The Internet's Bad Neighborhoods

An anonymous reader writes "Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the spamming IP addresses — and some ISPs have more than 60% of compromised hosts, mostly in Asia. Phishing Bad Neighborhoods, on the other hand, are mostly in the U.S. Also, there is a silent ticking 'spam' bomb in BRIC countries: if India would have the same Internet penetration rate as the United States while keeping its current ratio of malicious IP addresses, we would observe 200% more spamming IP addresses worldwide. These are just few of the striking results of an extensive study from the University of Twente, in The Netherlands, which scrutinizes the Internet Bad Neighborhoods to develop next-generation algorithms and solutions to better secure networks."

How is this news?

[Synerg1y]

Anybody who's worked at a datacenter has known this for years and years. And comparing them to bad neighbors is correct... if we didn't consider scope and the medium. It's a lot harder to police something that's not in physical form and is transitional, and A LOT harder when it's in a country you don't have jurisdiction over. Sure you could block these ISPs and in a lot of cases it makes sense, if your website is national, then it can save a lot of pain, but it's not the end all solution to spam.

Re:How is this news?

[phantomfive]

I wasn't aware of the India issue, were you?

Re:How is this news?

1. Where does it claim that this is news? 2. This is still useful information for those who haven't worked at a datacenter for years and years. 3. The news element is that they are working at an algorithm based on this information.

Re:How is this news?

[ninjacheeseburger]

Most of us don't work in datacenters.

I think this could easily become a huge issue. We are lucky that most phishing emails are of a very low standard and it's easy to spot the fakes.

I'm guessing that these developing countries don't take cyber crime to seriously at the moment, perhaps instead of governments pushing SOPA and and ACTA they could come up with agreements which will encourage BRIC nations to start cracking down on spammers before the problem gets out of hand.

Re:How is this news?

[Synerg1y]

India was called Eastern Europe a few years back in regards to spam. The locations may change, the concept of a botnet remains the same. Obviously, spammers will find the least regulated, easily available ISP around.

Re:How is this news?

Not everyone has worked in a datacenter, jackass. Many people never will.

Re:How is this news?

[Synerg1y]

And with enough resources they would... that's why the spammers pick them. But the problem is mobile, it moves from country to country, simply blocking IP blocks is a band aid solution.

Re:How is this news?

[Synerg1y]

Not everybody should care either, all the sheeple have to do is not open emails with malicious attachments, or give their bank account number to a Nigerian prince. Move along.

Re:How is this news?

[ninjacheeseburger]

And with enough resources they would...

China most defiantly has the resources, it just needs to put them in good use, instead of trying to block freedom of speech. Start putting pressure on ISPs that allow their networks to be abused. The spam might move between countries, but I assume the spammers themselves must be located somewhere.

Follow the money trail and start closing bank accounts.

Re:How is this news?

[thejynxed]

I was. India easily has the potential to quickly transform into the next "Nigeria" once their internet penetration gets large enough.

Combine millions of people in poverty with easy and less than honest ways to quickly swipe money from some "rich" foreigner?

We won't even get into their law enforcement practices.

Re:How is this news?

[EvilIdler]

Yeah, they move around as they get blocked/lose their accounts. More than half the spam *I* see nowadays seems to come from Ukraine or Spain. There used to be mostly spam originating from Brazil a while back, and a few years ago it was almost exclusively coming from Bulgaria. But the contents were the usual top 10. Most of the activity in general from Ukraine and Russia is people trying to get into Wordpress sites I run. Fail2ban and plugins take care of them, but I don't get why anyone would want to spend time on trying to get into blogs nobody reads :P Really - all the visitors are searchbots, spambots and intrusion attempts! If I remove some security measures the only people who'd be drive-by infected are other spammers and hackers.

Re:How is this news?

[Nostromo21]

Defiantly...?

I had the solution for virus/malware/spammers years ago: 6-12 of them each day hanging by their ankles naked in Times Square (or some other central location), on international tv for the duration; crowd can go to town on them from a short distance with verbal & organic 'substance' abuse of choice (just no serious/major physical damage allowed). I think within 6 months the problem would be down to 5-10% of the volumes it is now. :)

Re:How is this news?

