New on the site
- 16 May 2013:
April 2013 Rankings
-
OVH, Hanaro, and Strato at the top of world spamming. Rankings v2: more precise counts; slightly different order. Initially, we are only publishing v2 for March and April 2013. In a few weeks we will publish the rest of the historical v2 rankings back to match the same months as the v1 rankings. Old v1 rankings will be kept online indefinitely for comparison, but all new rankings will be v2.
- 4 April 2013:
March 2013 Rankings
-
AS 49879 HOSTHANE ISIK spammed enough in three days starting 26 March 2013 to make #4 spot for Turkey from CBL data. TTnet AS 9121 spammed about 30% less, yet went from #2 to #1. Our new #2, hosting company Adeox's AS 42055 TAMER, went from zero to more than 15 million messages.
- 5 March 2013:
February 2013 Rankings
-
New ASNs churning worldwide; WIN keeps popping up in medical, plus new Catholic Health Initiatives.
- 5 February 2013:
January 2013 Rankings
-
Most worsened: AS 10297 COLUMBUSNAP, from #91 to #6 worldwide in January 2013. Most improved: AS 48347 MTW-AS, from #8 to less than 250. Surprise entrant: AS 8685 DORUKNET. Still #1 for fourth month: AS 16276 OVH.
- 7 January 2013:
December 2012 Rankings
-
Most worsened was AS 35908 VPLSNET, which didn't even make the top 250 last month but made #5 worldwide in December 2012. And it's a nostalgic return by old-time winner AS 7643 VNPT-AS-VN, already up to #4.
- 26 December 2012:
Webserver outage 23-25 December 2012
-
The webserver outage for 23-25 December 2012 due to disk failure is fixed now, with a more robust solution. None of the internal processing computers were affected, and no data was lost.
- 10 December 2012:
November 2012 Rankings
-
One ASN new in the top 10 wasn't even in the top 250 before, AS 26592 Dominio BR Consultoria em Informatica Ltda.
- 9 November 2012:
October 2012 Rankings
-
The Kelihos rampage pushed many countries to the top of the world rankings.
- 10 October 2012:
September 2012 Rankings
-
Four medical countries this month: Belgium was first at the beginning of the month, because WIN is back. Korea shot up at the end of the month, because of Konkuk University Hospital's AS 38668 KONKUKHOSPITAL-AS-KR. Canada came up from zero for a couple of weeks in the middle, due to eHealth Ontario's AS 21992 SSHA-ONE-ASN. Korea got really worse at the end of the month, but Canada also got worse. Same four in PSBL rankings, and U.S. led both by a mile, as LSU Health Sciences Center - Shreveport leapt to #1 with a two-week spam binge by its AS 18818 LSUHSCS-NET2, sending almost half of top 10 spam from medical organizations worldwide. Cleveland Clinic dropped to #2 in the CBL rankings, and JSIWMC also improved one rank.
- 5 September 2012:
August 2012 Rankings
-
SAUDINet briefly sent less spam from Festi botnet but ended up #1 again, while India's National Internet Backbone steadily got worse. TTNET and KOCNET swapped places for the first time ever in Turkey and kept that country in the world top 3. Microsoft seventh time #1 in U.S. PSBL rankings! And Grum botnet is staging a comeback.
- 6 August 2012:
July 2012 Rankings
-
Festi botnet pushed numerous ASNs to the top of their national rankings and the world, pushing India, Saudi Arabia, and Turkey to the top of the world. Also Microsoft #1 again in U.S. PSBL rankings.
- 10 July 2012:
Rankings for June 2012
-
| 1 | (2) | AS 8075 MICROSOFT-CORP---MSN-AS-BLOCK |
| 2 | (1) | AS 36692 OPENDNS |
| 3 | (-) | AS 26769 BANDCON |
| 4 | (-) | AS 22414 CRAIGS-NET-1 |
| 5 | (-) | AS 22822 LLNW |
| 6 | (-) | AS 10912 INTERNAP-BLK |
Beating even OPENDNS, Microsoft took #1 in U.S. PSBL June 2012 rankings.
- 7 June 2012:
Rankings for May 2012
-
Seven snowshoers in the U.S. top 10 and only three ISPs. Plus Cleveland Clinic took #1 in worldwide medical rankings.
- 3 May 2012:
Rankings for April 2012
-
Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. in rankings from PSBL data, pushing the U.S. to #1 worldwide.
- 5 April 2012:
Rankings for March 2012
-
Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012.
- 6 March 2012:
Rankings for February 2012
-
Back again, AS 21788 NOC took the top in U.S. rankings, joined by seven newcomers. Something is amiss in the U.S.!
- 8 February 2012:
Rankings for January 2012
-
PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.
- 11 January 2012:
PSBL October 2011 data
-
Several known problems with PSBL October 2011 data collection, delivery, and processing caused PSBL volume for that month to be very low and spotty. We managed to process more data since then, and have marked every October ranking as:
No PSBL data 1-5 October or 25-31 24-26 and 30-31 October. Corresponding changes for October and November rankings from PSBL data are marked with strike-through for deletions and underline for additions. Cleveland Clinic now turns up in October for world medical and U.S. medical, also now noted in the November world medical and U.S. medical rankings.
- 5 January 2012:
Rankings for December 2011
-
India spammed most worldwide, while Bank of America topped one U.S. ranking, and CyberSURF peaked in Canada, but Cleveland Clinic cleaned up its act.
- 5 December 2011:
Rankings for November 2011
-
Korea led the world in spam, Comcast got pushed to third in the U.S., yet spammed the most, and Cleveland Clinic and Sutter Health fell off the wagon.
- 21 November 2011:
Country rankings
-
BRICs spam the world! China is only #13, but Brazil, Russia, and India (the other three BRICs) are in the top five countries by total spam messages for October 2011.
- 4 November 2011:
Big Churn in the U.S.
-
Big churn in the U.S. this month included last month's winner vanishing, Comcast retaking the top spot but with only 2 out of the top 10, and colo FDCservers.net AS 30058 joining in at number ten.
