ogee snowshoe so far, and quite a few of them are ISPs, some of them very well known ISPs.

Snowshoe: it’s not just for hosting centers anymore.


Ogee snowshoe: black swan or new strategy? SpamRankings.net

A week ago you may recall most of March’s crop of Ogee spamming ASNs had subsided. Yet there were some contenders coming up from the bottom right corner of the graph.

Some correspondents say snowshoe spamming such as Ogee is a black swan, unanticipated and short-lived. I say it may be a change in strategy. Others say the actual spam coming out of Ogee is not the same campaigns as we’ve seen from botnets, so spammers are not moving over. To which I say: yet. And if snowshoe spam is big enough to change worldwide SpamRankings.net, and if it continues, that’s a strategy change. We’ll see how all that goes.

Meanwhile, what’s happened in the last week or two?

Top 10 ASNs showing Ogee spam 2012-03-01 to 2012-04-25, SpamRankings.net.

A few of those contenders were just flashes in the pan. But others are still spamming increasingly more.


Which ASNs showed most Ogee snowshoe spam in March and early April?

Snowshoe spamming begins to look like a rising tide.

Peaking at the end of March 2012, the Ogee snowshoe spam winner is AS 16226 GNAXNET-AS – Global Net Access LLC. GNAXNet actually placed another Autonomous System in the same time frame, AS 3595.

U.S. Brinkster’s AS 33055 BCC-65-182-96-0-PHX finally cleaned up its act and went to zero Ogee volume 11 April 2012. Canada’s AS 32613 IWeb also went to zero on 23 March 2012.

On the other hand, it looks like a new surge of snowshoe spam is starting mid-April, including some organizations maybe not usually considered hosting companies, such as Cogent’s AS 174.

Meanwhile, Belarus’ AS 6697 BELPAK-AS already went from #7 to #5 worldwide in March, pushing Belarus up from #16 to #12 among countries.

And NOC’s AS 21788 keeps on rolling waves of snowshoe spam.

All these volume numbers and rankings are provisional, especially considering we’re seeing so many ASes and netblocks that were previously not spamming that we’re tuning our database to be sure we’re properly accounting for them all.

Nonetheless, it looks like snowshoe may be a rising spamming strategy.