[jrumney]

Tracking sources of spam seems to be the best way to see where growth is happening in internet connectivity. Remember when South Korea was the source of all our spam? For no other reason that there were a lot of very fast internet connections popping up faster than they were being secured.

Re:How is this news?

[tattood]

China most defiantly has the resources, ... Start putting pressure on ISPs that allow their networks to be abused.

I'm pretty sure that China's government doesn't care about the amount of spam being generated from their networks because the target of the spam is not their citizens, but rather people in other countries.

The wrong side of the internet railroad tracks

Hey little girl...yeah, you...come on over here...want a favorable meta-moderation? /trenchcoat

Block IP ranges by country

http://www.nirsoft.net/countryip/

Done!

Re:Block IP ranges by country

[Myself337]

Sounds great. While I block a few ranges from getting to my websites I have yet to find a reliable way to do this for my home computer and still be able to know that this is why .com isnt working. The ablitity to block some (most!) spam and garbage sites would be great but with no way to easily tell weather a site is down or im blocking it kinda cramps my style.

Re:Block IP ranges by country

[Bigbuzzman]

pfSense + pfBlocker works wonders at home.

Re:Block IP ranges by country

[xenobyte]

http://www.nirsoft.net/countryip/

Done!

I prefer to use: http://www.ipdeny.com/ - YMMV...

Drone Strikes

[stevegee58]

Doesn't sound like anything that a few drone strikes couldn't handle.

Big surprise

Other than the fact that something this obvious provided fodder for someone's PhD dissertation...

In summary the entire 245-page paper is an elaborate way of saying that blanket /24 IP range bans are an effective way of stopping spam. Oh, and that more people having computers connected to the internet in said "bad neighborhoods" will increase the amount of spam. Ladies and gentlemen, a new way to exclude developing nations from the Internet and look heroic while doing so.

Re:Big surprise

a new way to exclude developing nations from the Internet and look heroic while doing so.

When the main activity of an entire nation's TLD seems to be crimninal activity, what're we supposed to do? Bend over and grab our ankles? OH! Anything to avoid being falsely called "racist"!

Re:Big surprise

Just block the entire TLD. In your dns server. Works well on .in and .ru. And .cn.......

That is what you get with RIRs

[CBravo]

As seen at the abuse workgroup of RIPE (and I have not seen a sane discussion):

>> This is the draft agenda for the RIPE 66 meeting...
> No agenda item about defining (or refining the definition of) "abuse"?
Nope.

> I'd like to just reiterate my view that all other activities of this WG
> will be utterly fruitless until such time as a reasonable, rational, and
> generally accepted definition of "abuse" is in hand.

I genuinely don't think it will be useful to spend time on this.../snip

Re:That is what you get with RIRs

Is this for real?

How is any unsolicited email NOT abuse?

Either it comes from someone with a legitimate reason for emailing, or it is a mailing-list with an opt-out that works. The rest is abuse 100% of the time. This is not hard to figure out.

Re:That is what you get with RIRs

You're playing with the guy's words. You should quote the whole message, which makes a lot more sense (although I still don't agree with it):

I genuinely don't think it will be useful to spend time on this. I think
an attempt to get a consensual definition of abuse would take the whole
of the session in Dublin and every session thereafter and after all that
time, I still don't think we would have got anywhere. If the rest of the
WG disagrees with me, then we can raise it, but if n = the number of
people in the WG, I fear we would have n + 1 definitions.

Re:That is what you get with RIRs

[CBravo]

I opted to post the conclusion. Because there are all sorts of excuses to arrive at a bad conclusion.

Re:Mud People

[felipou]

Isn't this supposed to be /.?

Twente's Top Twenty Troublesome ISPs

Missed headline opportunity

Those aren't the phishers you're looking for

[Animats]

Those aren't the phishers you're really worried about. There seem to be about ten "usual suspects" we keep seeing on our phishing reports. The low-end ones are trolling for Habbo Hotel accounts. A few notches up are phony logins for bank accounts (PayPal and HSBC are popular targets. New this week: Swedish tax refunds. And, for some reason, several new phish sites for AOL 9.0 accounts.) We track these, but they're more of a nuisance than a real threat.

