Interesting People mailing list archives

more on Quake cuts off much of Asia Internet


From: David Farber <dave () farber net>
Date: Fri, 29 Dec 2006 08:03:14 -0500



Begin forwarded message:

From: Suresh Ramasubramanian <suresh () hserus net>
Date: December 28, 2006 7:51:33 PM EST
To: Brett Glass <brett () lariat net>
Cc: dave () farber net
Subject: Re: [IP] Quake cuts off much of Asia Internet

Brett Glass [28/12/06 10:10 -0700]:
> Hong Kong's spam-consciousness has improved significantly over the past six months (perhaps due to publicity; Spamhaus had rated it the number one source of spam worldwide). But it's still relatively high on the list, and

Nope - China's ever had Hong Kong beat .. I don't recall any single time -
not in the last few years at least (e&oe sudden spikes) where HKG topped
China in this matter [at least SBL listings wise], sure I could be wrong

> it is one of the countries from which we've seen spam traffic drop the most since the outage. We've also seen a big drop in spam from Taiwan and Korea.

You'd have seen almost all traffic drop from China, Taiwan and Hong Kong; North Asia (Japan, and to a lesser extent Korea) seems to have been rather less affected. Right now regional connectivity seems largely in place,
but lots of routes are missing from there wrt int'l connectivity.

Korea's not been "on my radar" as heavily as the US / China - and it is
quite close to quite a few other countries of a comparable size [Poland,
Turkey etc] that have large metro broadband networks and comparatively
poorer security on user PCs.

> While our ISP is small compared to, say, AOL, it is far bigger than "friends and family on an ISP line." Even though we compete with the phone company,

Brett - I know you. And I loved those sendmail rulesets you wrote. And I
know what lariat.net is. That was [1] meant to sting a bit and [2] to put
your mail traffic in perspective .. a small local ISP, or even a large
local ISP, is not very likely to see the kind of international mail traffic
Hotmail, AOL or Yahoo [or even a nationwide service like Earthlink] is
going to see. Your entire view of the email world is going to be different - and colored by who your users regularly exchange email with .. which in a
one-horse burg like Laramie is likely to be almost entirely local, or
within CONUS / Canada.

> What's more, since we get hundreds of thousands of spam attempts daily, we have plenty of data from which to generate statistics. It's important

Yes - but you need a diverse enough sample of users for that data to bear any reasonable relationship with global email trends. Small-town America
is just not likely to provide that kind of sample.

Several hundred thousand spam attempts .. well, we get that in a minute.
This is something I had my colleagues knock together a few months ago, back when we were being hit with an extra-large amount of bot-generated virus /
spam traffic [one of those periodic spikes]:

http://www.hserus.net/old/images/minute.png

That's 1030591 SMTP connections rejected vs. 90341 messages accepted across
our servers, in one minute. Again, not a "my mail farm is bigger than
yours" thing - just trying to put things in a bit of perspective.

> for the current list) than any other country. However, we see more
> attempted spams from Asia, Poland, Mexico, Brazil, and Argentina
> than we do from all US sources combined. We also see a difference

Poland - a large broadband provider or two. Mexico and Brazil - broadband again [and yeah, crackers / skript kiddies too]. There's Turkey as well ..
quite a few of these are at or near the top of our radar at times.

This presentation has some nicer stats from what we saw a few months ago: <http://www.itu.int/osg/spu/cybersecurity/2006/presentations/ramasubramanian-16-may-2006.pdf>

Summary - we see individual Chinese and Korean ISPs contributing
significant percentages of spam (ditto ISPs like Telefonica Spain / Peru,
TPNet Poland, Verizon etc). But when it comes to spam percentages per
country - US: 25.85%, China 17.68%, Korea way lower down at 6.73%, while
Russia, Poland, France, Spain, Germany, Brazil and Peru are all in the 2.4
to 3.8% range ...

> in the types of machines that are sending the spam. Most US sources
> are "zombies" -- machines attached to DSL, FIOS, or cable modem

Most of the Chinese and Korean SMTP connections are zombies too. There's
broadband out there that most US customers would sell their grandmothers
for - available at far cheaper prices. Unfortunately, you can also buy a
knockoff copy of XP for about the cost of a coffee at Starbucks. And so no
surprise most new PCs come with trojans preinstalled ..

> that we've blocked them. Far more of the offshore sources seem to be machines that have been set up specifically to spam. They are

I see those too - and the SBL has most of the Chinese spammer hosting space quite well covered, but there's more elsewhere too. And spam volumes from
bots have been driving mail traffic way, way up compared to the good old
days when all spammers did was to buy colocated servers and spam through them .. [yup they still do that too, and install mass-mailer bots on cheap webhosting servers, spam through those, or abuse insecure CGI/PHP scripts]

> But far more of the sources seem to be actual spammer operated machines
> seems a bit strange, and I don't think my data can support that very much

Sure - some of your users could have ended up on a few local spammers'
lists (and a lot of the local spammers in that region are still following that time-honored old spammer practice of spamming direct from their home ADSL lines, though port 25 blocking is catching on a lot in HKG / Japan and other countries). But really - that volume is detectable, trivial to damp
them down .. and certainly not as much as the botnet-generated spam from
infected PCs that you get from those ranges.

Most of the "static" spam source issues in China are not direct spam sends
- that's all moved to hosting websites, DNS etc for spam operations.

        srs

ps: If you want to familiarize yourself with the spam issues out there, try
these presentations, they might help:
http://wiki.apcauce.org/index.php/APCAUCE_2006


