Let’s look at the top 10 ASNs infested by Ogee according to spam volume
for 1 Feb 2012 to 12 Mar 2012:
Chart: Left axis: total Ogee volume (spam messages); right axis: top 10 Ogee ASN volume (dotted curves)
It looks like Ogee is a new botnet, since all these top 10 ASNs came up from
zero volume before 18 February 2012.
The biggest initial peak in this graph is from
AS 21788 NOC, #1 in the
U.S. February top 10,
and the biggest late surge is from
AS 10439 CARINET, #8 in that same ranking.
Right below CARINET is AS 32613 IWEB-AS,
Canadian February #1.
The rest of the 8 Ogee-infested ASNs from the U.S. top 10 previously described
are also in there, except
AS 7796 ATMLINK and
AS 13768 PEER1.
a huge surge in spam from some U.S. ASNs, mostly from ones that hadn’t
even been in the top 10 before, with possible correlations in
one ASN each from Peru and Canada.
Did all this spam come from the same botnet?
Maybe not all, but most.
Eight out of the U.S. top 10 for February show very close correlation
with one botnet, Ogee.
They are listed in the table on the right and shown in the chart below:
Chart: Left axis: ASN volume (spam messages); right axis: botnet volume (dotted curves)
The chart also shows that some ASNs reacted quickly and stopped the spamming,
while others got worse.
It’s a busy chart, so let’s look at simpler charts for one example
each of resilient and susceptible ASNs.
AS 21788 NOC was one of the first and worst affected by this spam surge:
Did this spam spike come from any particular botnet?
Chart: AS 3549 GBLX PSBL spam volume (left axis), CBL botnet volume (right axis)
It looks like GBLX is infested with many botnets, but
the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak
on 16 Nov.
Given that the ASN volume spike is from PSBL data and the botnet
volume peak is from CBL data, a day off is plausible, due to different
collection and delivery times.
There’s also a peak for grum (green line near the bottom) on 17 Nov,
and peaks for festi and n/a on 18 Nov,
where n/a is CBL’s marker for spam they detected without having to
look as far as determining which botnet they think sent it.
So the spam spike could be from cutwail.
Or it could be because of a coincidence of several botnet peaks.
Or it could be some other botnet that happened to do a spam campaign
on that day.
Given that the PSBL GBLX peak builds up on 16 Nov, I’d guess it
came mostly from cutwail.
We could try to resolve this question by digging into the specific
addresses PSBL saw the GBLX spam come from
and checking whether they match addresses CBL assigned to botnets.
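Both halves of this page rest on the same two checks: lining up a per-ASN spam volume series (PSBL) against per-botnet volume series (CBL) while allowing for the one-day offset that different collection and delivery times can introduce, and then confirming an attribution by intersecting the source addresses the two lists saw. The script below is an added example, not code from SpamRankings.net, PSBL or CBL; the daily counts and the IP addresses (all from documentation ranges) are constructed to mimic the shapes the text describes, and the dictionary layouts are assumptions, not the real feeds' formats. It ranks the botnets by their best lagged Pearson correlation with the ASN series and then reports what share of the ASN's spam sources each botnet accounts for.

```python
"""Correlate a PSBL per-ASN spam spike with CBL per-botnet volumes, then
cross-check the attribution by source address.

Added example, not from SpamRankings.net, PSBL or CBL.  All counts and
addresses below are constructed; the data layouts are assumptions.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed daily PSBL spam-message counts for one ASN (GBLX stand-in):
# a build-up on 16 Nov and the spike on 17 Nov, as the text describes.
ASN_VOLUME = {
    date(2011, 11, 14): 1200,
    date(2011, 11, 15): 1300,
    date(2011, 11, 16): 3800,
    date(2011, 11, 17): 9100,
    date(2011, 11, 18): 2600,
    date(2011, 11, 19): 1400,
}

# Constructed daily CBL per-botnet counts.  "n/a" is CBL's marker for spam
# it detected without attributing it to a particular botnet.
BOTNET_VOLUME = {
    "cutwail": dict(zip(sorted(ASN_VOLUME), [650, 1900, 4550, 1300, 700, 600])),
    "grum":    dict(zip(sorted(ASN_VOLUME), [100, 120, 150, 600, 140, 110])),
    "festi":   dict(zip(sorted(ASN_VOLUME), [300, 310, 290, 320, 900, 330])),
    "n/a":     dict(zip(sorted(ASN_VOLUME), [2000, 2100, 2050, 2200, 4000, 2100])),
}


def pearson(xs, ys):
    """Pearson r of two equal-length numeric sequences (0.0 if either is flat)."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def lagged_correlation(asn, botnet, lag):
    """r between asn[d] and botnet[d - lag] over the days both series cover.

    lag=+1 means the botnet's curve leads the ASN's by one day, which is the
    offset the text considers plausible between CBL and PSBL data.
    """
    xs, ys = [], []
    for day, volume in sorted(asn.items()):
        other = botnet.get(day - timedelta(days=lag))
        if other is not None:
            xs.append(volume)
            ys.append(other)
    return pearson(xs, ys) if len(xs) >= 3 else 0.0


def best_lag(asn, botnet, max_lag=1):
    """(r, lag) for the lag in [-max_lag, max_lag] with the highest r."""
    return max((lagged_correlation(asn, botnet, lag), lag)
               for lag in range(-max_lag, max_lag + 1))


def rank_botnets(asn, botnets, max_lag=1):
    """Botnets sorted by best lagged r: list of (name, lag_days, r)."""
    ranked = []
    for name, series in botnets.items():
        r, lag = best_lag(asn, series, max_lag)
        ranked.append((name, lag, round(r, 4)))
    return sorted(ranked, key=lambda t: t[2], reverse=True)


# Constructed source addresses: what PSBL saw sending from the ASN on the
# spike day, and the addresses CBL had attributed to each botnet.
PSBL_SOURCES = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
                "198.51.100.5", "203.0.113.7"}
CBL_ATTRIBUTION = {
    "cutwail": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
                "198.51.100.200"},
    "grum": {"198.51.100.5"},
    "festi": {"203.0.113.40"},
}


def attribute_sources(psbl_addrs, cbl_by_botnet):
    """Share of the ASN's spam sources that each botnet accounts for,
    plus the share matching no CBL botnet at all."""
    shares = {name: len(psbl_addrs & addrs) / len(psbl_addrs)
              for name, addrs in cbl_by_botnet.items()}
    known = set().union(*cbl_by_botnet.values())
    shares["unmatched"] = len(psbl_addrs - known) / len(psbl_addrs)
    return shares


if __name__ == "__main__":
    for name, lag, r in rank_botnets(ASN_VOLUME, BOTNET_VOLUME):
        print(f"{name:8s} lag={lag:+d} day  r={r:.3f}")
    for name, share in attribute_sources(PSBL_SOURCES, CBL_ATTRIBUTION).items():
        print(f"{name:10s} {share:.0%} of PSBL sources")
```

The volume correlation alone only says which curve moves with the ASN's; a coincidence of several botnet peaks, as the text notes, can produce the same picture. The address intersection is the check that distinguishes the two, and the `unmatched` share is worth watching: a large unmatched fraction means the spike is coming from hosts neither list has attributed yet.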