- 4 November 2011:
Rankings for October 2011
-
Worldwide rankings were pretty stable, while there was big churn in the U.S. this month.
- 6 October 2011:
Canada Stirred Up
-
Surprise winner Canaca-com's AS 33139 took first place in the September 2011 Canada CBL Volume rankings, while long-time winner Bell Canada's AS 577 dropped to fifth place.
- 6 August 2011:
Medical Still Clean, But One
-
After the Big Drop of 14 July, all medical rankings stayed near zero, except for one; see World rankings.
- 4 August 2011:
The Big Drop
-
14 July was the Big Drop for medical rankings. US medical rankings all went to zero, and between 17 and 24 July, World medical rankings went from hundreds and thousands to near zero. There was no such effect in any other rankings than medical.
- 4 August 2011:
July 2011 rankings
-
Comcast took five out of the top ten US rankings.
- 1 August 2011:
Little tables
-
Small tables at the top of each ranking for a quick overview, with just six lines of just AS numbers and names (no organization names or URLs).
| 1 | (-) | AS 23235 BOSMED-88-ENEWTON | US |
| 2 | (1) | AS 9208 WIN | BE |
| 3 | (2) | AS 22328 CSHS | US |
| 4 | (5) | AS 22083 MEMORIAL-HEALTH-CARE | US |
| 5 | (-) | AS 21992 SSHA-ONE-ASN | CA |
| 6 | (3) | AS 26199 NKCHA | US |
The More link next to each little table leads to the big table.
- 1 August 2011:
Labels inside bars
-
More legible bar graphs by putting the labels inside the bars.
- 26 July 2011:
BE & TR
-
Astonishing rankings similarities from CBL and PSBL data, even though CBL sends us 400 times as much volume. Not just Skynet's overwhelming and growing spam dominance in Belgium, but the next four or five ranks are the same. For and Turkey, the orders drop off so rapidly after TTNet that rankings from PSBL data don't match CBL in the lower orders, yet many of the same organizations appear in rankings from both blocklists.
- 6 July 2011:
PSBL volume and June
-
Added PSBL blocklist volume rankings to the CBL blocklist volume rankings, and updated both for June data. The PSBL rankings are similar to yet different from the CBL volume rankings. That makes eight rankings per month, with more coming.
- 29 June 2011:
Canadian rankings
-
Added May, April, and March rankings for Canada. Shaw was ahead in March, but Bell Canada has led since then, beating challengers such as iWeb.
- 21 June 2011:
FAQ
-
Added Frequently Asked Questions (FAQ).
- 16 June 2011:
Logarithmic scale
-
Look below any big line chart and you'll find a link to click to change to logarithmic charts, and back to linear. Log charts make it easier to see ASNs when they have low volumes.
- 9 June 2011:
Added In the News
-
Getting some nice news coverage!
- 7 June 2011:
Rankings for May
-
WIN in Belgium pulled ahead for May in the global medical rankings, but Cedars-Sinai Health Systems in the U.S. shot up like a rocket at the end of the month, running away with first place for the final week. Cedars-Sinai looks set to recover the all-month leads it held in April and March. In the all-U.S. rankings, 30217 DESYNC dropped to zero from 20 May on: most impressive! Even more impressive, 20228 PACNET-MX dropped from first place to zero from 12 May onwards.
- May 2011:
First rankings released
-
As SpamRankings.net goes public, the first rankings are for the world and for the U.S.: all Autonomous Systems and medical ones. Worldwide medical rankings for April 2011 show the top spamming Autonomous Systems (groups of IP addresses) as belonging to Cedars-Sinai Health Systems in the U.S., WIN in Belgium, and Konkuk University Hospital in Korea. SpamRankings.net is all ears for feedback from ranked organizations.
In the News
-
16 May 2013 15:29:35 EDT,
John S. Quarterman,
Perilocity,
Version 2 of SpamRankings.net
“The April 2013 rankings include version 2 of the volume compilation method, with precise counts, resulting in slightly different ranking orders. For example, OVH, Hanaro, and Strato are the top three in both v1 and v2, but in a different order, in the April 2013 worldwide from CBL data.”
-
08 April 2013 18:13:41 EDT,
John S. Quarterman,
Perilocity,
Adeox or Tamer
“Google warns everyone away:”
-
4 April 2013 18:56:18 EDT,
John S. Quarterman,
Perilocity,
Odd goings-on in Turkey: March 2013 SpamRankings.net
“ AS 49879 HOSTHANE ISIK spammed enough in three days starting 26 March 2013 to make #4 in the March for Turkey from CBL data. TTnet's AS 9121 spammed about 30% less, yet went from #2 to #1. The new #2, hosting company Adeox's AS 42055 TAMER, went from zero to more than 15 million messages.”
-
21 March 2013 15:20:07 EDT,
John S. Quarterman,
Perilocity,
Anti-Spam Blocklists DDoSed Down
“Spamhaus says it got a 75Gbps DDoS attack, according to Liam Tung with CSO Online (Australia) today:”
-
14 March 2013 14:30:24 EDT,
John S. Quarterman,
Perilocity,
Current security models broken; need resilience; how about reputation?
“Resilience — building systems able to survive unexpected and devastating attacks — is the best answer we have right now. We need to recognize that large-scale attacks will happen, that society can survive more than we give it credit for, and that we can design systems to survive these sorts of attacks....”
-
01 March 2013 15:00:09 EST,
John S. Quarterman,
Perilocity,
An Eerie Silence on Cybersecurity
“ Apparently it takes an alleged Chinese threat to get the New York Times to notice Internet security problems. The Times has escalated from a recent article to an editorial.”
