The Internet's Bad Neighborhoods

An anonymous reader writes "Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the spamming IP addresses — and some ISPs have more than 60% of compromised hosts, mostly in Asia. Phishing Bad Neighborhoods, on the other hand, are mostly in the U.S. Also, there is a silent ticking 'spam' bomb in BRIC countries: if India would have the same Internet penetration rate as the United States while keeping its current ratio of malicious IP addresses, we would observe 200% more spamming IP addresses worldwide. These are just few of the striking results of an extensive study from the University of Twente, in The Netherlands, which scrutinizes the Internet Bad Neighborhoods to develop next-generation algorithms and solutions to better secure networks."

How is this news?

[Synerg1y]

Anybody who's worked at a datacenter has known this for years and years. And comparing them to bad neighbors is correct... if we didn't consider scope and the medium. It's a lot harder to police something that's not in physical form and is transitional, and A LOT harder when it's in a country you don't have jurisdiction over. Sure you could block these ISPs and in a lot of cases it makes sense, if your website is national, then it can save a lot of pain, but it's not the end all solution to spam.

Re:

[phantomfive]

I wasn't aware of the India issue, were you?

Re:

[Synerg1y]

India was called Eastern Europe a few years back in regards to spam. The locations may change, the concept of a botnet remains the same. Obviously, spammers will find the least regulated, easily available ISP around.

Re:

[jrumney]

Tracking sources of spam seems to be the best way to see where growth is happening in internet connectivity. Remember when South Korea was the source of all our spam? For no other reason that there were a lot of very fast internet connections popping up faster than they were being secured.

Re:

[thejynxed]

I was. India easily has the potential to quickly transform into the next "Nigeria" once their internet penetration gets large enough.

Combine millions of people in poverty with easy and less than honest ways to quickly swipe money from some "rich" foreigner?

We won't even get into their law enforcement practices.

Re:

[Anonymous Coward]

1. Where does it claim that this is news? 2. This is still useful information for those who haven't worked at a datacenter for years and years. 3. The news element is that they are working at an algorithm based on this information.

Re:How is this news?

[ninjacheeseburger]

Most of us don't work in datacenters.

I think this could easily become a huge issue. We are lucky that most phishing emails are of a very low standard and it's easy to spot the fakes.

I'm guessing that these developing countries don't take cyber crime to seriously at the moment, perhaps instead of governments pushing SOPA and and ACTA they could come up with agreements which will encourage BRIC nations to start cracking down on spammers before the problem gets out of hand.

Re:

[Synerg1y]

And with enough resources they would... that's why the spammers pick them. But the problem is mobile, it moves from country to country, simply blocking IP blocks is a band aid solution.

Re:

[ninjacheeseburger]

And with enough resources they would...

China most defiantly has the resources, it just needs to put them in good use, instead of trying to block freedom of speech. Start putting pressure on ISPs that allow their networks to be abused. The spam might move between countries, but I assume the spammers themselves must be located somewhere.

Follow the money trail and start closing bank accounts.

Re:

[Nostromo21]

Defiantly...?

I had the solution for virus/malware/spammers years ago: 6-12 of them each day hanging by their ankles naked in Times Square (or some other central location), on international tv for the duration; crowd can go to town on them from a short distance with verbal & organic 'substance' abuse of choice (just no serious/major physical damage allowed). I think within 6 months the problem would be down to 5-10% of the volumes it is now. :)

Re:

[tattood]

China most defiantly has the resources, ... Start putting pressure on ISPs that allow their networks to be abused.

I'm pretty sure that China's government doesn't care about the amount of spam being generated from their networks because the target of the spam is not their citizens, but rather people in other countries.

Re:

[EvilIdler]

Yeah, they move around as they get blocked/lose their accounts. More than half the spam *I* see nowadays seems to come from Ukraine or Spain. There used to be mostly spam originating from Brazil a while back, and a few years ago it was almost exclusively coming from Bulgaria. But the contents were the usual top 10. Most of the activity in general from Ukraine and Russia is people trying to get into Wordpress sites I run. Fail2ban and plugins take care of them, but I don't get why anyone would want to spend

Re:

[Synerg1y]

Not everybody should care either, all the sheeple have to do is not open emails with malicious attachments, or give their bank account number to a Nigerian prince. Move along.

The wrong side of the internet railroad tracks

[Anonymous Coward]

Hey little girl...yeah, you...come on over here...want a favorable meta-moderation? /trenchcoat

Re:

[Anonymous Coward]

How is Al-Jazeera a bad neighbourhood? I found them to be a useful source during the Egyptian revolution, it is a western-style news channel from Arabia. Just because they have been sent tapes from terrorists does not mean that they support them, just as the guardian getting leaks from wikileaks does not mean that they support wikileaks.

