Hall of Shame


AlphaCentauri

I like the Hall of Shame page. I would like to see some additional statistics (which I hope would encourage certain cable companies who recently got into broadband to feel challenged to get their spammers under control).

I notice that when you look up some IP numbers in the blacklist -- like Comcast -- you see spam coming from the same source on and off for over a month, and numerous other chronic spam sources in the "neighborhood." Other times you look up a number and it may be listed, but for less than a week, and all the other sources in its neighborhood are also only operating for a brief period. Sometimes you even report a spam within a couple hours of receiving it and see a note when you go to confirm it that the ISP has already taken action against the spammer.

Which ISPs are most responsive at shutting down spammers? Is there a way of rating the best and worst to encourage a little competition among them? That would seem more valid than how many spams come from one ISP, since the larger and faster growing ISPs will naturally be picking up more new spammers. You can't blame them for that as long as they shut them down as fast as possible once reported.

Link to comment
Share on other sites

Responsiveness to complaints is better than bureaucratic indifference, but it is far from the whole story. This is not an issue of an occasional spammer slipping in. There is a constant stream of this crap spewing out of their networks. Reliance on unpaid, beleaguered volunteers to notify them when yet another spammer is using their network is not enough. The ISPs, including the big ones treating this as a mass commodity market not requiring their attention to individual accounts, are doing this for profit. The big cable operators' inattention to their accounts allows them to undercut prices of smaller ISPs who pay attention to the quality of what they are doing. ISPs are going to have to take the responsibility for who they let onto their own networks, both for spam origination and spam web site hosting.

Link to comment
Share on other sites

The Hall of Shame makes interesting reading - but it only accounts for 3.575% of the total reported volume. This might go up if all addresses from the top 40 domains were added in (i.e. including their addresses not in the top 200), but I suspect (without real evidence) the increase might be slight. I think the page just implies the sheer scale of the spam abuse problem (the ++ thousands that constitute the other 96%).

[That was during Sat Apr 17. Similar results Apr 18 - 3.775% of total volume with 39 domains in the top 200 targets]

Link to comment
Share on other sites

Responsiveness to complaints is better than bureaucratic indifference, but it is far from the whole story. This is not an issue of an occasional spammer slipping in.  There is a constant stream of this crap spewing out of their networks.  ...

Yes, I agree, but when 90% of their users are new because the ISP itself is new, there are going to be a few slipping in. I know no one asked for a background check on me on any internet access I ever signed up for.

But the other extreme are ISPs which seem legitimate because of their other businesses, but which allow spammers prolonged access. For example:

24.5.248.156 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 4020 times by about 150 users. It has been sending mail consistently for at least 79.9 days. In the past 79.7 days, it has been listed 10 times for a total of 50.3 days

In the past week, this system has:

* Been reported as a source of spam less than 10 times
* Been detected sending mail to spam traps
* Been witnessed sending mail about 1110 times

Other hosts in this "neighborhood" with spam reports:

* 24.5.247.157
* 24.5.247.189
* 24.5.247.200
* 24.5.248.33

This source has been spewing spam for 80 days, and Comcast still hasn't shut it down. And they want to buy out the control freaks at Disney?

Link to comment
Share on other sites

  • 3 weeks later...

The big mover (strong growth trend in relative terms) in the Hall of Shame "domains" list is "lacking DNS". I'm utterly lacking in knowledge of the technology - what are these "non-domain" servers and what implications are there for SpamCop exercising any sort of influence over their activities? The context is that the absolute numbers of reported spam are reducing significantly (in the timeframe from 17 April) but the proportion of "top 200" within the total spam is increasing.

The data given in the Hall of Shame are well smoothed (each daily report contains data from 6 of the 7 days covered in the previous day's report) so trend analysis is hardly necessary. Anything which nevertheless shows as a significant trend treating the daily figures as discrete data is well assured of actually being significant. "lacking DNS" is showing a very pronounced and significant trend.

The time base is small as yet and, smoothed or not, the figures show a fair amount of volatility from one day to the next but for all that, the usual suspects are all hanging in there, whether or not they show a growth trend - Comcast.net, Optonline.net, Mindspring.com, Attbi.com, Shawcable.net, Charter.com, rr.com, Ameritech.net, Pacbell.net, etc. Domains go and come but these ones abide. Along with "lacking DNS".

Link to comment
Share on other sites

  • 1 month later...
The big mover (strong growth trend in relative terms) in the Hall of Shame "domains" list is "lacking DNS"

I would like to suggest that the "lacking DNS" block may be split up using the smart whois technology as used by whois.geektool.com or http://wp-whois-proxy.sourceforge.net/

As an example:

IP=211.34.96.11 is at the time of writing listed as the #3 most spamming IP and lacking DNS. A lookup using geektools.com shows:

Final results obtained from whois.apnic.net.

Results:

% [whois.apnic.net node-2]

% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 211.33.0.0 - 211.36.223.255

netname: KRNIC-KR

descr: KRNIC

descr: Korea Network Information Center

One could e.g. put ".kr" in the domain column of the "Hall of shame" statistics.

I'm aware that some IPs just end up dead like #4 on the list: 207.234.146.62 which points to (again according to geektools.com)

OrgName: CyberGate, Inc.

OrgID: CYBG

Address: 3250 W. Commercial Blvd. Suite 200

City: Ft. Lauderdale

StateProv: FL

PostalCode: 33309

Country: US

NetRange: 207.234.128.0 - 207.234.255.255

CIDR: 207.234.128.0/17

NetName: RUNNER-GATE

NetHandle: NET-207-234-128-0-1

Parent: NET-207-0-0-0-0

NetType: Direct Allocation

NameServer: NS.VALUEWEB.NET

NameServer: NS2.VALUEWEB.NET

Just my 0.01€

Niels Kristian Jensen

Denmark

Link to comment
Share on other sites
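The suggestion in the post above, labelling a "lacking DNS" address from its whois record, can be sketched as follows. This is an added example, not code from the thread or from SpamCop; the function names `parse_whois` and `label_for`, and the choice to fall back to the netname when the record has no country field, are assumptions of this sketch. It parses both record styles quoted in the post and refuses to label an address the record does not actually cover.

```python
import ipaddress
import re

# Excerpts of the two whois answers quoted in the post (APNIC and ARIN styles).
APNIC = """\
% [whois.apnic.net node-2]
inetnum: 211.33.0.0 - 211.36.223.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
"""
ARIN = """\
OrgName: CyberGate, Inc.
Country: US
NetRange: 207.234.128.0 - 207.234.255.255
CIDR: 207.234.128.0/17
NetName: RUNNER-GATE
"""

def parse_whois(text):
    """Return {lowercased key: first value}; '%' comment lines never match."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w-]*):\s*(\S.*)$", line)
        if m:
            # setdefault keeps the first of repeated keys such as 'descr'
            fields.setdefault(m.group(1).lower(), m.group(2).strip())
    return fields

def label_for(ip, whois_text):
    """Label for the statistics' domain column, or None if the record
    is unusable or does not cover the address."""
    f = parse_whois(whois_text)
    span = f.get("inetnum") or f.get("netrange")  # APNIC key vs ARIN key
    if not span:
        return None
    try:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in span.split("-"))
        if not lo <= ipaddress.ip_address(ip) <= hi:
            return None  # record describes a different block
    except (ValueError, TypeError):
        return None      # malformed range or mixed IPv4/IPv6
    if "country" in f:
        return "." + f["country"].lower()
    # Assumption of this sketch: no country field, so use the network name.
    return f.get("netname") or f.get("orgname")
```

The APNIC excerpt as quoted carries no country field, so the sketch reports the netname for 211.34.96.11 rather than guessing ".kr" from it.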

Archived

This topic is now archived and is closed to further replies.