-
25 February 2013 11:06:38 EST,
John S. Quarterman,
Perilocity,
Companies fear reputation for bad security
““I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee's vice president for threat research, wrote in his findings. “In fact,” said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know.” ”
-
22 February 2013 06:28:10 EST,
John S. Quarterman,
Perilocity,
Primus dropped out of January 2013 Canada SpamRankings.net
“The big winner was AS 7788 MAGMA-COMM, which dropped from #3 to #147 by decreasing from millions to less than a thousand spam messages in the January 2013 for Canada. Magma had a brief spate of Kelihos spam in the middle of the month, but it only lasted less than a week. Almost as good was AS 6407 PRIMUS-AS6407, dropping from millions the previous month to a few hundred thousand, and from #6 to #11. That one, while beating its Kelihos problem, seems to have developed a Cutwail problem, which was sending increasingly more spam at the end of the month. Since Magma was bought by Primus in 2004, Primus gets double congratulations!”
-
19 February 2013 16:07:45 EST,
John S. Quarterman,
Perilocity,
Belgium: Easyhost still bad, Nucleus climbing, Stone dropped out in January 2013 SpamRankings.net
“ Easyhost's AS 49512 tripled its spam, sending 97% of the total top 10 spam in the January 2013 for Belgium. Easyhost did start dropping in the last week. Nucleus BVBA's AS 39318 came up from nowhere to #2 with more than a million spam messages, mostly in the last week. And Stone Internet Services' AS 39234 dropped like a rock, from 9,149 spam messages last month for #8, to only 2,944 this month and #20.”
-
11 February 2013 12:00:44 EST,
John S. Quarterman,
Perilocity,
DorukNet outspammed Turkey again in January 2013 SpamRankings.net
“ This recent DorukNet peak that looks like Mt. Ararat was up to 13,569,282 on 18 January 2013, apparently from darkmailer2. DorukNet is actually improving since that peak, but meanwhile it managed to increase its December spam total of 54,803,032 to 324,544,788 in January 2013.”
-
5 February 2013,
John S. Quarterman,
Perilocity,
January 2013 SpamRankings.net
“Most worsened: AS 10297 COLUMBUSNAP, from #91 to #6 worldwide in January 2013. Most improved: AS 48347 MTW-AS, from #8 to less than 250. Surprise entrant: AS 8685 DORUKNET. Still #1 for fourth month: AS 16276 OVH.”
-
30 January 2013 17:25:49 EST,
John S. Quarterman,
Perilocity,
Darkmailer2 month in Canada December 2012 SpamRankings.net
“AS 7788 MAGMA-COMM, bought in 2004 by PRIMUS Telecommunications Group, peaked in the second week and then got a grip on its darkmailer2 spamming. AS 11342 PATHWAY really gave AS 32613 IWEB-AS a run for its money; both seem to have a darkmailer2 problem. Pathway went from 2,871 spam messages seen by CBL in November 2012 to 21,593,775 in December 2012: that's 7,521 times. However, iWeb once again won the spam-spewing month in Canada!”
-
16 January 2013 16:37:35 EST,
John S. Quarterman,
Perilocity,
Dark times in Turkey in the December 2012 SpamRankings.net
“ Special congratulations to AS 44565 VITAL for a huge improvement! Congratulations to Niobe, Dogan, and Kibris for improving. And boo to TurkNet for actually spamming more even though it got pushed down out of the top 10.”
-
11 January 2013 11:30:43 EST,
John S. Quarterman,
Perilocity,
Medical churn in December 2012 SpamRankings.net
“Worst prize goes to #2 AS 21992 eHealth Ontario, which spewed 75 times more spam and pushed Canada to #2 in the country medical rankings. And almost all in two weeks! The only bright spot was that its apparent Kelihos infection seemed to be improving towards the end of the month.”
-
31 December 2012 09:15:48 EST,
John S. Quarterman,
Perilocity,
A Field Quasi-Experiment @ ICIS 2012
“ Project participant Qian Tang presented at ICIS 2012 in Orlando, FL, 14 December 2012, a paper about comparisons of eight countries, in pairs, one of each pair ranked on and the other not. Statistical results indicate the rankings changed organizational spamming behavior.”
-
19 December 2012 14:58:50 EST,
John S. Quarterman,
Perilocity,
Vital Turkey, November 2012 SpamRankings.net
“ Even while spamming a lot less, AS 44565 VITAL still placed #1 again for spewing spam from Turkey in the November 2012 from CBL data. Even as Vital got a handle on its Kelihos problem, AS 8386 KOCNET improved twice. Maybe KOCNET is finally getting a grip on its Festi problem. KOCNET's peak of 0.8 million messages in November is a lot less than its peak of 1.3 million in September, although still far too many.”
-
17 December 2012 12:19:04 EST,
John S. Quarterman,
Perilocity,
OVH: Kelihos or darkmailer? November 2012 SpamRankings.net
“OVH won again, more than doubling its spam spew of last month! This is in the November 2012 from CBL data. Is that 407,726,779 spam messages in a single month a record? Last month it was Kelihos. This month it looks like darkmailer.”
-
06 December 2012 12:41:52 EST,
John S. Quarterman,
Perilocity,
Turkey and Kelihos botnet rampage, October 2012 SpamRankings.net
“New Turkish #1 spammer AS 44565 VITAL TEKNOLOJI shows all the signs: rapidly increasing spamming and both Maazben and Kelihos botnets. The other new Turkish top 10 ASNs, AS 42868 NIOBE, AS 44922 MEDYABIM-AS, AS 12599 ATLAS-AS, AS 49632 DATATELEKOM and AS 12987 OMURGA, all show lesser but still distinctive signs of the Kelihos rampage, namely Maazben botnet plus other unknown botnets. They all also only surged for a week or two, while Vital continued upwards.”
-
03 December 2012 12:24:31 EST,
John S. Quarterman,
Perilocity,
Belgium has a Kelihos problem in October 2012 SpamRankings.net
“ A few other botnets have a bit of Kelihos, but only the top 2 for Belgium are part of the Kelihos rampage. (Newcomer AS 9031 EDPNET has a Cutwail problem.)”