Re:

[aztracker1]

But... But... Terrorist Children!

Re:

[Myself337]

Sounds great. While I block a few ranges from getting to my websites I have yet to find a reliable way to do this for my home computer and still be able to know that this is why .com isnt working. The ablitity to block some (most!) spam and garbage sites would be great but with no way to easily tell weather a site is down or im blocking it kinda cramps my style.

Re:

[Bigbuzzman]

pfSense + pfBlocker works wonders at home.

Re:

[xenobyte]

http://www.nirsoft.net/countryip/

Done!

I prefer to use: http://www.ipdeny.com/ [ipdeny.com] - YMMV...

Drone Strikes

[stevegee58]

Doesn't sound like anything that a few drone strikes couldn't handle.

Big surprise

[Anonymous Coward]

Other than the fact that something this obvious provided fodder for someone's PhD dissertation...

In summary the entire 245-page paper is an elaborate way of saying that blanket /24 IP range bans are an effective way of stopping spam. Oh, and that more people having computers connected to the internet in said "bad neighborhoods" will increase the amount of spam. Ladies and gentlemen, a new way to exclude developing nations from the Internet and look heroic while doing so.

Re:

[Anonymous Coward]

a new way to exclude developing nations from the Internet and look heroic while doing so.

When the main activity of an entire nation's TLD seems to be crimninal activity, what're we supposed to do? Bend over and grab our ankles? OH! Anything to avoid being falsely called "racist"!

That is what you get with RIRs

[CBravo]

As seen at the abuse workgroup of RIPE [ripe.net] (and I have not seen a sane discussion):

>> This is the draft agenda for the RIPE 66 meeting...
> No agenda item about defining (or refining the definition of) "abuse"?
Nope.

> I'd like to just reiterate my view that all other activities of this WG
> will be utterly fruitless until such time as a reasonable, rational, and
> generally accepted definition of "abuse" is in hand.

I genuinely don't think it will be useful to spend time on this.../snip

Re:

[Anonymous Coward]

Is this for real?

How is any unsolicited email NOT abuse?

Either it comes from someone with a legitimate reason for emailing, or it is a mailing-list with an opt-out that works. The rest is abuse 100% of the time. This is not hard to figure out.

Re:

[Anonymous Coward]

You're playing with the guy's words. You should quote the whole message, which makes a lot more sense (although I still don't agree with it):

I genuinely don't think it will be useful to spend time on this. I think
an attempt to get a consensual definition of abuse would take the whole
of the session in Dublin and every session thereafter and after all that
time, I still don't think we would have got anywhere. If the rest of the
WG disagrees with me, then we can raise it, but if n = the number of
people in the WG

Re:

[CBravo]

I opted to post the conclusion. Because there are all sorts of excuses to arrive at a bad conclusion.

Twente's Top Twenty Troublesome ISPs

[Anonymous Coward]

Missed headline opportunity

Those aren't the phishers you're looking for

[Animats]

Those aren't the phishers you're really worried about. There seem to be about ten "usual suspects" we keep seeing on our phishing reports. The low-end ones are trolling for Habbo Hotel accounts. A few notches up are phony logins for bank accounts (PayPal and HSBC are popular targets. New this week: Swedish tax refunds. And, for some reason, several new phish sites for AOL 9.0 accounts.) We track these, but they're more of a nuisance than a real threat.

The ones to worry about are better targeted and are of better quality. Those are aimed at corporate login info. Those won't be seen by broad-based phishing detection services because they're only sent to people who might have those logins. So they tend not to be blacklisted.

Break it down per capita

[roman_mir]

Brazil: 196,655,014 people (World Bank)
Russia: 141,930,000 people
India: 1,241,491,960 people
China: 1,344,130,000 people

that's 2,924,206,974 people total.
world population: 6,973,738,433 people, so BRIC countries are 41% of the total in population.

FTFA:

Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the internet addresses that send spam.

so I take it "nearly half" is between 40% and 50%, but less than 50%. If it's over 41%, then what we are looking here is some form of distribution of 'nuisance' that is related to the actual population and it probably shows normal distribution.

Is this really a surprise?

Re:

[roman_mir]

It doesn't have to be the same penetration to achieve 40-50% total usage, obviously there are fewer Internet users in India as proportion of population than in USA, however these are total numbers that matter here.

World Internet Users and Population Stats [internetworldstats.com] - by looking at this data one can sort of see why nearly half of the 'nuisance' comes from BRIC countries.

Re:

[AK Marc]

Yes, and when "China hacks US companies" we never see how many hacks on that company came from non-China addresses. If 1/100th of the attacks are Chinese in origin, why aren't we invading the US to stop the other 99/100, or wherever they are coming from? It seems to be an irrational nationalistic play, not an evaluation of risk and reasoned response to a threat.

