[vox] Spam by ASN -- stats and stuff
Karsten M. Self
vox@lists.lugod.org
Wed, 10 Mar 2004 03:58:25 -0800
I've been taking a couple tacks on spam lately. One is the presumably
familiar "it's an identification problem" approach of filtering. Given
that I can't actually block spam at SMTP time (ISP intake), I get gobs of
it to look at. Which raises a second point: it's a hygiene issue.
More specifically: *three* networks account for over 25% of my current
spam. Two of these three don't use a Roman alphabet, and contribute
effectively nil legitimate mail. Point being: you can make a very
significant hit in your spam at very low cost by simply dropping such
traffic. Make decisions appropriate to your own needs.
It's possible to aggregate spam statistics by ASN (autonomous system
number) which identify autonomous systems -- essentially the networks
the Internet is internetworking between. ASNs describe a single scope
of control, and a pronounced tendency for spam to originate from an ASN
indicates either poor control, or active support, for spammers. This is
broader than some measures (DNSBLs provided by SpamCop, Spamhaus, SORBS,
or even SPEWS), but is more accountable than simply dropping _all_
traffic of a class regardless of administrative scope -- say a CCTLD or
all DUL/dynamic IPs.
Why?
An ASN represents a single accountable entity.
An ASN with a grossly excessive spam profile has a very serious problem
maintaining network security and integrity.
You can get ASN for a given IP via reverse DNS query at
asn.routeviews.org. Standard reversed dotted quad lookup, request a
text record, e.g.:

    $ host -t txt 136.54.218.66.asn.routeviews.org
    136.54.218.66.asn.routeviews.org text "19817" "66.218.52.0" "22"
    136.54.218.66.asn.routeviews.org text "19817" "66.218.32.0" "19"

Which tells us that www.svlug.org is in ASN 19816. A 'whois' query on
"as19817" tells us that this is NCS DataCom.
I describe this in more depth at:
http://twiki.iwethey.org/Main/SpamByASN
Data below are culled from the runlogs of a LART script I've written,
which collects IP, ASN, various DNSBL lookup results, and other spam
characteristics at about the time of spam receipt. The scripts (which
require some tweakage) are available at
http://linuxmafia.com/~karsten/Doanload/SpamTools.tar.gz
ASN description is taken from (by preference) jwhois query 'as-name',
'descr', or a 'whois' query 'OrgName' field, depending on junk / blank /
nondescriptive data.
These results are mine, YMMV. Single point of measurement, dialup ISP
account, well publicized. I LART heavily, which may influence my spam
load up or down, or by origin. Time cutoffs are somewhat rough (give or
take a few hours). I'm arbitrarily cutting off reporting at the top
30 sources. Caveat emptor.
Incidentally, with March results to date, I'm seeing a 27%
month-to-month increase in spam.
Results for February, 2004 (complete):
Total spams: 4024

Rank  Cum %    Pct  Spams    ASN  Description
----  -----  -----  -----  -----  -------------
   1  14.8%  14.8%    597   4766  KT-NET
   2  20.3%   5.4%    219    n/a  Query timed out
   3  25.3%   5.0%    202   9318  HANARO-AS
   4  29.0%   3.7%    150   7132  SBCIS-BACKBONE-ASN
   5  31.5%   2.5%    101   6478  AT&T WorldNet Services
   6  33.8%   2.3%     92   4134  CHINA-TELECOM
   7  35.9%   2.1%     84   9277  THRUNET-AS-KR
   8  37.9%   2.0%     81   4813  CHINANET-GD
   9  39.8%   1.8%     74   3462  HiNet
  10  41.4%   1.6%     64   1221  TELSTRA-AS
  11  42.9%   1.5%     62   3352  Telefonica-Data-Espana
  12  44.3%   1.4%     57   3215  France Telecom Transpac
  13  45.7%   1.3%     54   3786  DACOM-NET
  14  47.0%   1.3%     53   7018  AT&T WorldNet Services
  15  48.0%   1.0%     40   6327  ASN-SHAW
  16  49.0%   1.0%     40  10530  INTERPACKET
  17  49.9%   0.9%     36    unk
  18  50.7%   0.8%     33   7843  ADELPHIA-AS
  19  51.5%   0.8%     33   7482  APOL
  20  52.3%   0.8%     31  12491  IPPLANET-AS
  21  52.9%   0.7%     27  20115  CHTR-BB
  22  53.6%   0.6%     26   7015  Comcast Cable Communications Holdings, Inc
  23  54.2%   0.6%     24   4837  China-Network-Communications-Group
  24  54.7%   0.6%     23   9116  Goldenlines main autonomous system
  25  55.3%   0.6%     23   4812  CHINANET-SH-AP
  26  55.9%   0.6%     23  22047  VTRNet
  27  56.4%   0.5%     22   4670  SHINBIRO-AS
  28  57.0%   0.5%     22  22572  INFOSAT-IP
  29  57.5%   0.5%     22  17175  NSS-UK
  30  58.1%   0.5%     21   5615  TISNL-BACKBONE

Results for March, 2004 (partial):
Note: Telecom Namibia is largely present due to a single misconfigured
C/R system, and shouldn't be read as a representative experience.

Total spams: 1494

Rank  Cum %    Pct  Spams    ASN  Description
----  -----  -----  -----  -----  -------------
   1  16.6%  16.6%    245   4766  KT-NET
   2  21.3%   4.7%     70   7132  SBCIS-BACKBONE-ASN
   3  25.6%   4.3%     64   9318  HANARO-AS
   4  29.9%   4.3%     63  20459  Telecom Namibia
   5  32.8%   2.9%     43   1221  TELSTRA-AS
   6  35.5%   2.6%     39   4134  CHINA-TELECOM
   7  37.8%   2.3%     34   4813  CHINANET-GD
   8  39.4%   1.7%     25   3786  DACOM-NET
   9  41.1%   1.6%     24   3352  Telefonica-Data-Espana
  10  42.6%   1.5%     22   9277  THRUNET-AS-KR
  11  44.0%   1.5%     22   3462  HiNet
  12  45.1%   1.0%     15   3215  France Telecom Transpac
  13  46.0%   0.9%     14   7018  AT&T WorldNet Services
  14  46.9%   0.9%     13   9116  Goldenlines main autonomous system
  15  47.8%   0.9%     13  20115  CHTR-BB
  16  48.6%   0.8%     12   4812  CHINANET-SH-AP
  17  49.4%   0.8%     12    unk
  18  50.2%   0.8%     12   3269  ASN-IBSNAZ
  19  51.0%   0.8%     12  22047  VTRNet
  20  51.8%   0.7%     11   7482  APOL
  21  52.5%   0.7%     11   6327  ASN-SHAW
  22  53.2%   0.7%     11      -  Query timed out
  23  53.9%   0.7%     10   8151  Latin American and Caribbean IP address Regional Registry
  24  54.6%   0.7%     10   6128  CV-INET
  25  55.3%   0.7%     10  12491  IPPLANET-AS
  26  55.9%   0.6%      9  27699  TSP
  27  56.5%   0.6%      9  17175  NSS-UK
  28  57.1%   0.6%      9  13066  RETECAL
  29  57.6%   0.5%      8   9121  TTNet
  30  58.2%   0.5%      8   4837  China-Network-Communications-Group

Peace.
-- 
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Rules of Spam: #3: Spammers are stupid.
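
Added example (not part of the original post, and not the author's SpamTools scripts): the lookup and tally described above, run offline on the host output quoted in the post and on the top three February rows. The function names are assumptions made for this sketch; the zone name, TXT record layout and counts are taken from the post.

```python
import ipaddress
import re
from collections import Counter

ZONE = "asn.routeviews.org"  # lookup zone named in the post

def asn_query_name(ip: str) -> str:
    """Reversed dotted quad under the zone, for `host -t txt <name>`."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + ZONE

# One TXT answer as printed by host: "ASN" "network" "prefix length"
TXT_RE = re.compile(r'text\s+"(\d+)"\s+"([\d.]+)"\s+"(\d+)"')

def parse_txt_answers(host_output: str):
    """Return (asn, network) for the most specific prefix, or None."""
    best = None
    for asn, net, plen in TXT_RE.findall(host_output):
        network = ipaddress.IPv4Network(f"{net}/{plen}", strict=False)
        if best is None or network.prefixlen > best[1].prefixlen:
            best = (int(asn), network)
    return best

def rank_by_asn(counts, total=None, top=30):
    """Rows of (rank, cumulative %, %, spams, asn), heaviest source first."""
    total = total or sum(counts.values())
    rows, running = [], 0
    for rank, (asn, n) in enumerate(Counter(counts).most_common(top), 1):
        running += n
        rows.append((rank, round(100 * running / total, 1),
                     round(100 * n / total, 1), n, asn))
    return rows

# host output exactly as quoted in the post
HOST_OUTPUT = '''\
136.54.218.66.asn.routeviews.org text "19817" "66.218.52.0" "22"
136.54.218.66.asn.routeviews.org text "19817" "66.218.32.0" "19"
'''
# Top three February 2004 rows from the post (total 4024 spams);
# failed lookups ("n/a") are kept as their own bucket, as in the table.
FEB_TOP3 = {"4766": 597, "n/a": 219, "9318": 202}

if __name__ == "__main__":
    print(asn_query_name("66.218.54.136"))
    print(parse_txt_answers(HOST_OUTPUT))
    for row in rank_by_asn(FEB_TOP3, total=4024):
        print("%4d  %5.1f%%  %5.1f%%  %5d  %5s" % row)
```

When a lookup returns several covering prefixes, the sketch keeps the longest one, since that is the announcement closest to the sending host.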