Saturday, July 25, 2009

Bad spammer neighborhoods

I've been collecting data about IPs that have been attempting to spam my mail server for the past few months, and today I decided to take a look at what neighborhoods of /24 networks are the most heavily populated with spamming IPs.

Here's the list of the top ten "worst neighborhoods" trying to send me spam, mostly with dictionary attacks against my domain. These are all blocked by the CBL, so none of this spam actually gets through, but it ties up my bandwidth.

I've put an asterisk (*) next to the ranges that are probably smaller than a full /24, judging by how the offending IPs are distributed within the block.

Does anybody have a tool that already exists to identify likely bad ranges to block based on the distribution of known bad IPs? All I did here was count IPs within a /24, but it would be nicer to identify the likely ranges of badness at both a more fine-grained and broader level.

Note that these bad neighborhoods may be neighborhoods of poorly secured machines, or they may be neighborhoods of malicious machines. Either way, the providers are not doing a good job of cracking down on malicious activity from their networks.
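As an added example (not the author's own tooling, and not a tool that answers the question above by itself), here is a short Python script that does the counting described above and, for each /24, also reports the smallest single prefix covering the observed hosts, a first cut at the finer-grained ranges marked with an asterisk; passing prefix_len=16 gives the broader view. The sample input is constructed from the last octets this post lists for two of its blocks, plus one unrelated address.

```python
from collections import defaultdict
from ipaddress import IPv4Network, ip_address


def smallest_covering_prefix(addrs):
    """Smallest single CIDR prefix that contains every address in addrs."""
    lo, hi = min(addrs), max(addrs)
    # Widen from /32 until the highest address falls inside the block
    # anchored at the lowest one.
    for plen in range(32, -1, -1):
        net = IPv4Network((lo, plen), strict=False)
        if hi in net:
            return net


def bad_neighborhoods(ip_strings, prefix_len=24, min_hits=2):
    """Group offending IPs by prefix_len block and rank blocks by count.

    Returns (block, count, covering_prefix) tuples, most populated first;
    blocks with fewer than min_hits offenders are dropped.
    """
    by_block = defaultdict(list)
    for s in ip_strings:
        addr = ip_address(s)
        by_block[IPv4Network((addr, prefix_len), strict=False)].append(addr)
    rows = [(block, len(hosts), smallest_covering_prefix(hosts))
            for block, hosts in by_block.items() if len(hosts) >= min_hits]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed sample: the last octets this post reports for two of its
# /24 blocks, plus one isolated address that should be filtered out.
SAMPLE_IPS = (
    [f"83.149.3.{h}" for h in (5, 6, 12, 14, 16, 18, 21, 22, 25, 28,
                               30, 40, 42, 47, 48, 51, 63)]
    + [f"76.164.227.{h}" for h in (138, 155, 159, 174, 182, 186, 194, 199,
                                  202, 206, 210, 218, 222, 230, 238, 246)]
    + ["192.0.2.7"]
)

if __name__ == "__main__":
    for block, count, covering in bad_neighborhoods(SAMPLE_IPS):
        # Asterisk when the offenders sit in a sub-range of the /24.
        flag = "*" if covering.prefixlen > block.prefixlen else " "
        print(f"{flag}{block}  {count:3d} IPs  tightest cover: {covering}")
```

The covering prefix is only a lower bound on the spread of the offenders; two clusters at opposite ends of a /24 still collapse to the whole /24, so a block that looks "full" may still be two smaller ranges.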

1. 64.32.26.0/24 (25 IPs)
45 46 51 52 54 66 68 73 81 90 100 102 104 111 113 126 155 157 163 168 194 199 204 236 242
AS 46844 | 64.32.26.0 | ST-BGP - SHARKTECH INTERNET SERVICES
Upstream provider: AS 7922 | 64.32.26.0 | COMCAST-7922 - Comcast Cable Communications, Inc.

*2. 89.232.105.0/24 (24 IPs)
21 24 29 32 48 57 59 63 64 68 76 89 93 94 97 101 103 107 114 117 126 129 137 139
AS 28840 | 89.232.105.0 | TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
Upstream provider: AS 6854 | 89.232.105.0 | SYNTERRA-AS SYNTERRA Joint Stock Company 64.32.26.0

3. 208.84.243.0/24 (20 IPs)
13 30 63 68 78 92 99 123 148 150 175 176 179 185 196 199 216 219 226 250
AS 40260 | 208.84.243.0 | TERRA-NETWORKS-MIAMI - Terra Networks Operations Inc.
Upstream provider: AS 22364 | 208.84.243.0 | AS-22364 - Telefonica USA, Inc.

*4. 83.149.3.0/24 (17 IPs)
5 6 12 14 16 18 21 22 25 28 30 40 42 47 48 51 63
AS 31213 | 83.149.3.0 | MF-NWGSM-AS OJSC MegaFon Network
Upstream providers: AS 12389 | 83.149.3.0 | ROSTELECOM-AS JSC Rostelecom
AS 20485 | 83.149.3.0 | TRANSTELECOM JSC Company TransTeleCom

*5. 76.164.227.0/24 (16 IPs)
138 155 159 174 182 186 194 199 202 206 210 218 222 230 238 246
AS 36114 | 76.164.227.0 | RDTECH-ASN - R & D Technologies, LLC
Upstream providers: AS 6473 | 76.164.227.0 | WCIXN4 - WCIX.Net, Inc.
AS 35937 | 76.164.227.0 | MARQUISNET - MarquisNet LLC

6. 76.164.232.0/24 (15 IPs)
13 21 24 33 36 38 40 43 48 57 198 206 218 232 234
AS 36114 | 76.164.232.0 | RDTECH-ASN - R & D Technologies, LLC
Upstream providers: AS 6473 | 76.164.227.0 | WCIXN4 - WCIX.Net, Inc.
AS 35937 | 76.164.227.0 | MARQUISNET - MarquisNet LLC

7. 77.120.128.0/24 (15 IPs)
20 37 50 85 93 104 107 112 159 162 187 232 239 248 252
AS 43011 | 77.120.128.0 | DATASVIT-AS ISP Datasvit AS Number
Upstream provider: AS 25229 | 77.120.128.0 | VOLIA-AS Volia Autonomous System

*8. 78.138.170.0/24 (12 IPs)
66 68 77 78 160 166 178 189 190 193 202 211
AS 28840 | 78.138.170.0 | TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
Upstream provider: AS 6854 | 89.232.105.0 | SYNTERRA-AS SYNTERRA Joint Stock Company 64.32.26.0

9. 77.232.143.0/24 (12 IPs)
33 37 40 63 69 104 175 182 190 215 218 251
AS 42145 | 77.232.143.0 | BSTV-AS OOO Bryansk Svyaz-TV
Upstream provider: AS 20485 | 77.232.143.0 | TRANSTELECOM JSC Company TransTeleCom

*10. 95.154.113.0/24 (12 IPs)
140 178 181 185 193 195 197 206 218 246 248 254
AS 44724 | 95.154.113.0 | OCTOPUSNET-AS Octopusnet LTD
Upstream provider: AS 34470 | 95.154.113.0 | PTKOM-AS PortTelekom Autonomous system
