Begin forwarded message:
From: Suresh Ramasubramanian <[EMAIL PROTECTED]>
Date: December 28, 2006 7:51:33 PM EST
To: Brett Glass <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [IP] Quake cuts off much of Asia Internet
Brett Glass [28/12/06 10:10 -0700]:
> Hong Kong's spam-consciousness has improved significantly over the
> past six months (perhaps due to publicity; Spamhaus had rated it the
> number one source of spam worldwide). But it's still relatively
> high on the list, and
Nope - china's ever had hong kong beat .. I don't recall any single
time - not in the last few years at least (e&oe sudden spikes) where hkg
topped china in this matter [at least sbl listings wise], sure I could
be wrong
> it is one of the countries from which we've seen spam traffic drop
> the most since the outage. We've also seen a big drop in spam from
> Taiwan and Korea.
you'd have seen almost all traffic drop from China, Taiwan and Hong
Kong, north asia (Japan, and to a lesser extent Korea) seem to have been
rather less affected. Right now - regional connectivity seems largely in
place - but lots of routes missing from there, wrt int'l connectivity.
Korea's not been "on my radar" as heavily as the US / China - and it is
quite close to quite a few other countries of a comparable size [poland,
turkey etc] that have large metro broadband networks and comparatively
poorer security on user PCs.
> While our ISP is small compared to, say, AOL, it is far bigger than
> "friends and family on an ISP line." Even though we compete with
> the phone company,
Brett - I know you. And I loved those sendmail rulesets you wrote. And I
know what lariat.net is. That was [1] meant to sting a bit and [2] to
put your mail traffic in perspective .. a small local ISP, or even a
large local ISP is not very likely to see the kind of international mail
traffic hotmail, AOL or yahoo [or even a nationwide service like
Earthlink] is going to see. Your entire view of the email world is going
to be different - and colored by who your users regularly exchange email
with .. which in a one horse burg like Laramie is likely to be almost
entirely local, or within ConUS / Canada.
> What's more, since we get hundreds of thousands of spam attempts
> daily, we have plenty of data from which to generate statistics.
> It's important
Yes - but you need a diverse enough sample of users for that data to
bear any reasonable relationship with global email trends. Small town
america is just not likely to provide that kind of sample.
Several hundred thousand spam attempts .. well, we get that in a minute.
This is something I had my colleagues knock together a few months ago,
back when we were being hit with an extra large amount of bot generated
virus / spam traffic [one of those periodic spikes]:
http://www.hserus.net/old/images/minute.png
That's 1030591 smtp connections rejected v/s 90341 messages accepted
across our servers, in one minute. Again, not a "my mail farm is bigger
than yours" thing - just trying to put things in a bit of perspective.
> for the current list) than any other country. However, we see more
> attempted spams from Asia, Poland, Mexico, Brazil, and Argentina
> than we do from all US sources combined. We also see a difference
Poland - a large broadband provider or two. Mexico and Brazil -
broadband again [and yeah, crackers / skript kiddies too]. There's
turkey as well .. quite a few of these are at or near the top of our
radar at times.
This presentation has some nicer stats from what we saw a few months
ago:
<http://www.itu.int/osg/spu/cybersecurity/2006/presentations/ramasubramanian-16-may-2006.pdf>
Summary - we see individual chinese and korean ISPs contributing
significant percentages of spam (ditto ISPs like Telefonica spain /
Peru, TPNet poland, Verizon etc). But when it comes to spam percentages
per country - US : 25.85%, China 17.68%, Korea way lower down at 6.73%
while russia, poland, france, spain, germany, brazil and peru are all in
the 2.4 to 3.8% range ...
> in the types of machines that are sending the spam. Most US sources
> are "zombies" -- machines attached to DSL, FIOS, or cable modem
Most of the chinese and korean smtp connections are zombies too. There's
broadband out there that most US customers would sell their grandmothers
for - available at far cheaper prices. Unfortunately, you can also buy a
knockoff copy of XP for about the cost of a coffee at Starbucks. And so
no surprise most new PCs come with trojans preinstalled ..
> that we've blocked them. Far more of the offshore sources seem to
> be machines that have been set up specifically to spam. They are
I see those too - and the SBL has most of the chinese spammer hosting
space quite well covered, but there's more elsewhere too. And spam
volumes from bots have been driving mail traffic way, way up compared to
the good old days when all spammers did was to buy collocated servers
and spam through them .. [yup they still do that too, and install
massmailer bots on cheap webhosting servers, spam through those, or
abuse insecure cgi/php scripts]
But far more of the sources seem to be actual spammer operated machines
seems a bit strange, and I don't think my data can support that very much
Sure - some of your users could have ended up on a few local spammers'
lists (and a lot of the local spammers in that region are still
following that time honored old spammer practice of spamming direct from
their home ADSL lines, though port 25 blocking is catching on a lot in
hkg / japan and other countries). But really - that volume is
detectable, trivial to damp them down .. and certainly not as much as
the botnet generated spam from infected PCs that you get from those
ranges.
Most of the "static" spam source issues in China are not direct spam
sends - that's all moved to hosting websites, DNS etc for spam
operations.
srs
ps: If you want to familiarize yourself with the spam issues out there,
try these presentations, they might help:
http://wiki.apcauce.org/index.php/APCAUCE_2006