By John S. Quarterman, Markus Sammallahti, Huaxia Rui, and Andrew B. Whinston, July 2009.
On Tuesday 2 June 2009, the U.S. Federal Trade Commission (FTC) took legal steps that shut down the web hosting provider Triple Fiber network (3FN.net). What effects did that have on spam sent from specific Autonomous Systems (ASes), as observed by changes in listings in anti-spam blocklists?
3FN's own ASN, AS13768 PEER1, was not highly listed on blocklists, because 3FN was not a sender of spam, it was allegedly used to control botnets that sent spam from elsewhere. Marshal8e6 has say they saw 3FN controling botnets, in particular PUSHDO. While they saw only about a 15% drop in overall spam for that week, they saw a much more pronounced drop in spam from PUSHDO for that week. Marshal8e6 does not examine spam per ASN in detail, but our project does.
Our IIAR Project (NSF Award #0831338 CT-ISG: Collaborative Research: Incentives, Insurance and Audited Reputation: An Economic Approach to Controlling Spam) records in a database daily data from half a dozen anti-spam blocklists. We did a database search for ASNs that had a precipitous drop (more than 50%) in blocklist listings starting on or shortly after 2 June 2009. One blocklist, CBL, showed several such ASNs.
Graph of all the ASNs from the CBL results
Apparently there was some data collection glitch on 30 May 2009, but ignoring that day there's a clear pattern of increased or stable listings until 1 June, and then big decreases. The biggest drops come on 1 and 5 June.
Graph all except the biggest diff ASN from the CBL results
Without the ASN with the biggest diff (15149, ezzi.net, a hosting service), the pattern is even clearer. It's also clear that all these ASNs only had very few hosts listed to start with. Volume information could be quite useful here.
Conclusions and Further Work
It is perhaps significant that it was CBL that showed these results, since CBL is the blocklist that appears to concentrate most on tracking botnets. Unfortunately, even this relatively marked apparent effect of a hosting ISP shutdown was only short-lived. Botherders simply moved elsewhere, and spammers resumed spamming, using bots controlled from elsewhere, and often on different hosts. Real progress in fighting spam and bots will require more than the occasional intervention by the FTC.Since that early June event, we have started receiving volume data from CBL, so for further events of this type we should be able to show even more precision in results.
Lists of ASN Results
All Results
Showing the results of this trend sorted by R:TREND: D1(yyyy-mm-dd) D2(yyyy-mm-dd) R [ R = (hD2 - hD1) / hD1 ]
| ASN | Blocklist | H1 | H2 | R |
|---|---|---|---|---|
| 15149 | cbl | 19 | 1 | -18 |
| 14166 | ubl | 14 | 1 | -13 |
| 21949 | cbl | 8 | 1 | -7 |
| 14159 | cbl | 6 | 1 | -5 |
| 26146 | cbl | 6 | 1 | -5 |
| 12175 | ubl | 5 | 1 | -4 |
| 13673 | ubl | 15 | 3 | -4 |
| 13787 | psbl | 5 | 1 | -4 |
| 17143 | cbl | 5 | 1 | -4 |
| 11563 | psbl | 4 | 1 | -3 |
| 12175 | psbl | 4 | 1 | -3 |
| 12231 | ubl | 4 | 1 | -3 |
| 14559 | cbl | 4 | 1 | -3 |
| 16527 | cbl | 4 | 1 | -3 |
| 16717 | cbl | 4 | 1 | -3 |
| 19176 | cbl | 4 | 1 | -3 |
| 210 | cbl | 4 | 1 | -3 |
| 30174 | ubl | 4 | 1 | -3 |
| 32233 | cbl | 4 | 1 | -3 |
| 40311 | ubl | 4 | 1 | -3 |
| 46757 | ubl | 12 | 3 | -3 |
| 25636 | cbl | 11 | 3 | -2.7 |
| 26769 | cbl | 11 | 3 | -2.7 |
| 12270 | ubl | 7 | 2 | -2.5 |
| 30064 | ubl | 7 | 2 | -2.5 |
| 12262 | ubl | 24 | 7 | -2.4 |
| 3112 | cbl | 13 | 4 | -2.3 |
| 36752 | ubl | 10 | 3 | -2.3 |
Just the CBL results
| ASN | Blocklist | H1 | H2 | R |
|---|---|---|---|---|
| 15149 | cbl | 19 | 1 | -18 |
| 21949 | cbl | 8 | 1 | -7 |
| 14159 | cbl | 6 | 1 | -5 |
| 26146 | cbl | 6 | 1 | -5 |
| 17143 | cbl | 5 | 1 | -4 |
| 14559 | cbl | 4 | 1 | -3 |
| 16527 | cbl | 4 | 1 | -3 |
| 16717 | cbl | 4 | 1 | -3 |
| 19176 | cbl | 4 | 1 | -3 |
| 210 | cbl | 4 | 1 | -3 |
| 32233 | cbl | 4 | 1 | -3 |
| 25636 | cbl | 11 | 3 | -2.7 |
| 26769 | cbl | 11 | 3 | -2.7 |
| 3112 | cbl | 13 | 4 | -2.3 |
Acknowledgement:
This material is based upon work supported by the National Science Foundation under Grant No. 0831338. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
| Next > |
|---|