-
28 November 2012 13:41:36 EST,
John S. Quarterman,
Perilocity,
Canada and Kelihos in October 2012 SpamRankings.net
“Three of those relatively static four also were infested with Kelihos. (The fourth, AS 6407 Primus, had a Lethic problem.) While 25,000 spam messages a day, as seen by CBL for AS 6327 Shaw, is quite a sneeze, it's not much compared to the four million a day seen for AS 32612 iWeb. All four of these ASNs also occur in the PSBL top 10 for Canada, in the same order, which is more corroboration that PSBL and CBL are seeing much the same general phenomena, except only CBL is seeing the Kelihos rampage, presumably due to a different heuristic. Also, CBL #1 AS 32613 IWEB and #2 AS 852 Telus are PSBL #10 and #3, so six ASNs were in the Canadian top 10 from both CBL and PSBL data.”
-
27 November 2012 11:55:42 EST,
John S. Quarterman,
Perilocity,
Kelihos and Maazben botnets in U.S. October 2012 SpamRankings.net
“The one exception is U.S. #10, AS 6428 CDM, which we've seen snowshoe itself to the top of the world rankings for May 2012, so it's not surprising that CDM still has snowshoe problems. This time CDM seems to have recovered pretty quickly, actually.”
-
23 November 2012 10:16:08 EST,
John S. Quarterman,
Perilocity,
Why no kelihos rampage in PSBL October 2012 SpamRankings.net?
“What would be the point of having multiple rankings if they always showed the same results? But these are very different results: none of the CBL top 10 show up in the PSBL top 10! How can both the PSBL and CBL rankings be correct?
- First, "correct" for such rankings does not mean completely accurate and it does not mean completely precise: no blocklist will ever detect every spam message emitted by every IP address. Suppose even mighty NSA (No Such Agency) were to copy every bit that passed over every major ISP in the U.S. Even that would miss some bits emitted by for example an ISP in Vietnam that spammed an ISP in India. And what heuristics would mighty NSA use to detect all the spam from all those bits? Would those heuristics happen to include the same one CBL is using to detect the Kelihos rampage? Would they include some further heuristic of which CBL has not yet thought that would detect some other rampage? Quite possibly yes and yes. Any rankings of anything on the Internet are always approximate records of hints and whispers of a constantly-shifting reality that can never be completely pinned down.
- Second, correct for rankings means comparable among the ASNs ranked, so that they can be ranked. In that sense, yes, both the PSBL and CBL rankings are correct: they merely show different aspects of the spam symptom of defective infosec for the ranked ASNs.
- Third, any systematically ranked symptom of poor infosec is important. Does any organization want any of its hosts to be spewing hundreds of thousands of spam messages a day, as in those ASNs in the CBL top 10? Does any organization want any of its hosts to be spewing enough spam in aggregate to turn up in the PSBL top 10? Probably not.
Besides, actually the CBL data does corroborate the PSBL data, when viewed in another set of rankings.”
-
21 November 2012 09:27:03 EST,
John S. Quarterman,
Perilocity,
Kelihos and Maazben botnets in October 2012 SpamRankings.net
“The pattern is easier to see if we look at a single ASN's botnets, such as #1 ranked AS 16276 OVH Systems: Overall spam volume for AS 16276 is indicated by the solid dark blue line. Maazben is the dotted cyan line peaking on 18, 23, and 29 October. Kelihos is the purple line peaking on 22, 26, and 30 October. There's also a green n/a line peaking on 24 October. This kind of choppiness switching back and forth between a couple of predominate botnets is a symptom of the same heuristic being used to detect both botnets. Whatever we call it, this botnet is wreaking havoc across the Internet in this Kelihos rampage.”
-
19 November 2012 14:27:10 EST,
John S. Quarterman,
Perilocity,
Kelihos rampage in October 2012 SpamRankings.net
“Those few addresses spewed so much spam they pushed entire countries, The Kelihos rampage pushed many countries, including France, Germany, Hong Kong, Thailand, Canada, Hungary, Belarus, Paraguay, Singapore(!), and Mexico, to the top of the countries ranking.”
-
31 October 2012 15:52:36 EDT,
John S. Quarterman,
Perilocity,
Botnets behind the late-month upswings in Belgium in the September 2012 SpamRankings.net?
“For Gateway's AS 25395, the problem is much more mixed, with some Festi, Cutwail, Lethic, Zeus, and various others. ”
-
23 October 2012 15:22:33 EDT,
John S. Quarterman,
Perilocity,
KOCNET outspams Turkey, gaining on TTNET's record in September 2012 SpamRankings.net
“ More than two-thirds top-10 Turkish spam came from KOCNET in September 2012 for Turkey from CBL data. KOCNET's 68.5% is about the same as its 68.7% for August and more than TTNET's 65.2% for July but still not quite up to TTNET's record of 78.3% in June. However, in June TTNET only spammed 6,362,167 messages (as seen in the CBL data), while KOCNET spammed 28,937,997 in September, which beats TTNET's maximum messages a month in July 2011.”
-
18 October 2012 13:18:38 EDT,
John S. Quarterman,
Perilocity,
Global Crossing spammed the most from the U.S. in September 2012 SpamRankings.net!
“ Yep, it's Festi for #1 GBLX, #2 AS 17184 ATL-CBEYOND, for #3 AS 7018 ATT-INTERNET4, #8 AS 7385 INTEGRATELECOM and #10 AS 1239 SPRINTLINK. Congratulations AT&T for making the list! Well, not really congratulations, since it means you let a lot of outbound spam out.”
-
16 October 2012 13:36:46 EDT,
Sami Sainio,
Perilocity,
ISPs, spam, and botnets? a case in Finland
“After the computer was through the LAN to the Internet for a while, the local ISP (Sonera) realized someone from HS-Works was connecting to a known botnet and acting in a possibly malicious way. So what did the ISP do?”
-
12 October 2012 14:37:44 EDT,
John S. Quarterman,
Perilocity,
Data storage issues in SpamRankings.net
“Look just under any rankings chart for September 2012 and you'll see this notice: CBL dropouts 8,11 September 2012 were on our end. PSBL data is unusable 4-15 Sep 2012 due to problems on our end. ”
-
11 October 2012 14:21:53 EDT,
John S. Quarterman,
Perilocity,
India outspammed the world in September 2012 SpamRankings.net
“ASNs in Saudi Arabia, Turkey, and Vietnam got better, but India, Peru, and Romania, picked up the slack. Is this more Festi festering in new ASNs in new countries? Stay tuned!”
