[nsp-sec] Spammer IPs - looking for the malware
Nicholas Ianelli
ni at cert.org
Fri Mar 14 14:03:29 EDT 2008
So I've received a few responses with Q's I should have already
addressed, my apologies, here is some additional data:
1.) I do not have access to the actual message(s) being sent, only
netflow data
2.) There is a chance of false positives, though I've been assured that
the information was combed through prior to being sent to me (removing
any FPs).
3.) The indicators that these are spam runs are based on "Spam Detection
at the ISP Level". The PDF can be found at:
http://www.cert.org/research/2007research-report.pdf
Page 32 (sorry best I could do).
Feel free to draw your own conclusions and address as you see fit. The
initial email as it was sent to me:
These hosts were classified as spammers, and then received the reply
email volumes shown at least 1 hour later from hosts that had received
email from the host during the hour it was classified as a spammer. The
list below is approximately 1/3 of the results collected over a six-hour
period (March 13, 2008 1:00am - 7:00am GMT) across the whole collection
framework.
----------
Basically those hosts that are believed to be sending spam, received
quite a few responses over an hour later.
Nick
Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> All,
>
> Below is a list of IPs that have been seen sending spam. These IPs have
> been collected over a six-hour period (March 13, 2008 1:00am -
> 7:00am GMT).
>
> Any help in tracking down the malware on the machines would be great
> (/me looks to Cogent or Internap :). I'm more than happy to work with
> any of your customers to try and obtain the malicious code, if this is
> feasible, please let me know prior to passing out my contact info.
>
> Thanks!
> Nick
>
> https://asn.cymru.com/nsp-sec/upload/1205514777.whois.txt
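The correlation described in the forwarded note above (hosts classified as spammers that later receive mail back from the hosts they mailed), sketched as an added example that is not part of the original message or of any CERT tooling. Assumptions: the flow tuple layout, the constructed sample flows, a `classified` map supplied by a separate classifier, and "at least 1 hour later" measured from the suspect's last SMTP flow to that recipient inside its classification hour.

```python
from collections import defaultdict

SMTP_PORT = 25
HOUR = 3600

# Constructed flow records: (start_seconds, src_ip, dst_ip, dst_port).
# Times are seconds from the start of the collection window; addresses
# come from the RFC 5737 documentation ranges.
FLOWS = [
    (60,   "192.0.2.10",   "198.51.100.1", 25),  # suspect mails A
    (120,  "192.0.2.10",   "198.51.100.2", 25),  # suspect mails B
    (3000, "192.0.2.10",   "198.51.100.1", 25),  # suspect mails A again
    (4000, "192.0.2.10",   "198.51.100.3", 25),  # outside the classified hour
    (5000, "198.51.100.1", "192.0.2.10",   25),  # A replies too early
    (7000, "198.51.100.1", "192.0.2.10",   25),  # A replies, counted
    (7200, "198.51.100.2", "192.0.2.10",   25),  # B replies, counted
    (7300, "198.51.100.2", "192.0.2.10",   25),  # B replies, counted
    (8000, "198.51.100.3", "192.0.2.10",   25),  # C was never mailed in-hour
    (8100, "198.51.100.2", "192.0.2.10",   80),  # not SMTP
    (9000, "203.0.113.5",  "198.51.100.1", 25),  # unrelated host
]

# Assumption: host -> start of the hour in which it was classified a spammer.
CLASSIFIED = {"192.0.2.10": 0}


def reply_volumes(flows, classified, min_delay=HOUR):
    """Return {suspect: (reply_flows, distinct_repliers)} from flow data only."""
    # recipients[suspect][recipient] = time of the suspect's last SMTP flow
    # to that recipient inside its classification hour.
    recipients = defaultdict(dict)
    for ts, src, dst, dport in flows:
        start = classified.get(src)
        if dport == SMTP_PORT and start is not None and start <= ts < start + HOUR:
            recipients[src][dst] = max(ts, recipients[src].get(dst, ts))

    # Count SMTP flows back to the suspect from those recipients that start
    # at least min_delay after the suspect last mailed them.
    volumes = defaultdict(lambda: [0, set()])
    for ts, src, dst, dport in flows:
        sent = recipients.get(dst, {}).get(src)
        if dport == SMTP_PORT and sent is not None and ts - sent >= min_delay:
            volumes[dst][0] += 1
            volumes[dst][1].add(src)
    return {ip: (n, len(peers)) for ip, (n, peers) in volumes.items()}


if __name__ == "__main__":
    print(reply_volumes(FLOWS, CLASSIFIED))
```

Because only flow records are used, a high count says nothing about message content; the false-positive caveat in point 2 applies to any result from this kind of correlation.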