Discussion:
Research-y
Barry Shein
2013-03-26 17:15:40 UTC
Here's a research-y topic:

How will the various expansions of the network space affect spam and
related? Can we put more flesh on these bones than "a lot!"

1. IPv6 address space expansion
2. 1000+ new TLDs
3. IDN (Int'l'ized domain names, Chinese, Arabic, etc)
4. Just growth in general, any correlation worth reporting
or extrapolating?
5. Expansion of mobile etc (smartphones, tablets.) Have there
been any smartphone botnets (yet)?
6. Evolution of internet governance, for example would entry
of the ITU/WCIT as a significant governance/regulatory body
affect current or likely anti-spam measures? Jurisdiction?

One issue I see is that every govt'l or pseudo-govt'l body which steps
up to the plate imagines in their mind's eye that they merely need to
identify what they don't want (e.g., their culture's definition of
"porn"), say it must not be possible -- think of the children!, and
that makes it so.

I often suggest back that humanity would be better served if they
would just outlaw cancer.

But expansion and diffusion of internet governance loci (since no
one's in charge of the internet everyone's in charge) is growing
rapidly as lawmakers around the world discover its power. Even the
Pope tweets!

Seems like a big subject, yet important enough to be able to say some
general words on each topic as a group.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
Richard Clayton
2013-03-26 18:07:55 UTC
I'm going to have one more go at sending email to this list to determine
if the list owner has finally fixed the censoring block (it's hardly
"anti-spam" if it discards irrespective of content) -- which means that
everything I have tried to say so far has been discarded...

- -=-=-
Post by Barry Shein
> How will the various expansions of the network space affect spam and
> related? Can we put more flesh on these bones than "a lot!"
we could probably say, "not very much"
Post by Barry Shein
> 1. IPv6 address space expansion
Some people seem determined to continue to give reputations to IPv6
addresses (rather than moving to some other descriptor). That means that
in such a world it is entirely rational for large providers (where large
might be a 100 customer ESP company, or a brand with x00 million
customers) their own IPv6 address (range?) each.

That way each individual marketer or each individual webmail account
holder gets to maintain their own reputation -- and the recipient system
can check the reputation without all the hassle of parsing From: data
and checking the crypto is sufficiently valid to trust it.

This will be a mess, but a relatively tractable one ...

For everyone else it's merely a case of documenting the cut-point (the
size of their IPv6 allocation) and treating every address within that
range the same. Whether we'll see public services providing data about
cut point or whether you will buy in the dataset from reputation
specialists is currently unclear.

However this may never happen.

It is quite possible that IPv6 will only ever (for a decade or more) be
used for mail transfer from end users to smarthosts (where possession of
appropriate local identification credentials will be what matters) --
and smarthosts will continue to talk solely over IPv4 to each other ...

Essentially the ecosystem will treat possession of an IPv4 address as a
"clue test" and it will be seen as an easy way of excluding end user
address space without all the bother of consulting incomplete databases
or speculatively parsing reverse DNS strings
Post by Barry Shein
> Seems like a big subject, yet important enough to be able to say some
> general words on each topic as a group.
The actual research is to document, on an ongoing basis, the amount of
email transferred between MTAs by IPv6 -- preferably excluding the
"early adopter" community who have been doing it in order to provide PR
for IPv6 rather than because of any real perceived value.

- --
Dr Richard Clayton <***@cl.cam.ac.uk>
tel: 01223 763570, mobile: 07887 794090
Computer Laboratory, University of Cambridge, CB3 0FD
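
The cut-point idea in the message above, sketched as an added example that is not part of the original post: every address inside a documented allocation unit shares one reputation entry. The prefixes, cut sizes and the default /64 are constructed assumptions, and `reputation_key` and `tally` are hypothetical names.

```python
import ipaddress
from collections import defaultdict

# Constructed cut-point table (documentation prefix 2001:db8::/32 only):
# allocation -> prefix length that one customer or sender receives.
CUT_POINTS = {
    "2001:db8:a000::/36": 48,   # hypothetical ISP: one /48 per customer
    "2001:db8:b000::/36": 128,  # hypothetical ESP: one address per sender
}
DEFAULT_CUT = 64  # assumption: undocumented space is scored per /64


def reputation_key(addr, cut_points=CUT_POINTS, default_cut=DEFAULT_CUT):
    """Map a source address to the network whose reputation it shares."""
    ip = ipaddress.IPv6Address(addr)
    best_len, cut = -1, default_cut
    for prefix, prefix_cut in cut_points.items():
        net = ipaddress.IPv6Network(prefix)
        # Longest matching allocation wins, as in routing.
        if ip in net and net.prefixlen > best_len:
            best_len, cut = net.prefixlen, prefix_cut
    # strict=False masks off the host bits below the cut-point.
    return ipaddress.IPv6Network(f"{ip}/{cut}", strict=False)


def tally(events):
    """Count (messages, spam) per reputation key from (address, is_spam) pairs."""
    counts = defaultdict(lambda: [0, 0])
    for addr, is_spam in events:
        entry = counts[str(reputation_key(addr))]
        entry[0] += 1
        entry[1] += int(is_spam)
    return {key: tuple(value) for key, value in counts.items()}


# Constructed delivery log: (source address, classified as spam?)
SAMPLE_EVENTS = [
    ("2001:db8:a001:1::10", True),     # same customer /48, ...
    ("2001:db8:a001:ffff::1", True),   # ... hopping to another /64 inside it
    ("2001:db8:a002::5", False),       # neighbouring customer, separate /48
    ("2001:db8:b000::25", False),      # ESP sender with its own address
    ("2001:db8:b000::26", True),       # adjacent ESP sender, scored separately
    ("2001:db8:c000:1:2::3", True),    # no documented cut-point: default /64
]

if __name__ == "__main__":
    for key, (total, spam) in sorted(tally(SAMPLE_EVENTS).items()):
        print(f"{key:28} messages={total} spam={spam}")
```

Address hopping inside one customer's /48 lands on a single entry, while the per-sender /128 range keeps adjacent senders apart.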

John Levine
2013-03-26 23:54:39 UTC
Post by Richard Clayton
> I'm going to have one more go at sending email to this list to determine
> if the list owner has finally fixed the censoring block (it's hardly
> "anti-spam" if it discards irrespective of content) -- which means that
> everything I have tried to say so far has been discarded...
Well, here's a question. Richard was sending mail from Demon, which a
long time ago was squeaky clean, but in recent years has sent 100%
spam to my network until a few messages he tried to send last week.
(I have logs.)

It's a wide range of spam. One recent example was some sort of
religious press release sent to an address that sorta kinda used to be
OK and was on some 1995 list of editors, but has been rejecting mail
for many years. A lot of it is 419 spam. But other than his
messages, it's all been spam.

So how do I tell the 100% spam sources that might turn out to be
99.98% spam sources and leak a real message or two from the 100% spam
sources that won't?

PS: One of them had this transcendent hash buster:

Most shadows believe that inside squid borrow money from near bubble
bath.Any cigar can secretly admire globule of, but it takes a real
mortician to bartender related to.When you see beyond girl scout, it
means that coward inside daydreams.Unlike so many necromancers who
have made their gratifying customer to us.Still teach her from movie
theater behind, assimilate her from sheriff with plaintiff of cashier.

Kurt M
2013-03-27 08:30:13 UTC
Post by John Levine
Post by Richard Clayton
> I'm going to have one more go at sending email to this list to determine
> .........
Post by John Levine
> Well, here's a question. Richard was sending mail from Demon, which a
> long time ago was squeaky clean, but in recent years has sent 100%
> ........
Post by John Levine
> So how do I tell the 100% spam sources that might turn out to be
> 99.98% spam sources and leak a real message or two from the 100% spam
> sources that won't?
ASRG could do as Ralph Nader did: list these ISPs not supporting in a
"yearly" problem list, describe the problem and send it to reasonable
"neutral" global news conglomerates' news desks, as well as key newspapers
around the world, pulling the ISP's pants down. Doesn't handle spammers, yes,
but involved, normal ISPs now not caring. No board nor CEOs want to lose
face publicly; it tends to hurt their bonuses in a noticeable way.

Let the news people ask the unpleasant questions, they love "killing"
corporate spokesmen, but they do not understand the issue since their
mailboxes usually are 99.8% spam free. Supply them with trustworthy data and
cases. Make it news, as Nader did.

Compile a yearly, for news people readable, "State of the Spam" and get a
Ralph Naderish spokesman. If done right, it can prove to be a real incentive
for ISPs to ID customers having spambots etc.

Can't be done?

Look at this, far from complete, but still usable map from Cert.se,
www.cert.se/megamap/ , over current infected Swedish units, a lot being
spambots. Cert.se have a number of NETNOD.se national exchange points they
measure at. Cert.se notifies the ISPs, but no idea if the ISPs are contacting
the stricken user. However, the map changes with time.

Data from the last month:

Type of source      IPs id'ed   Log entries
-------------------------------------------
ISP                     14992         57110
Web hotels               8066         30129
Key corporations         2619          5346
Other corporates         1239          5362
Municipalities            124           726
Universities               81           431

Neil Schwartzman
2013-03-27 12:57:48 UTC
Post by Kurt M
> Compile a yearly, for news people readable, "State of the Spam" and get a
> Ralph Naderish spokesman. If done right, it can prove to be a real incentive
> for ISPs to ID customers having spambots etc.
> Can't be done?
What a great idea! Oh, wait.

http://www.spamhaus.org/statistics/networks/

The World's Worst Spam Support ISPs
As of 27 March 2013 the ISPs with the worst Abuse Departments and consequently the worst reputations for knowingly hosting illegal spam operations are:

1. cb3rob.net Number of Current Known Spam Issues: 127
2. hinet.net Number of Current Known Spam Issues: 120
3. idear4business.net Number of Current Known Spam Issues: 77
4. ovh.net Number of Current Known Spam Issues: 77
5. iliad.fr Number of Current Known Spam Issues: 70
6. airtel.in Number of Current Known Spam Issues: 53
7. telefonica.com.br Number of Current Known Spam Issues: 52
8. chinanet-gd Number of Current Known Spam Issues: 52
9. cat.net.th Number of Current Known Spam Issues: 50
10. uplus.co.kr Number of Current Known Spam Issues: 50


http://hostexploit.com/downloads/viewdownload/7/46.html
Abstract

As malware continues to evolve, and cybercriminals continue to learn, one particular fundamental remains constant – almost all malicious threats are physically hosted somewhere. For this reason, it remains as important as ever to examine hosting practices and standards and consider how they can be improved.

One such way is to measure levels of cybercriminal activity on servers around the world, and attempt to quantify the results. Such has been the aim of HostExploit’s World Hosts Report (formerly Top 50 Bad Hosts) since publication began in 2009. The quarterly reports examine all 43,000+ publicly-routed Autonomous Systems in the world, gathering data on infected websites, botnets, spam and other activity, before combining the research with trusted community sources and analyzing the results.

The report makes suitable reading for service providers, security professionals, webmasters and policymakers alike. For the most part, the reader is left to draw their own conclusions, as numbers speak for themselves. However, it should be stressed that most malicious content is not hosted knowingly – often it is as a result of inaction, and sometimes hosts can be the victims.

This quarter we see the return of Dutch hosting provider Ecatel to the #1 rank, having held the position at various times in the past. Ecatel does not top the rankings for any particular category of activity, but rather for a consistently poor showing across the board.




http://www.spamrankings.net
Which organizations send the most spam?

February 2013 Monthly World ∀ All from CBL Volume (Previous Month)

1 (1) AS 16276 OVH FR
2 (23) AS 17447 NET4INDIA IN
3 (27) AS 21844 THEPLANET-AS US
4 (4) AS 7643 VNPT-AS-VN VN
5 (215) AS 6724 STRATO DE
6 (17) AS 15201 UOL BR

AS 16276 OVH is still #1 but is finally getting a grip on its spam problem.

OVH was down from 19 million spam messages a day (38 million the previous month) to 2 at the end of February. AS 8685 DORUKNET also got a grip on its darkmailer2 problem. No worries for darkmailer2, though: all the other top 10 are infested by it, and all but AS 7643 VNPT-AS-VN got worse.



Both OVH and VNPT kept their former ranks yet spammed less. Only DORUKNET spammed less and improved its rank. The other seven all spammed more.

Rank (Previous) | Organization | Website | AS | Country | Volume (Previous) | Vol%
1 (1) | OVH Systems | www.ovh.com/fr/index.xml | AS 16276 OVH | FR | 284,910,621 (742,589,700) | 17%
2 (23) | Net4India Ltd. | www.net4.in/ | AS 17447 NET4INDIA | IN | 200,028,259 (90,959,551) | 12%
3 (27) | ThePlanet.com Internet Services Inc. | www.theplanet.com/ | AS 21844 THEPLANET-AS | US | 194,914,540 (64,029,949) | 11.7%
4 (4) | Vietnam Posts and Telecommunications (VNPT) | www.vnpt.com.vn/ | AS 7643 VNPT-AS-VN | VN | 180,285,185 (277,278,999) | 10.8%
5 (215) | Strato AG | www.strato.de/ | AS 6724 STRATO | DE | 144,373,753 (3,464,796) | 8.63%
6 (17) | Universo Online Ltda. | www.uol.com.br/ | AS 15201 UOL | BR | 138,311,682 (112,300,746) | 8.27%
7 (-) | CTI Systems | www.ctisystems.com/ | AS 41288 CTISYSTEMS-AS OOO | UA | 137,266,800 (-) | 8.21%
8 (88) | Korea Telecom | www.kt.com/eng | AS 4766 KIXS-AS-KR | KR | 134,142,424 (19,428,991) | 8.02%
9 (3) | DorukNet IstanbulTurkey | www.doruk.net.tr/ | AS 8685 DORUKNET | TR | 131,685,436 (324,544,788) | 7.87%
10 (60) | Hanaro Telecom Inc. | www.skbroadband.com/eng/ | AS 9318 HANARO-AS | KR | 126,776,114 (34,711,361) | 7.58%
Total | | | | | 1,672,694,814 | 100%
Kurt M
2013-03-27 13:32:57 UTC
Correct, what you included is the base material, but what do they tell a
journalist, making them inclined to do a piece on it? The story, making the
news?

Nader and similar researchers in other areas "marketed" such findings; they
never gave them straight out to the press, because those figures don't say a
thing to them, catching their attention, digging deeper. Nader had
basically no more than such data and some real life cases, but changed the
global automotive industry at its core, by taking the industry to the
cleaners.
Neil Schwartzman
2013-03-27 13:55:35 UTC
Post by Kurt M
> Correct, what you included is the base material, but what do they tell a
> journalist, making them inclined to do a piece on it? The story, making the
> news?
> Nader and similar researchers in other areas "marketed" such findings; they
> never gave them straight out to the press, because those figures don't say a
> thing to them, catching their attention, digging deeper.
Oh sorry, I forgot to include my .sig.



Neil Schwartzman
Executive Director
CAUCE - the Coalition Against Unsolicited Commercial Email
Mob: (415) 361-0069
Skype: (303) 800-6345
Web: http://cauce.org
Post by Kurt M
> Nader had
> basically no more than such data and some real life cases, but changed the
> global automotive industry at its core, by taking the industry to the
> cleaners.
CAUCE helped develop and pass CASL, the world's toughest anti-spam law, in Canada. CASL will have deep implications for anyone sending commercial electronic messages into or out of Canada, with fines up to $10,000,000 per email.

Beyond that, we work with the FTC, FCC, FBI, OFT, OECD, OPTA, ACMA, ICPEN, LAP, CRTC, ITU, MAAWG, APWG, and politicians and bureaucrats world-wide to develop, implement and deploy anti-abuse policy. Our board members have been heavily involved in virtually all of the highly publicized take-downs of botnets over the past decade.

While John Levine is no Nader, he is CAUCE president, and has had a direct hand in sending spammers to prison.

We can now stop re-inventing this particular wheel.
Kurt M
2013-03-27 17:11:49 UTC
Nice :-). Is CAUCE having any actions in this respect towards influential
press representatives; getting them interested to look into why nothing is done
on the ISP side, why the bad guys are allowed to continue? You should have real
cases, people affected, to give them.

Again, am aware that it's not catching all, but though systems like Brightmail,
grey-filtering, SpamAssassin, Spamhaus etc, we're more or less at the "same"
situation 10 years ago. Publicity could hurt some, leverage situation a bit,
since neither these ISPs nor the spammers want it.

Also, why not lobby for more national CERT-groups to do as CERT.Se does,
getting the good ISPs/trunk vendors to feel some pressure to help? As CERT.Se
shows, it's not completely invisible.
Martijn Grooten
2013-03-26 18:54:08 UTC
Post by Barry Shein
> 2. 1000+ new TLDs
YMMV, but I think most filters that look for domains in header and/or body can deal with this, as long as the number of TLDs remains relatively small and the list of TLDs doesn't change too often.

There are some edge cases, such as badly punctuated sentences suddenly containing valid domains, or TLDs used internally that are visible in some lower Received headers suddenly becoming global, but I don't think these are worth losing sleep over.
Post by Barry Shein
> 3. IDN (Int'l'ized domain names, Chinese, Arabic, etc)
Depending on how you detect domains/URLs in emails, this can be slightly more tricky to deal with, especially given the various character encodings, but at the end of the day, it's not rocket science either.

The other day, someone mentioned homographs used in IDNs, to create look-alike domains, but despite this being available for years, spammers aren't using it. They probably never will.

I don't think the new TLDs or IDNs are different enough from the current situation to require some proper research into how to deal with them, any more than a new weight loss product being advertised on Oprah next week will generate different spam.
Post by Barry Shein
4. Just growth in general, any correlation worth reporting
or extrapolating?
It might be an interesting project to do some research on how much spam is being sent, and how the number of spam emails has evolved over time. Most reports suggest that this number has declined in the past four years.
Post by Barry Shein
5. Expansion of mobile etc (smartphones, tablets.) Have there
been any smartphone botnets (yet)?
Yes. But, although there have been rumours to the contrary, I'm not aware of any mobile botnets that have been used for email spam. I don't know whether sending spam from a compromised mobile device is any more difficult than sending spam from a compromised PC (my gut feeling is that it isn't), but there are other, easier, ways to make money from a compromised phone.

Martijn.


________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Barry Shein
2013-03-28 19:25:48 UTC
Permalink
Another aspect of the expansion of the TLD space, both generic and
non-Latin scripts, is how users will respond to them in terms of
malmail (how's that for a catch-all term?)

Spoofing is an active topic, for example using some non-Latin
character such as the Greek omicron for an 'o' in a domain name, known
as a "homograph attack".

Beyond that is trying to predict or analyze user perceptions if and
when they start seeing new TLDs and IDNs.

To some extent they are exposed to a constant stream of new TLDs now
as ccTLDs such as .ME (Montenegro), .CO (Colombia), .PW (Palau I
believe, being sold as "professional web") try to market their TLDs
for new purposes.

But 1,000 new TLDs introduced over a year or so plus the expansion
into other scripts could change "common wisdom" about what can be
trusted and what cannot.

Particularly as marketing forces spend $BIGBUCKS to resist any
resistance and encourage acceptance.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
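
The homograph case raised in this thread (a Greek omicron standing in for a Latin 'o'), as an added example that is not part of any poster's message: a receiving-side check in Python that flags mixed-script labels and look-alikes of a protected domain. The `.example` domains, the protected list and the small confusables table are constructed assumptions, and deriving the script from Unicode character names only approximates the Unicode Script property.

```python
import unicodedata

# Constructed, deliberately tiny confusables table (assumption: a real
# filter would load the full Unicode confusables data instead).
CONFUSABLES = {"\u03bf": "o", "\u03b1": "a", "\u043e": "o", "\u0430": "a",
               "\u0435": "e", "\u0440": "p", "\u0441": "c"}
PROTECTED = {"bookshop.example", "cope.example"}  # constructed sample names

def ace(label):
    """Build the "xn--" form of a Unicode label (used for the samples)."""
    return "xn--" + label.encode("punycode").decode("ascii")

def to_unicode(label):
    """Decode an "xn--" label to Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Approximate the set of scripts in a label from character names."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are common to all scripts
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def skeleton(label):
    """Fold known look-alike characters to their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())

def check_domain(domain, protected=PROTECTED):
    """Return findings for one domain taken from a header or body."""
    labels = [to_unicode(l) for l in domain.rstrip(".").split(".")]
    findings = [("mixed-script", l) for l in labels if len(scripts(l)) > 1]
    folded = ".".join(skeleton(l) for l in labels)
    if folded != ".".join(labels).lower() and folded in protected:
        findings.append(("look-alike-of", folded))
    return findings

if __name__ == "__main__":
    for d in ("bookshop.example", ace("b\u03bfokshop") + ".example",
              ace("\u0441\u043e\u0440\u0435") + ".example"):
        print(d, check_domain(d))
```

The all-Cyrillic sample is reported only by the skeleton comparison, which is why a mixed-script test on its own is not enough.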
John Levine
2013-03-29 00:23:11 UTC
Permalink
Post by Barry Shein
Spoofing is an active topic, for example using some non-Latin
character such as the Greek omicron for an 'o' in a domain name, known
as a "homograph attack".
ICANN has complex rules not just about the TLDs, but about what kinds
of non-ASCII registrations they can accept that make homograph attacks
very difficult. You might want to familiarize yourself with them.

R's,
John
Ian Eiloart
2013-04-08 12:47:49 UTC
Permalink
Post by Barry Shein
I often suggest back that humanity would be better served if they
would just outlaw cancer.
They have. Fortunately, they were a bit more specific. They've outlawed various carcinogens. They've funded research. They've funded health care. They've promoted behavioural change. They've been somewhat successful.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