-
02 October 2012 12:13:13 EDT,
John S. Quarterman,
Perilocity,
No Festi dip in LACNIC, July 2012 SpamRankings.net
“ There was a dip in volume from the top 20 Festi-infested ASNs starting about 15 July 2012, bottoming out 21 July 2012, except one region's ASNs did not dip. The three Latin American ASNs in the Festi botnet top 20 spammers did not dip: Those are the only three LACNIC ASNs in the top 20 ASNs for Festi. Perhaps NIC policies matter? Or maybe it's something in regional national infosec policies? It could still be national infosec policies, but why were all the other big Brazilian ASNs not Festi-infested? But wait! Two others also did not dip:”
-
27 September 2012 12:39:22 EDT,
John S. Quarterman,
Perilocity,
Terms of Service rankings
“According to Terms of Service; Didn't Read (TOS;DR), “I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that. We are a user rights initiative to rate and label website terms & privacy policies, from very good Class A to very bad Class E”
-
24 September 2012 17:34:09 EDT,
John S. Quarterman,
Perilocity,
Reputation as Public Policy for Internet Security @ TPRC 2012
“Blog readers will notice the TPRC presentation excerpted Grum botnet is staging a comeback and extended Festi botnet infesting the world, July 2012 as well as making use of the numerous medical posts, while attempting to pull that and other material together in aid of motivating and describing the intended field experiments and their potential policy implications. As Prof. Andrew B. Whinston said to Network World a couple of months ago: We're not trying to solve the spam issue. We're trying to deal with the broader issue of whether companies should publicly report security issues. ”
-
20 September 2012 11:15:40 EDT,
John S. Quarterman,
Perilocity,
Festi in the rest of the top Turkish 7 SpamRankings.net 2012-08 CBL data
“The next five are AS 12735 ASTURKNET, AS 12978 DOGAN-ONLINE, AS 16135 TURKCELL, AS 29179 KIBRISONLINE-AS, and AS 8517 ULAKNET, in the August from both CBL and PSBL data. You guessed it: they're all infested with Festi botnet, too.”
-
13 September 2012 13:16:31 EDT,
John S. Quarterman,
Perilocity,
Spam externality cost ratio higher than stealing cars: what to do about that?
“ Now, in a new paper in the Journal of Economic Perspectives, Justin Rao of Microsoft and David Reiley of Google (who met working at Yahoo) have teamed up to estimate the cost of spam to society relative to its worldwide revenues. The societal price tag comes to $20 billion. The revenue? A mere $200 million. As they note, that means that the "'externality ratio' of external costs to internal benefits for spam is around 100:1. Spammers are dumping a lot on society and reaping fairly little in return." In case it's not clear, this is a suboptimal situation.”
-
07 September 2012 13:11:29 EDT,
John S. Quarterman,
Perilocity,
Festi pushes KOCNET to #1 in Turkey and #3 in the world
“ Both ISPs hit a Festi low on 21 July, which raises the speculation that that low had nothing to do with infosec efforts by the ISPs, and more to do with something going on inside Festi. After that low, TTNET briefly started back up with Festi, but then dropped down. KOCNET just kept going up. Up so far that KOCNET made #3 in the world in rankings from CBL data and #4 in the world in rankings from PSBL data, pushing Turkey itself up to #4 (CBL) and #5 (PSBL).”
-
04 September 2012 10:35:25 EDT,
John S. Quarterman,
Perilocity,
Grum botnet is staging a comeback
“Let's compare the July 2012 Grum botnet top 10 ASNs to the August 2012 top 10. Still spewing spam from Grum in August were India's AS 9829 BSNL-NIB - National Internet Backbone, Korea's AS 4766 KIXS-AS-KR - Korea Telecom, and Vietnam's AS 7643 VNPT-AS-VN - Vietnam Posts and Telecommunications (VNPT). Is there a pattern there? National government-sponsored Internet backbones don't clean up their spam-spewing botnet act well?”
-
04 September 2012 09:20:49 EDT,
John S. Quarterman,
Perilocity,
TTNET ejected Festi but still infested with Lethic and other botnets 2012-07,2012-08
“However, Festi is still in there, and TTNET has other problems, as well, including Lethic, Cutwail, Waledac, Maazben, and even Grum(!) botnets, plus Sendsafe.”
-
24 August 2012 10:00:24 EDT,
John S. Quarterman,
Perilocity,
John Quarterman on Mapping Spam and Politics (audio)
“John S. Quarterman, long time Internet denizen, wrote one of the seminal books about networking prior to the commercialization of the Internet. He co-founded the first Internet consulting firm in Texas (TIC) in 1986, and co-founded one of the first ISPs in Austin (Zilker Internet Park, since sold to Jump Point). He was a founder of TISPA, the Texas ISP Association. Quarterman was born and raised in Lowndes County, where he married his wife Gretchen. They live on the same land where he grew up, and participate in local community and government. Quarterman took some time during Georgia River Network's Weekend for Rivers to speak with the Nonprofit Snapshot about spam-mapping and small town politics.”
-
23 August 2012 15:10:43 EDT,
John S. Quarterman,
Perilocity,
eHealth Ontario tops worldwide medical spammers SpamRankings.net
“ The blue dotted line indicates spam from Festi, which, as you can see, tracks pretty closely with total spam seen from AS 21992.”
-
21 August 2012 08:39:53 EDT,
John S. Quarterman,
Perilocity,
Festi botnet in July 2012 U.S. Medical SpamRankings.net from CBL
“ AS 17311 ECMC-BGP was infested with Festi (blue curve on the right) at the same time as AS 122, and AS 17311 earlier had a Cutwail botnet problem (lower green curve on the left). Cleveland Clinic's AS 22093 CCF-NETWORK had a Festi problem (blue curve on the left) and then some unknown botnet infestation (red curve in the middle). Englewood Hospital's AS 17344 ENGLEWD-AS had a Cutwail problem (upper green curve) the same time as Erie County's AS 17311 ECMC-BGP did.”
