Page last updated:
2004 Mar 10 07:03

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.


[vox] Spam by ASN -- stats and stuff



I've been taking a couple tacks on spam lately.  One is the presumably
familiar "it's an identification problem" approach of filtering.  Given
that I can't actually block spam at SMTP time (ISP intake), I get gobs of
it to look at.  Which raises a second point:  it's a hygiene issue.

More specifically:  *three* networks account for over 25% of my current
spam.  Two of these three don't use a Roman alphabet, and contribute
effectively nil legitimate mail.  Point being: you can make a very
significant hit in your spam at very low cost by simply dropping such
traffic.  Make decisions appropriate to your own needs.


It's possible to aggregate spam statistics by ASN (autonomous system
number) which identify autonomous systems -- essentially the networks
the Internet is internetworking between.  ASNs describe a single scope
of control, and a pronounced tendency for spam to originate from an ASN
indicates either poor control, or active support, for spammers.  This is
broader than some measures (DNSBLs provided by SpamCop, Spamhaus, SORBS,
or even SPEWS), but is more accountable than simply dropping _all_
traffic of a class regardless of administrative scope -- say a CCTLD or
all DUL/dynamic IPs.  

Why?

An ASN represents a single accountable entity.

An ASN with a grossly excessive spam profile has a very serious problem
maintaining network security and integrity.



You can get ASN for a given IP via reverse DNS query at
asn.routeviews.org.  Standard reversed dotted quad lookup, request a
text record, e.g.:

    $ host -t txt 136.54.218.66.asn.routeviews.org
    136.54.218.66.asn.routeviews.org text "19817" "66.218.52.0" "22"
    136.54.218.66.asn.routeviews.org text "19817" "66.218.32.0" "19"

Which tells us that www.svlug.org is in ASN 19817.  A 'whois' query on
"as19817" tells us that this is NCS DataCom.


I describe this in more depth at:

    http://twiki.iwethey.org/Main/SpamByASN


Data below are culled from the runlogs of a LART script I've written,
which collects IP, ASN, various DNSBL lookup results, and other spam
characteristics at about the time of spam receipt.  The scripts (which
require some tweakage) are available at

    http://linuxmafia.com/~karsten/Doanload/SpamTools.tar.gz

ASN description is taken from (by preference) jwhois query 'as-name',
'descr', or a 'whois' query 'OrgName' field, depending on junk / blank /
nondescriptive data.


These results are mine, YMMV.  Single point of measurement, dialup ISP
account, well publicized.  I LART heavily, which may influence my spam
load up or down, or by origin.  Time cutoffs are somewhat rough (give or
take a few hours).  I'm arbitrarily cutting off reporting at the top
30 sources.  Caveat emptor.

Incidentally, with March results to date, I'm seeing a 27%
month-to-month increase in spam.


Results for February, 2004 (complete):
  Total spams: 4024
  
  Rank  Cum %   Pct  Spams  ASN     Description
  ----  -----   ---- -----  -----   -------------
     1  14.8%  14.8%   597  4766    KT-NET
     2  20.3%   5.4%   219  n/a     Query timed out
     3  25.3%   5.0%   202  9318    HANARO-AS
     4  29.0%   3.7%   150  7132    SBCIS-BACKBONE-ASN
     5  31.5%   2.5%   101  6478    AT&T WorldNet Services 
     6  33.8%   2.3%    92  4134    CHINA-TELECOM
     7  35.9%   2.1%    84  9277    THRUNET-AS-KR
     8  37.9%   2.0%    81  4813    CHINANET-GD
     9  39.8%   1.8%    74  3462    HiNet
    10  41.4%   1.6%    64  1221    TELSTRA-AS
    11  42.9%   1.5%    62  3352    Telefonica-Data-Espana
    12  44.3%   1.4%    57  3215    France Telecom Transpac
    13  45.7%   1.3%    54  3786    DACOM-NET
    14  47.0%   1.3%    53  7018    AT&T WorldNet Services 
    15  48.0%   1.0%    40  6327    ASN-SHAW
    16  49.0%   1.0%    40  10530   INTERPACKET
    17  49.9%   0.9%    36  unk     
    18  50.7%   0.8%    33  7843    ADELPHIA-AS
    19  51.5%   0.8%    33  7482    APOL
    20  52.3%   0.8%    31  12491   IPPLANET-AS
    21  52.9%   0.7%    27  20115   CHTR-BB
    22  53.6%   0.6%    26  7015    Comcast Cable Communications Holdings, Inc 
    23  54.2%   0.6%    24  4837    China-Network-Communications-Group
    24  54.7%   0.6%    23  9116    Goldenlines main autonomous system
    25  55.3%   0.6%    23  4812    CHINANET-SH-AP
    26  55.9%   0.6%    23  22047   VTRNet
    27  56.4%   0.5%    22  4670    SHINBIRO-AS
    28  57.0%   0.5%    22  22572   INFOSAT-IP
    29  57.5%   0.5%    22  17175   NSS-UK
    30  58.1%   0.5%    21  5615    TISNL-BACKBONE



Results for March, 2004 (partial):

  Note: Telecom Namibia is largely present due to a single misconfigured
  C/R system, and shouldn't be read as a representative experience.
  
  Total spams: 1494

  Rank  Cum %   Pct  Spams  ASN     Description
  ----  -----   ---- -----  -----   -------------
     1  16.6%  16.6%   245  4766    KT-NET
     2  21.3%   4.7%    70  7132    SBCIS-BACKBONE-ASN
     3  25.6%   4.3%    64  9318    HANARO-AS
     4  29.9%   4.3%    63  20459   Telecom Namibia
     5  32.8%   2.9%    43  1221    TELSTRA-AS
     6  35.5%   2.6%    39  4134    CHINA-TELECOM
     7  37.8%   2.3%    34  4813    CHINANET-GD
     8  39.4%   1.7%    25  3786    DACOM-NET
     9  41.1%   1.6%    24  3352    Telefonica-Data-Espana
    10  42.6%   1.5%    22  9277    THRUNET-AS-KR
    11  44.0%   1.5%    22  3462    HiNet
    12  45.1%   1.0%    15  3215    France Telecom Transpac
    13  46.0%   0.9%    14  7018    AT&T WorldNet Services
    14  46.9%   0.9%    13  9116    Goldenlines main autonomous system
    15  47.8%   0.9%    13  20115   CHTR-BB
    16  48.6%   0.8%    12  4812    CHINANET-SH-AP
    17  49.4%   0.8%    12  unk
    18  50.2%   0.8%    12  3269    ASN-IBSNAZ
    19  51.0%   0.8%    12  22047   VTRNet
    20  51.8%   0.7%    11  7482    APOL
    21  52.5%   0.7%    11  6327    ASN-SHAW
    22  53.2%   0.7%    11  -       Query timed out
    23  53.9%   0.7%    10  8151    Latin American and Caribbean IP address Regional Registry
    24  54.6%   0.7%    10  6128    CV-INET
    25  55.3%   0.7%    10  12491   IPPLANET-AS
    26  55.9%   0.6%     9  27699   TSP
    27  56.5%   0.6%     9  17175   NSS-UK
    28  57.1%   0.6%     9  13066   RETECAL
    29  57.6%   0.5%     8  9121    TTNet
    30  58.2%   0.5%     8  4837    China-Network-Communications-Group


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Rules of Spam:  #3:  Spammers are stupid.
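The lookup and the per-ASN roll-up described in the post above, as an added, self-contained example that is not Karsten's LART script or any code from the list. It builds the reversed-quad name under asn.routeviews.org for an IPv4 address, parses the `host -t txt` answer lines (three quoted strings: origin ASN, prefix, prefix length), picks the longest covering prefix when several are returned, and then aggregates a log of spam origins into the Rank / Cum % / Pct / Spams / ASN table format used in the post. The two answer lines from the post are reused as-is; the spam log uses RFC 5737 documentation addresses and reserved ASNs 64496/64497 and is constructed sample data, not measurements. No DNS queries are made, so it runs offline.

```python
"""Spam-by-ASN: routeviews lookup-name construction, TXT-answer parsing,
and per-ASN aggregation.  Added example; not the original post's scripts."""
import ipaddress
import re
from collections import Counter

ASN_ZONE = "asn.routeviews.org"

# The two answer lines quoted in the post for www.svlug.org (66.218.54.136).
POST_ANSWER = [
    '136.54.218.66.asn.routeviews.org text "19817" "66.218.52.0" "22"',
    '136.54.218.66.asn.routeviews.org text "19817" "66.218.32.0" "19"',
]

# Constructed sample log: (source IP, origin ASN or None on lookup failure,
# AS description).  Documentation addresses and reserved ASNs only.
SAMPLE_LOG = [
    ("192.0.2.10", 4766, "KT-NET"), ("192.0.2.11", 4766, "KT-NET"),
    ("192.0.2.12", 4766, "KT-NET"), ("192.0.2.13", 4766, "KT-NET"),
    ("192.0.2.14", 4766, "KT-NET"),
    ("198.51.100.5", 9318, "HANARO-AS"), ("198.51.100.6", 9318, "HANARO-AS"),
    ("198.51.100.7", 9318, "HANARO-AS"),
    ("203.0.113.9", 7132, "SBCIS-BACKBONE-ASN"),
    ("203.0.113.99", None, ""),          # DNS query timed out
]

_TXT_RE = re.compile(r'"(\d+)"\s+"([\d.]+)"\s+"(\d{1,2})"')


def routeviews_name(ip):
    """Reversed dotted quad under asn.routeviews.org.
    66.218.54.136 -> 136.54.218.66.asn.routeviews.org.  Non-IPv4 input raises."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + ASN_ZONE


def parse_routeviews_txt(answer_lines):
    """Turn `host -t txt` output lines into (asn, IPv4Network) tuples.
    Lines that do not carry the three quoted strings are ignored."""
    hits = []
    for line in answer_lines:
        m = _TXT_RE.search(line)
        if not m:
            continue
        asn, prefix, plen = m.groups()
        hits.append((int(asn), ipaddress.IPv4Network(f"{prefix}/{plen}", strict=False)))
    return hits


def most_specific_asn(ip, hits):
    """Several prefixes may cover the address (the post shows a /22 inside a
    /19); the longest match is the one whose origin ASN announces it.
    Returns None when no returned prefix covers the address."""
    addr = ipaddress.IPv4Address(ip)
    covering = [(asn, net) for asn, net in hits if addr in net]
    if not covering:
        return None
    return max(covering, key=lambda h: h[1].prefixlen)[0]


def tally_by_asn(records):
    """Aggregate (ip, asn, description) records into table rows
    (rank, cum_pct, pct, count, asn_label, description), most spam first.
    Failed lookups are grouped under 'n/a' / 'Query timed out' as in the post."""
    counts, descr = Counter(), {}
    for _ip, asn, desc in records:
        key = str(asn) if asn is not None else "n/a"
        counts[key] += 1
        descr.setdefault(key, desc if asn is not None else "Query timed out")
    total = sum(counts.values())
    rows, cum = [], 0
    # Sort by count descending; tie-break on the ASN label so output is stable.
    for rank, (key, n) in enumerate(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])), 1):
        cum += n
        rows.append((rank, 100.0 * cum / total, 100.0 * n / total, n, key, descr[key]))
    return rows


def render_table(rows, top=30):
    """Render rows in the post's column layout, cut off at the top N sources."""
    lines = ["  Rank  Cum %   Pct  Spams  ASN     Description",
             "  ----  -----   ---- -----  -----   -------------"]
    for rank, cum, pct, n, asn, desc in rows[:top]:
        lines.append(f"  {rank:4d} {cum:5.1f}% {pct:5.1f}% {n:5d}  {asn:<7} {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(routeviews_name("66.218.54.136"))
    print("origin ASN:", most_specific_asn("66.218.54.136", parse_routeviews_txt(POST_ANSWER)))
    print(f"Total spams: {len(SAMPLE_LOG)}\n")
    print(render_table(tally_by_asn(SAMPLE_LOG)))
```

To use it against real mail, replace SAMPLE_LOG with the (ip, asn, description) triples your own logger collects; the TXT parser accepts `host -t txt` output directly, and the longest-prefix choice matters whenever routeviews returns both an aggregate and a more specific announcement for the same address.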