Re:

[stephanruby]

Yes, and when "China hacks US companies" we never see how many hacks on that company came from non-China addresses. If 1/100th of the attacks are Chinese in origin, why aren't we invading the US to stop the other 99/100, or wherever they are coming from?

Hacking attempts have different severity levels associated with them. Putting them all in the same bucket as if they were all equivalent would be disingenuous. Besides, no one rational is saying that we should be invading China over this. Also currently, if a hack is severe enough, and coming from the US, the police/FBI goes after them.

It seems to be an irrational nationalistic play, not an evaluation of risk and reasoned response to a threat.

That could be true. I'm not saying that it is, or that it is not. Personally, I just don't know.

Do you know? How do you know? Is this your field?

Re:Break it down per capita

[AK Marc]

It is my field. I've never been "attacked" with a coordinated intrusion attempt. I've worked on systems that were hacked by script kiddies with no agenda (it was used only for warez, when they compromised a web server). But scans I get, and I've seen port scans referred to by the US government as "attacks" because that helps generate fear and hate in the population, which allows for money and power grabs. And those seem to be distributed more on the level of compromised machines, than concentration in areas where we have "enemies" (real or perceived).

As such, I would take the official numbers to be lies, until proven otherwise. Why? Because I have enough personal real-world experience in security to validate the implied raw numbers and invalidate the conclusions. That's why they'll never tell us enough to make up our own minds. Someone like me could prove in 5 minutes that all the conclusions are lies. So we only get false generalizations and, for all we know, 99.44% of Chinese attacks are false flag. Much like the claims that "an IP doesn't identify a person" in the copyright cases, the US is asserting that an IP from China is the government or an agent thereof. It could be a private Chinese citizen, or, more likely, someone from Russia or the US that runs a botnet.

Two reasons

[dutchwhizzman]

There are two reasons why we are seeing this in the news.

First, it's because China is currently a main economic "enemy" to a lot of western economies when it comes to "jobs" and "quality". These are mainly economy based attacks where trade secrets are the main target. Some are politically based, some are military intel based, but the majority is about economic advantage.

The second reason is that China is hardly trying to disguise that it's a large, government organized and funded group of hackers that is d

Re:

[AK Marc]

First, it's because China is currently a main economic "enemy" to a lot of western economies when it comes to "jobs" and "quality". These are mainly economy based attacks where trade secrets are the main target. Some are politically based, some are military intel based, but the majority is about economic advantage.

Yes, if it's a military attack, we might ignore it. If profits are threatened, we must stir the populous into a frenzy. It doesn't even have to be true, the effect of the propaganda campaign will still help secure profits.

The second reason is that China is hardly trying to disguise that it's a large, government organized and funded group of hackers that is doing this. If Japan, Korea, Russia and China would each be getting large amounts of spear fishing hacking attempts that all originate from the IP addresses of the Pentagon, it would be all over the news as well

How would China conceal something they aren't involved in? And are they really tracing them back to the Chinese military? I've not seen documentation of that, usually they end up tracking it down to some guy in his home, they assert him to be a military operation, or something like tha

Re:

[cbiltcliffe]

Nowhere does it say the 20 ISPs responsible fr 41% of the spam are the only ISPs for the BRIC nations. Neither does it say they were all from BRIC nations.
If these assumptions of yours are invalid, and I suspect they are - only 20 ISPs for all of Russia and India? Really? - then your figures are comparing apples and chocolate cake.

Re:

[reve_etrange]

What that concentration of spammers really suggests is control fraud at those ISPs...

Re:

[BasilBrush]

Population != number of people with access to the Internet.

ovh dedicated servers

[richlv]

the "article" was very uninformative.
but lately on an opensource project blog lots of spam comes from "ovh dedicated servers" subnets. while it probably indicates doing well, it is not appreciated... blocked off a few subnets from them.

Re:

[Tablizer]

the "article" was very uninformative.

That's because you live in a Bad Documentation neighborhood.

OVH, yup

[John Bokma]

Yup OVH is close to #1 spam source here. Good luck reaching their abuse desk. Another nasty one is Dimenoc. Spamcop seems to become more and more pointless as more and more abuse@ addresses bounce. Furthermore, in my experience, more and more ISPs start using their own forms for reporting... Handling abuse costs time, time = money; it's a whining geek versus a paying customer. And as long as they can get away with it, they prefer the latter (and hence make it very hard for the former to contact them).

Re:

[CBravo]

I have a complete opposite issue. The people with the blocklists, private (e.g. Mimecast, Cleanmail) or public (e.g. URIBL), refuse to say which customer ended me on the blocklist.