-
21 August 2012 08:56:35 EDT,
John S. Quarterman,
Perilocity,
Pittsburgh back in the top 10 for spam from U.S. medical organizations
“ University of Pittsburgh Medical Center's AS 122 U-PGH-NET-AS and Erie County Medical Center's AS 17311 ECMC-BGP not only took #1 and #2, they also spammed longer than other medical ASNs. That jumped them up 8 ranks each in one month.”
-
14 August 2012 12:03:57 EDT,
John S. Quarterman,
Perilocity,
WIN finally got the no medical spam memo in March 2012
“It looks like WIN finally got the memo in March 2012 and has been improving since then.”
-
06 August 2012 08:21:42 EDT,
John S. Quarterman,
Perilocity,
Festi botnet infesting the world, July 2012
“Taking off like a rocket was SaudiNet's AS 25019 SAUDINETSTC-AS of Saudi Arabia. Rising almost as fast was National Internet Backbone's AS 9829 BSNL-NIB of India. Also on an upwards path was academic network AS 8386 KOCNET of Turkey.”
-
30 July 2012 14:34:20 EDT,
John S. Quarterman,
Perilocity,
Grum down, but... 1 June 2012 - 30 July 2012, SpamRankings.net
“ Well, apparently that campaign ran out, because they stopped spewing. Here is an updated graph of grum botnet and its top 10 ASNs.”
-
26 July 2012 12:41 EDT,
Tim Greene,
Network World,
Study: Microsoft repeatedly ranks as top U.S. spammer; University of Texas project calls attention to problem in effort to reduce spam, improve security
“Based on results culled from spam block lists, researchers found that Microsoft IP addresses were responsible for a big enough volume of spam to top their SpamRankings.net list for the U.S. in April and May 2011, and in March, April and June of this year, which is the latest ranking, says John S. Quarterman, a senior researcher with the project at the McCombs School of Business at UT Austin.”
-
20 July 2012 15:38:40 EDT,
John S. Quarterman,
Perilocity,
Spam from Microsoft's AS 8075 April 2011-June 2012
“The main point is even mighty Microsoft often emits spam. Any big corporation is likely to have similar problems, because, like in the case of medical organizations, they're likely to have some employees who will fall for phishing or other exploits. Even the most Internet-security-savvy organization can't catch them all. SpamRankings.net can help with that, both by providing incentive (do you want your organization to be at the top of the rankings?) and by providing drilldowns to help localize the problem (so you can fix it and brag about dropping off the rankings).”
-
19 July 2012 13:06:24 EDT,
John S. Quarterman,
Perilocity,
Grum and other botnets, 1 June 2012 - 19 July 2012, SpamRankings.net
“Well, let's have a look. Here are the top 10 botnets for 1 June 2012 through today (GMT, i.e., really yesterday). Grum is that blue-green line running near the bottom, showing about 1 to 2 million spam messages a day. Grum was the third spammiest botnet during that period (not counting n/a, which is spam detected without having to dig into what botnet it came from), so taking grum down is a big deal. However, we don't really see much decrease in grum, except maybe on the last day shown. And we do see a huge decrease in lethic, which is the dark green line that plummets from almost 6,000,000 on 3 July to less than 121,000 on 19 July. And we see a big increase in festi, the bright green line that comes up from less than 832,000 on 28 June to almost 6,000,000 on 8 July, and then drops back to around 3,000,000. Compared to lethic and festi, nothing much has happened to grum yet.”
-
11 July 2012 13:03:45 EDT,
John S. Quarterman,
Perilocity,
Microsoft back on top in June SpamRankings.net
“In other news, Bell Canada's AS 577 BACOM actually dropping off the Canadian June 2012 rankings from CBL data. Shaw took #1 and Iweb dropped to #2.”
-
21 June 2012 12:33:41 EDT,
John S. Quarterman,
Perilocity,
Cleveland Clinic wins one way, then another, in SpamRankings.net
“Yet AS 22093 CCF-NETWORK dropped like a rock on 7 May 2012, going to zero the next day, and staying there. So Cleveland Clinic also was most improved for May 2012 medical organizations. Congratulations, Cleveland Clinic!”
-
20 June 2012 09:19:58 EDT,
John S. Quarterman,
Perilocity,
Canada, land of spam plateaus on SpamRankings.net
“The old-time winners, AS 6327 SHAW and AS 577 BACOM, kept spamming away, and came in #2 and #6 again. That's in the rankings from CBL data. In rankings from PSBL data, IWEB, SHAW, and BACOM were #1, #2, and #3.”
-
19 June 2012 09:32:36 EDT,
John S. Quarterman,
Perilocity,
SuperOnline dropped off May 2012 Turkey top 10 SpamRankings.net
“Perpetual winner and still champion for spewing spam from Turkey is TTNET's AS 9121, accounting for almost 3/4 of all spam seen from Turkey seen by CBL. SpamRankings.net saw about the same proportion of Turkish spam coming from TTNET in data from PSBL.”
-
18 June 2012 13:39:07 EDT,
John S. Quarterman,
Perilocity,
Stone Internet Services' AS 39234 dropped like a rock in May 2012 SpamRankings.net
“And Uganda Telecom's AS 21491 started up like a rocket at the end of the month, going from 1,046 on 26 May to 4,213 on 31 May, a 300% increase.”
-
12 June 2012,
John S. Quarterman,
Perilocity,
CDM snowshoes to the top of the world in May 2012 SpamRankings.net
“The same spamtraps never saw more than 56 hosts sending all those messages. That was on 11 May 2012, when they saw 1,989,762 spam messages, for a ratio of 35,531 spam messages per sending host. That's not exactly the old botnet low-and-slow technique. Snowshoe spam: it's already in prime time!”
