What ASNs are most actively spamming us

July 26, 2005

In this context, 'ASN' stands for 'Autonomous System Number'; broadly speaking, this tells us who is responsible for a particular IP address (or, technically speaking, who is ultimately responsible for getting IP packets to it).

There's a number of who other ways to tell who owns an IP address (querying whois.arin.net and then other registrars, for example), but there are two attractions of ASNs for this purpose:

  • there are comprehensive IP to ASN databases that are easily queried by relatively simple programs. All of the other IP ownership lookup things are much harder to use.
  • since an IP address's ASN determines how packets get to it, it's necessary to get it right. By contrast, nothing usually breaks if a registry's IP ownership information is out of date or outright wrong.

Chris's Nth law of information sources is 'if it doesn't have to be accurate for things to keep working, sooner or later it won't be'. (There is a well-known application of this to comments in source code.)

Instead of trying to run the numbers by frequency of attempted connection, I've looked here at how many different IP addresses from each ASN have been rejected at connection time by us over the past 28 and some change days. This is a good indication of how widespread of a problem a particular ASN is to us.

# of different IPs ASN (owner)
2831 AS4766 Korea Telecom
1580 AS9318 Hanaro Telecom (Korea)
1323 AS4837 CNCGROUP China169 Backbone
951 AS6478 AT&T WorldNet Services
775 AS19262 Verizon Internet Services
706 AS33287 Comcast Cable Communications, Inc.
650 AS22909 Comcast Cable Communications, Inc.
595 AS6830 UPC Distribution Services (Europe)
512 AS7738 Telecomunicacoes da Bahia S.A. (Brazil)
512 AS7018 AT&T WorldNet Services
499 AS9277 THRUNET (Korea)
488 AS17676 Softbank BB Corp. (Japan)
481 AS3786 DACOM Corporation (Korea)
480 AS20115 Charter Communications
479 AS22047 VTR BANDA ANCHA S.A. (Chile)
474 AS12322 Proxad ISP (France)
428 AS5617 TPNET Polish Telecom
415 AS10318 CABLEVISION S.A. (Argentina)
411 AS9304 Hutchison Global Communications (Hong Kong)

Some organizations have multiple ASNs for various reasons, as you can see with Comcast and AT&T Worldnet.

Korea is our largest problem source, followed rapidly by China. UPC is the 'chello.*' people, eg chello.nl, chello.at, and so on, who are a Europe-wide plague of zombies.

Part of this is entirely predictable; because we expect little legitimate email from the Far East (and to a lesser extent Europe), I am far more willing to be aggressive when blocking those areas, and it is not surprising that they score high in the list. (Significant swatches of China don't even get as far as connect-time rejection, as they're blocked by kernel IP filters.)

I suppose the most solid conclusion I can take away from this is that our problems come from all over. Just in the top-20 list alone we've hit most of the world's general areas with decent network infrastructure.

Written on 26 July 2005.
« Reliably archiving things
Spam Storm, July 26th 2005 »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Jul 26 01:44:25 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.