I really want to punish the customer that put me there but they give me 0 information, no mail to abuse@, even on request. Or they say: You were on the list, but now you are not (ergo: problem solved). I disagree here: It is not solved until I got the spammert. They just don't care that valid email does not arrive. Sometimes eve

Re:

[John Bokma]

Do you ever get reports from SpamCop? If not, you might want to verify that you have a working abuse@...

Re:

[CBravo]

Way ahead of you. To sum up most of it (and some more of my own), see here at MailChimp [mailchimp.com].

hinet.net

[ewhac]

When I was using a FreeBSD box as the gateway to my home network, the crushing majority of the spam relay and SSH brute-forcing attempts came from machines inside hinet.net. I ended up black-holeing as many of their subnets as I could in the firewall.

Running your own gateway that does actual logging is an eye-opening experience. There are a phenomenal number of jerks out there...

Schwab

Final solution

[PopeRatzo]

Clearly the only solution is to only let the world's biggest telecoms provide Internet to people.

I would gladly take an Internet with some "bad neighborhoods" over a completely safe Internet provided by entirely by AT&T/Comcast and a handful of megacorps who are also involved in creating content.

The Internet/Media/Industrial Complex loves to tell us scary stories about how dangerous an "open" Internet can be. Apparently, the Internet, like the "free market" is only good if they can control it.

Just sell us some bandwidth and I'll look out for my own safety, thanks very much.

Re:

[jon3k]

The problem is the millions of people who are incapable of "looking out for themselves". Those are the machines that compromise the botnets spewing spam, brute forcing services and scanning for new nodes to add to the hive collective. If everyone was like you or I, this would be a non-issue.

Re:

[BasilBrush]

"Clearly the only solution is to only let the world's biggest telecoms provide Internet to people."

Straw man. It's a perfectly reasonable solution to weed out the "bad neighbours" rather than ban all smaller ISPs.

Thanks a whole hell of a lot

[PopeRatzo]

Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the internet addresses that send spam.

And yet, the article neglects to tell us the names of those 20 ISPs.

It makes you wonder what they're really trying to accomplish with this "study". If they cared about people being safe in the Internet, they could start by telling us exactly where the "bad neighborhoods" are.

Re:

[John Bokma]

Yup. However: "Both an abstract and the full text of the PhD thesis entitled “Internet Bad Neighborhoods” are available on request.". Let's all request it, and maybe next time there will be a link to a pdf ;-).

Re:

[ketamine-bp]

It's there.

http://doc.utwente.nl/84507/1/thesis_G_Moura.pdf

Unsecure servers but not the real source

[Saithe]

They're right in that the SPAM comes from servers in those countries, but they are most probably not the original source. I would not be surprised if the only thing they are guilty of is insecure and badly maintained servers that someone found and is utilizing for sending SPAM, and to find the real culprit you'd have to analyse the log-files of every server.

Re:

[reve_etrange]

Maybe, but it seems unlikely that there would be such an extreme concentration (more than half the spam from 20 ISPs out of 42,000) if it were unsecured servers. More likely those few ISPs are conducting or profiting from the spam.

When did spam become evil?

[Anonymous Coward]

Spam is how these people make money. By blocking spam, you're denying them their revenue.

Block some

[statsone]

ended up blocking anyone in China from accessing sites on my server. After seeing a lot of attacks from Seychelles (SC), blocked that country as well. A lot less spam and attacks.

Block it

[xenobyte]

Simple fix: If the list of ISPs really is that short, just block their prefixes in the core infrastructure and announce this. This way the genuine customers would flee and the ISPs would wise up and kick the spammers. Once unblocked the genuine customers would return (or stop fleeing).

If we're talking about zombie armies doing direct-to-MX spamming, just block that port 25 outbound dammit! - It's a painfully simple fix for any ISP-sysadm. If a zombie cannot spam it's a lot less interesting. If it's located

Patroling the Internet

[Max_W]

Often spam is sent from legitimate websites via a malicious script, which is planted there by hackers for spammers.

Humans in general and spammers in particular are very inventive. Automated filters alone are no match for spammers.

The same way, as any attempt to guard prisoners without human guards turned out to be a failure. Prisoners lure dogs, map mines, penetrate electric schemes of perimeter fences, etc.

It makes sense for website owners to participate with a human effort in paroling of the Int

Enough ignoring the sources!

[whitroth]

I am *so* tired of China! China! China!

I work for a federal contracttor at a US gov't non-military agency. Yeah, we get our daily dose of Chinese trying to break in with ssh... but we get as many or more from:
      - the Netherlands
      - Brazil
and well below that, Italy, Turkey, Hungary, Kazakhstan, etc.

Do something about Brazil and the Netherlands, guys!