-
7 June 2012,
John S. Quarterman,
Perilocity,
Snowshoe took all top 7 in May U.S. CBL SpamRankings.net
“Snowshoe appeared to have been the source for spam from all of the top seven spamming organizations in the May 2012 top 10 SpamRankings.net for the U.S. from CBL data. Only 3 were traditional ISPs (two cable companies, Comcast and Charter, plus Global Crossing). Snowshoe spam accounted for all but about 5% of spam from the U.S. top 10. And we already knew snowshoe is not just for hosting companies anymore.”
-
01 June 2012,
John S. Quarterman,
Perilocity,
A few bad stones can darken an organization's SpamRankings.net
“Take Stone Internet Services AS 39234 STONE-IS, which is the green line climbing to the top of the Belgium April 2012 rankings in the graph to the right. On 30 April CBL caught more than 8,000 spam messages coming from STONE-IS, yet CBL only saw spam coming from a max of 3 STONE-IS IP addresses during that month.”
-
29 May 2012,
John S. Quarterman,
Perilocity,
Congratulations to Israel and Spain for dropping out of April World SpamRankings.net!
“Not so lucky were the U.K. and Turkey, which joined the top 20.”
-
22 May 2012,
John S. Quarterman,
RIPE Labs,
A Year of SpamRankings.net: Medical Organizations
“So it seems that these peer rankings are working for the actual peers shown in the rankings, but as much not for the one non-peer organization. Recent statistical analysis (submitted for publication elsewhere) indicates that this is indeed the case.”
-
09 May 2012,
John S. Quarterman,
Perilocity,
An ISP snowshoes ahead in spamming
“However, the dotted line rising to the top right that pulled the solid overall snowshoe volume line back up is not a hosting center: it's an ISP. CDM's AS 6428 appears to be operating as Primary Network, whose first services are T-1 Internet access and metro Internet. And Primary Network is not alone.”
-
4 May 2012,
John S. Quarterman,
Perilocity,
Microsoft, world leader in Internet security: and spamming?
“And of course Microsoft probably doesn't mean to be sending any of that spam. More likely botnets exploited a MSFT security vulnerability. Here's hoping they clean it up soon!”
-
26 April 2012,
John S. Quarterman,
Perilocity,
Ogee snowshoe: black swan or new strategy?
“Others say the actual spam coming out of Ogee is not the same campaigns as we've seen from botnets, so spammers are not moving over. To which I say: yet. And if snowshoe spam is big enough to change worldwide SpamRankings.net, and if it continues, that's a strategy change. We'll see how all that goes.”
-
16 April 2012,
John S. Quarterman,
Perilocity,
Ogee pushed iWeb and Canada up SpamRankings.net in March 2012
“AS 32613 IWEB-AS was far ahead of the Canadian spamming pack in the March 2012 SpamRankings.net. iWeb improved a lot towards the end of the month, but will it stay improved? AS 14366 MTNCABLE plateaued early, dropped, then took first at the end of the month. Could they have the same problem?”
-
12 April 2012,
John S. Quarterman,
Perilocity,
Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012 SpamRankings.net
“But the US ASNs that got worse pushed the U.S. to #1 spamming country. The slope of that U.S. world top 10 curve for the last dozen days of March looks just like the Brinkster and CARINET ASN curves in the U.S. top 10. Very impressive, to drive the whole country into the countries top 10!”
-
12 March 2012,
John S. Quarterman,
Perilocity,
Did the February 2012 spam surge come from one botnet?
“SpamRankings.net saw a huge surge in spam from some U.S. ASNs, mostly from ones that hadn't even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?”
-
8 March 2012,
John S. Quarterman,
Perilocity,
Big U.S. Spam Spike in February 2012 SpamRankings.net
“In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn't place in the top 10 at all, for the first time in recent memory!”
-
16 February 2012,
John S. Quarterman,
Perilocity,
Is January's medical spam caused by botnets?
“Remember those three spamming medical organizations PSBL saw and the spike from CSHS that SpamRankings.net found in CBL data? Digging into the underlying data, and graphing them all on the same chart, we see this:”
-
15 February 2012,
John S. Quarterman,
Perilocity,
CSHS is back in January 2012 SpamRankings.net
“In SpamRankings.net, January PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.”
-
31 January 2011,
John S. Quarterman,
Perilocity,
Global Crossing spam spike, November 2011
“It looks like GBLX is infested with many botnets, but the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak on 16 Nov.”
-
5 January 2011,
John S. Quarterman,
Perilocity,
India, Bank of America, and CyberSURF: December 2011 SpamRankings.net
“In SpamRankings.net for December 2011, worldwide India spammed the most, while Bank of America topped one U.S. ranking, and CyberSURF peaked in Canada, but Cleveland Clinic cleaned up its act.”
-
15 December 2011,
John S. Quarterman,
Perilocity,
Comcast pushed out of first, yet wins November U.S. SpamRankings.net
“AS 20214 COMCAST-20214 did spam a third less (1,503,173 spam messages) than last month (2,193,898), but it was the spontaneous spam spewing of the two top place newcomers that pushed it down to third place. Yet Comcast really won the month. It took 4 of the top 10 (places 3, 6, 7, and 10), which is twice as many as last time, and accounted for 30.29% of top 10 spam spewed, up from 23.9% last time.”
-
5 December 2011,
John S. Quarterman,
Perilocity,
Cleveland Clinic spewing spam again
“Now a couple of hundred spam messages a day isn't much by world organization standards, but compared to what we'd all like to see from medical organizations (zero), it's a lot.”
-
21 November 2011,
John S. Quarterman,
Perilocity,
China does not lead Country Rankings from SpamRankings.net
“China is only #13, but Brazil, Russia, and India (the other three BRICs) are in the top five countries by total spam messages for October 2011. U.S. is #10.”
-
15 November 2011,
John S. Quarterman,
Perilocity,
What is IPWORLDNET and why is it spamming from Canada?
“Last month's winner, Canaca-com's AS 33139 CANACA-210, came in second. From there down it's mostly the usual suspects in slightly different orders. Interestingly, longterm winner Bell Canada's AS 577 BACOM only came in fourth. This is unusual for a national telco. Maybe they're watching the rankings?”
