[79319] in North American Network Operators' Group


Re: botted hosts

daemon@ATHENA.MIT.EDU (Dave Rand)
Sun Apr 3 13:22:53 2005

From: dlr@bungi.com (Dave Rand)
Date: Sun, 3 Apr 2005 10:22:27 -0700
In-Reply-To: Petri Helenius's message on Apr  3, 19:13.
To: Petri Helenius <pete@he.iki.fi>, Nanog <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu


[In the message entitled "botted hosts" on Apr  3, 19:13, Petri Helenius writes:]
> 
> I run some summaries about spam-sources by country, AS and containing 
> BGP route.
> These are from a smallish set of servers whole March aggregated. 
> Percentage indicates incidents out of total.
> Conclusion is that blocking 25 inbound from a handful of prefixes would 
> stop >10% of spam.
> 

This would be correct.  In the bigger perspective, blocking port 25 on all
ISP's consumer circuits would currently stop over 99% of the spam.  Yes,
spammers would adjust to this over time.  It is still a great idea to block
port 25 by default, and unblock it on customer request.

The problem has always been that ISPs do not see any tangible benefit to
stopping spam *leaving* their networks.  Even the largest networks, some who
complain that "if only other networks would stop their spam", have serious,
and long term spam leaving their networks.

From my (limited) view of the world, involving only about 200 Million spams
that I logged last month (down from 230M in February), here's what I see:

Logged Spam by country:
 Percent Country
   24.64 REPUBLIC OF KOREA
   21.96 UNITED STATES
   15.45 CHINA
    4.21 CANADA
    4.02 FRANCE
    3.38 SPAIN
    3.33 JAPAN
    2.03 BRAZIL
    1.52 UNITED KINGDOM
    1.48 ITALY
 

The Kelkea (what used to be MAPS) DUL, with more than 150 million entries in
it stopped about 41% of the spam last month.  The QIL, a new product, stopped
about 55%, with the remainder being stopped by the RBL, OPS and RSS.  A view
of this from a different perspective (an unrelated ISP) is available at
http://status.hiwaay.net/spam.html

That means that if just the ISPs that we have identified as having
"dynamically assigned" addresses were to install port 25 blocking, more than
1/3 of the spam would vanish.

Compromised computers are a large problem today.  Before that, it was open
proxies.  Before that it was open relays.  Before that it was stolen ISP
accounts...

From the ISP perspective, here's what I see:

Percent    ASN Name
  10.80   4766 KIXS-AS-KR Korea Telecom
   6.24   4134 CHINANET-BACKBONE No.31,Jin-rong Street
   4.08   9318 HANARO-AS HANARO Telecom
   3.62   4812 CHINANET-SH-AP China Telecom (Group)
   2.00   5690 VIANET-NO - Via Computer and Communications (ViaNet)
   1.99   4837 CHINA169-BACKBONE CNCGROUP China169 Backbone
   1.97   7132 SBIS-AS - SBC Internet Services
   1.73   6478 ATT-INTERNET3 - AT&T WorldNet Services
   1.63   9277 THRUNET-AS-KR THRUNET
   1.38  12322 PROXAD AS for Proxad ISP

In summary, yes, blocking port 25 from a handful of prefixes would in fact
block more than 10% of the spam now being received.  The bigger issue is
getting the ISPs to see that they in fact have a problem, and they need to
work on it.

As always, I have details available for any time period, for any ISP that
cares.  I can extract details by address range, ASN, or pretty much anything
else you want.

-- 
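An aggregation in the spirit of the per-country and per-ASN summaries in the post, added here as an example and not code from the post or from the list: it assumes a constructed route table (prefix, ASN, country, dynamically assigned flag) and constructed log lines, does a longest-prefix match per source address, and reports what share of incidents originate from prefixes flagged as dynamically assigned, i.e. what default port-25 blocking on those ranges would cover.

```python
"""Summarize spam-source log lines by containing prefix, ASN and country,
and estimate the share that port-25 blocking on dynamic ranges would remove."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample route table: prefix -> (ASN, country, dynamically assigned?).
# ASNs and prefixes are documentation/private-use values, not real allocations.
ROUTES = {
    "203.0.113.0/24":   (64500, "KR", True),
    "203.0.113.128/25": (64500, "KR", False),  # static customer block inside the /24
    "198.51.100.0/24":  (64501, "US", True),
    "192.0.2.0/24":     (64502, "CN", False),
}
# Sort longest prefix first so the first containing network wins.
ROUTE_OBJS = sorted(((ip_network(p), v) for p, v in ROUTES.items()),
                    key=lambda t: t[0].prefixlen, reverse=True)

# Constructed log lines, one incident per line: "<epoch> <source-ip>".
SAMPLE_LOG = """\
1112000000 203.0.113.10
1112000001 203.0.113.200
1112000002 198.51.100.7
1112000003 192.0.2.9
1112000004 203.0.113.11
1112000005 10.0.0.1
"""

def lookup(ip):
    """Longest-prefix match; returns (network, route info) or None if unrouted."""
    addr = ip_address(ip)
    for net, info in ROUTE_OBJS:
        if addr in net:
            return net, info
    return None

def percentages(counter, total):
    """Percent of total per key, highest first, rounded to two decimals."""
    return {k: round(100 * v / total, 2) for k, v in counter.most_common()}

def summarize(log_text):
    """Percent of incidents per country, ASN and prefix, plus the percent
    that came from dynamically assigned prefixes."""
    by_country, by_asn, by_prefix = Counter(), Counter(), Counter()
    total = dynamic = 0
    for line in log_text.splitlines():
        _, ip = line.split()
        hit = lookup(ip)
        if hit is None:
            continue  # unrouted/bogon source: not attributable to any ISP
        net, (asn, cc, is_dyn) = hit
        total += 1
        by_country[cc] += 1; by_asn[asn] += 1; by_prefix[str(net)] += 1
        dynamic += int(is_dyn)
    return {"country": percentages(by_country, total),
            "asn": percentages(by_asn, total),
            "prefix": percentages(by_prefix, total),
            "dynamic_pct": round(100 * dynamic / total, 2)}
```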
