2005-07-26
What ASNs are most actively spamming us
In this context, 'ASN' stands for 'Autonomous System Number'; broadly speaking, this tells us who is responsible for a particular IP address (or, technically speaking, who is ultimately responsible for getting IP packets to it).
There are a number of other ways to tell who owns an IP address (querying whois.arin.net and then the other registrars, for example), but there are two attractions of ASNs for this purpose:
- there are comprehensive IP to ASN databases that are easily queried by relatively simple programs. All of the other IP ownership lookup things are much harder to use.
- since an IP address's ASN determines how packets get to it, it's necessary to get it right. By contrast, nothing usually breaks if a registry's IP ownership information is out of date or outright wrong.
Chris's Nth law of information sources is 'if it doesn't have to be accurate for things to keep working, sooner or later it won't be'. (There is a well-known application of this to comments in source code.)
Instead of trying to run the numbers by frequency of attempted connection, I've looked here at how many different IP addresses from each ASN have been rejected at connection time by us over the past 28 and some change days. This is a good indication of how widespread a problem a particular ASN is for us.
# of different IPs | ASN | Owner
------------------ | ------- | -----
2831 | AS4766 | Korea Telecom
1580 | AS9318 | Hanaro Telecom (Korea)
1323 | AS4837 | CNCGROUP China169 Backbone
951 | AS6478 | AT&T WorldNet Services
777 | AS4134 | CHINANET-BACKBONE
775 | AS19262 | Verizon Internet Services
706 | AS33287 | Comcast Cable Communications, Inc.
650 | AS22909 | Comcast Cable Communications, Inc.
595 | AS6830 | UPC Distribution Services (Europe)
512 | AS7738 | Telecomunicacoes da Bahia S.A. (Brazil)
512 | AS7018 | AT&T WorldNet Services
499 | AS9277 | THRUNET (Korea)
488 | AS17676 | Softbank BB Corp. (Japan)
481 | AS3786 | DACOM Corporation (Korea)
480 | AS20115 | Charter Communications
479 | AS22047 | VTR BANDA ANCHA S.A. (Chile)
474 | AS12322 | Proxad ISP (France)
428 | AS5617 | TPNET Polish Telecom
415 | AS10318 | CABLEVISION S.A. (Argentina)
411 | AS9304 | Hutchison Global Communications (Hong Kong)
Some organizations have multiple ASNs for various reasons, as you can see with Comcast and AT&T WorldNet.
Korea is our largest problem source, followed closely by China. UPC is the 'chello.*' people, e.g. chello.nl, chello.at, and so on, who are a Europe-wide plague of zombies.
Part of this is entirely predictable; because we expect little legitimate email from the Far East (and to a lesser extent Europe), I am far more willing to be aggressive when blocking those areas, and it is not surprising that they score high in the list. (Significant swaths of China don't even get as far as connect-time rejection, as they're blocked by kernel IP filters.)
I suppose the most solid conclusion I can take away from this is that our problems come from all over. Just in the top-20 list alone we've hit most of the world's general areas with decent network infrastructure.
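For anyone who wants to produce the same sort of distinct-IPs-per-ASN tally from their own reject logs, here is an added example (not the script behind the table above). It assumes a made-up reject log line format and a tiny constructed prefix-to-ASN table; a real run would load a full IP-to-ASN database instead, and the longest-prefix match below is what makes a more specific route win over its parent, as in a routing table.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed prefix-to-ASN table (assumption). These three routes are invented
# for the example; in practice this comes from a full IP-to-ASN database.
PREFIX_TO_ASN = {
    "203.0.113.0/24": ("AS64500", "Example Telecom"),
    "198.51.100.0/25": ("AS64501", "Example Cable"),
    "198.51.100.0/24": ("AS64502", "Example Cable Parent"),
}

# Most specific prefixes first, so longest-prefix match is a simple scan.
NETS = sorted(((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
              key=lambda item: item[0].prefixlen, reverse=True)

# Assumed reject log line shape; adjust the pattern to your own mailer's logs.
REJECT_RE = re.compile(r"rejected connection from \[(\d+\.\d+\.\d+\.\d+)\]")


def lookup_asn(ip):
    """Return (ASN, owner) for an IP by longest-prefix match, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, asn in NETS:
        if addr in net:
            return asn
    return ("unknown", "unknown")


def tally_rejects(lines):
    """Count distinct rejected IPs per ASN; repeat connections from one IP count once."""
    ips_by_asn = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            ips_by_asn[lookup_asn(m.group(1))].add(m.group(1))
    # Sort by distinct-IP count, highest first, like the table in the post.
    return sorted(((len(ips), asn, owner) for (asn, owner), ips in ips_by_asn.items()),
                  reverse=True)


# Constructed sample log lines (not real traffic); 203.0.113.7 appears twice.
SAMPLE_LOG = [
    "Jul 26 10:00:01 mx smtpd: rejected connection from [203.0.113.7]",
    "Jul 26 10:00:05 mx smtpd: rejected connection from [203.0.113.7]",
    "Jul 26 10:01:10 mx smtpd: rejected connection from [203.0.113.9]",
    "Jul 26 10:02:00 mx smtpd: rejected connection from [198.51.100.5]",
    "Jul 26 10:03:00 mx smtpd: rejected connection from [198.51.100.200]",
    "Jul 26 10:04:00 mx smtpd: accepted connection from [192.0.2.1]",
]

if __name__ == "__main__":
    for count, asn, owner in tally_rejects(SAMPLE_LOG):
        print(f"{count} | {asn} | {owner}")
```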