Spam by ASN
Posted by: Karsten M. Self on June 29, 2005 09:38 AM
I've been tracking email spam by ASN for some time. The basic theory is that there are some places from which abuse is far more likely to come than others.
I'm finding that the same rule applies to Wikis, as I also admin <a href="http://twiki.iwethey.org/" title="iwethey.org">TWikIWeThey</a>. In our case, it's AS4134 (China Telecom) which has been the overwhelming source of spam. The entire AS (you can get assignments from the <a href="http://www.cidr-report.org/" title="cidr-report.org">CIDR Report</a>) is now null-routed at the server.
Looking over the spam reports at the Portland Pattern Repository, I'm finding a pretty familiar AS distribution, frequency and AS follow:
25 4814 CHINA169-BBN CNCGROUP IP networkChina169 Beijing Broadband Network
10 6800 SAMARA-INTERNET-AS Samara-Internet, Ltd
6 4812 CHINANET-SH-AP China Telecom (Group)
4 7470 ASIAINFO-AS-AP ASIA INFONET Co.,Ltd.
3 9394 CRNET CHINA RAILWAY Internet(CRNET)
3 9304 HUTCHISON-AS-AP Hutchison Global Communications
2 9931 CAT-AP The Communication Authoity of Thailand, CAT
2 8866 BTC-AS Bulgarian Telecommunication Company Plc.
2 7482 APOL-AS Asia Pacific On-line Service Inc.
2 3209 Arcor IP-Network
2 1680 NetVision Ltd.
2 15471 SNR-RO SNR - Societatea Nationala de Radiocomunicatii
To map IP to AS, you can use the reverse DNS server at asn.routeviews.org, txt field. See the <a href="http://www.routeviews.org/" title="routeviews.org">Routeviews Project</a> homepage for more information.
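The IP-to-AS mapping and per-AS tally described in the post, as an added example that is not part of the original comment. It assumes the TXT answer carries three quoted strings (AS number, prefix, prefix length); the addresses are documentation ranges and the AS numbers are private-use values, all constructed for the example.

```python
import ipaddress
import shlex
from collections import Counter

ZONE = "asn.routeviews.org"

def query_name(ip):
    """Reverse the IPv4 octets and append the zone, as for in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE

def parse_txt(ip, txt):
    """Return (asn, network) from a TXT answer, or None if it is unusable.

    Assumed answer layout: "ASN" "prefix" "prefix-length".
    """
    try:
        fields = shlex.split(txt)
        if len(fields) != 3 or not fields[0].isdigit():
            return None
        net = ipaddress.ip_network(f"{fields[1]}/{fields[2]}", strict=False)
    except ValueError:
        return None
    # Sanity check: the announced prefix must actually cover the address.
    if ipaddress.ip_address(ip) not in net:
        return None
    return int(fields[0]), net

def tally(answers):
    """Count offending addresses per AS; unusable answers go under None."""
    counts = Counter()
    for ip, txt in answers:
        parsed = parse_txt(ip, txt)
        counts[parsed[0] if parsed else None] += 1
    return counts.most_common()

# Constructed sample: (spam source IP, TXT answer as a resolver would print
# it, e.g. from `dig +short TXT 10.2.0.192.asn.routeviews.org`).
SAMPLE = [
    ("192.0.2.10", '"64512" "192.0.2.0" "24"'),
    ("192.0.2.77", '"64512" "192.0.2.0" "24"'),
    ("198.51.100.5", '"64513" "198.51.100.0" "24"'),
    ("203.0.113.9", '"64512" "198.51.100.0" "24"'),  # prefix does not cover IP
]

if __name__ == "__main__":
    for asn, n in tally(SAMPLE):
        print(n, asn)
```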