-
10 November 2011,
John S. Quarterman,
Perilocity,
Big Churn in the U.S. in October SpamRankings.net
“All that and Numbers 2 and 3 didn't even place last month. #3 AS 25653 FORTRESSITX jumped up from about a thousand spam messages a day to more than 200,000 and then back down. #2 AS 23376 APPSERVE came up from zero on 11 October to more than 225,000, dropped back briefly to zero on 22 October, and then resumed at around 65,000 a day. Both of those cases look suspiciously like single botnet infestations.”
-
24 October 2011,
John S. Quarterman,
Perilocity,
How to leverage botnet takedowns
“Most of the paper is about effects of a specific takedown (March 2011) and a specific slowdown (December 2010) on specific botnets (Rustock, Lethic, Maazben, etc.) and specific ASNs (Korea Telecom's AS 4766, India's National Internet Backbone's AS 9829, and many others). ... The detailed drilldowns also motivate a higher level policy discussion.”
-
27 September 2011,
Matt Turner,
Texas Enterprise,
Spam Spanking
“Why publish ranked lists of spamming organizations, which most likely don't even know their computers are infected? If you knew which department store in your area had the highest theft rate, would you shop there? Perhaps, since the store's loss does not threaten you personally. But what if you knew which bank had the worst record for identity theft? Are you just as likely to be its customer? What's at stake is the level of perceived threat. The Spam Rankings project's leaders hope you will recognize spam as more than annoying clutter. Far from a mere nuisance, they suggest, spam is the smoke that signals a dangerous fire. Spam at its worst poses a security threat and portends infection and theft.”
-
24 September 2011,
John S. Quarterman, Serpil Sayin, Andrew B. Whinston,
TPRC 2011,
Rustock Botnet and ASNs
“Knock one down, two more pop up: Whack-a-mole is fun, but not a solution. Need many more takedowns, or many more organizations playing. How do we get orgs to do that? ...Most orgs keep security problems secret because they think it will harm their reputation. Ahah! Publish reputation and they'll care.”
-
29 August 2011,
John S. Quarterman,
RIPE Labs,
The Big Medical Drop in SpamRankings.net
“The listing on your site added additional impetus to make sure we 'stay clean' so in that regard, you are successful. —Medical org. security expert”
-
20 June 2011,
Samuel Greengard,
CACM,
How Much Spam Does Your Company Unknowingly Send?
“...300 spam messages per month. Worse, these missives—fraught with malware and phishing schemes—potentially wreak havoc with computers.”
-
17 June 2011,
Sue Walsh,
All Spammed Up,
University of Texas Publicizes Known Spam Havens
“If a company or organization makes it on the site it means their IPs have found their way onto a blacklist for sending spam. Spammers love to find open proxies and unprotected FTP accounts and often use a company's servers to host a botnet's command and control servers. Last year both Twitter and Amazon fell victim to this. The poor security measures that invite spammers to do things like this are also responsible for data theft, as Sony, Citigroup and Epsilon have found out the hard way.”
-
9 June 2011,
Lindsey Rattikin,
The Horn,
UT launches website to combat spam
“Everyone knows the frustration that comes along with opening your email account only to have to sift through countless spam messages about "free iPads" or "island getaways." Just by giving your email address out to one questionable institution, your message box can become so flooded that it becomes impossible to find the emails you actually need to read. A group at the University of Texas, the Center for Research in Economic Commerce (CREC), is trying to tackle this problem, one institution at a time.”
-
8 June 2011,
Fahmida Y. Rashid,
eWeek.com,
UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers
“Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose.”
-
8 June 2011,
Justin Lee,
Web Host Industry Review,
University of Texas Launches Website that Publicizes Spam Sources
“Poor security measures lead to spam and data theft, where botnets are used to send spam using computers hijacked without the knowledge of their owners. And although it has yet to be proved whether people consider an organization's spam rankings when choosing a bank, health care provider, SpamRankings is certainly a useful resource to have when qualifying an organization's security measures.”
-
7 June 2011,
John S. Quarterman,
Perilocity,
Krebs on SpamRankings.net
“...organizations that do better over time may want to brag, as has happened with a couple of U.S. organizations in May.”
-
7 June 2011,
Brian Krebs,
Krebs on Security,
Naming & Shaming Sources of Spam
“I applaud this effort, and hope that it gains traction. I remain convinced that the Internet community would benefit from a more comprehensive and centralized approach to measuring badness on the Web. There are many existing efforts to measure reputation and to quantify badness online, but most of those projects seek to enumerate very specific threats (such spam or hacked Web sites) and measure the problem from a limited vantage point. What is lacking is an organization that attempts to collate data collected by these disparate efforts and to publish that information in near real-time.”
-
1 June 2011,
physorg.com,
Ranking seeks to protect internet users from data theft by exposing flagrant spam havens
“The connection between spam and data theft is poor computer security. Spammers use what are called botnets to send spam using computers hijacked without the knowledge of their legitimate owners.”
-
1 June 2011,
Team Cymru,
Twitter,
SpamRankings.net: ID'ing major #spam havens
“uses our IP to ASN lookup service http://bit.ly/mJO0w4”
-
1 June 2011,
Jessica Farrar,
McCombs Today,
New Ranking Warns Internet Users about Online Spam Havens
-
31 May 2011,
myScience,
Ranking Seeks to Protect Internet Users from Data Theft by Exposing Flagrant Spam Havens
-
Ranking Seeks to Protect Internet Users
from Data Theft by Exposing Flagrant Spam Havens
-
May 31, 2011 AUSTIN, Texas — The Center for Research in Economic
Commerce (CREC) at The University of Texas at Austin has unveiled an
initiative called
SpamRankings.net,
designed to protect Internet users by identifying major havens for spam.
"Nobody wants to do business with a bank or hospital or Internet hosting
company that has been hijacked by spammers," said center Director Andrew
Whinston. "It is an environment in which user data can be stolen or
compromised."