The ones to worry about are better targeted and are of better quality. Those are aimed at corporate login info. Those won't be seen by broad-based phishing detection services because they're only sent to people who might have those logins. So they tend not to be blacklisted.

Break it down per capita

[roman_mir]

Brazil: 196,655,014 people (World Bank)
Russia: 141,930,000 people
India: 1,241,491,960 people
China: 1,344,130,000 people

that's 2,924,206,974 people total.
world population: 6,973,738,433 people, so BRIC countries are 41% of the total in population.

FTFA:

Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the internet addresses that send spam.

so I take it "nearly half" is between 40% and 50%, but less than 50%. If it's over 41%, then what we are looking here is some form of distribution of 'nuisance' that is related to the actual population and it probably shows normal distribution.

Is this really a surprise?

Re:Break it down per capita

Population != internet users.

That was the point of the end of the summary. If India had the same number of users per capita as the US spam would go up by 200%.

Re:Break it down per capita

[roman_mir]

It doesn't have to be the same penetration to achieve 40-50% total usage, obviously there are fewer Internet users in India as proportion of population than in USA, however these are total numbers that matter here.

World Internet Users and Population Stats - by looking at this data one can sort of see why nearly half of the 'nuisance' comes from BRIC countries.

Re:Break it down per capita

[AK+Marc]

Yes, and when "China hacks US companies" we never see how many hacks on that company came from non-China addresses. If 1/100th of the attacks are Chinese in origin, why aren't we invading the US to stop the other 99/100, or wherever they are coming from? It seems to be an irrational nationalistic play, not an evaluation of risk and reasoned response to a threat.

Re:Break it down per capita

[stephanruby]

Yes, and when "China hacks US companies" we never see how many hacks on that company came from non-China addresses. If 1/100th of the attacks are Chinese in origin, why aren't we invading the US to stop the other 99/100, or wherever they are coming from?

Hacking attempts have different severity levels associated with them. Putting them all in the same bucket as if they were all equivalent would be disingenuous. Besides, no one rational is saying that we should be invading China over this. Also currently, if a hack is severe enough, and coming from the US, the police/FBI goes after them.

It seems to be an irrational nationalistic play, not an evaluation of risk and reasoned response to a threat.

That could be true. I'm not saying that it is, or that it is not. Personally, I just don't know.

Do you know? How do you know? Is this your field?

Re:Break it down per capita

Er.. you forgot the S in the BRICS , which is South Africa.
Population: 51,770,560

Re:Break it down per capita

[AK+Marc]

It is my field. I've never been "attacked" with a coordinated intrusion attempt. I've worked on systems that were hacked by script kiddies with no agenda (it was used only for warez, when they compromised a web server). But scans I get, and I've seen port scans referred to by the US government as "attacks" because that helps generate fear and hate in the population, which allows for money and power grabs. And those seem to be distributed more on the level of compromised machines, than concentration in areas where we have "enemies" (real or perceived).

As such, I would take the official numbers to be lies, until proven otherwise. Why? Because I have enough personal real-world experience in security to validate the implied raw numbers and invalidate the conclusions. That's why they'll never tell us enough to make up our own minds. Someone like me could prove in 5 minutes that all the conclusions are lies. So we only get false generalizations and, for all we know, 99.44% of Chinese attacks are false flag. Much like the claims that "an IP doesn't identify a person" in the copyright cases, the US is asserting that an IP from China is the government or an agent thereof. It could be a private Chinese citizen, or, more likely, someone from Russia or the US that runs a botnet.

Re:Break it down per capita

[cbiltcliffe]

Nowhere does it say the 20 ISPs responsible fr 41% of the spam are the only ISPs for the BRIC nations. Neither does it say they were all from BRIC nations.
If these assumptions of yours are invalid, and I suspect they are - only 20 ISPs for all of Russia and India? Really? - then your figures are comparing apples and chocolate cake.

Re:Break it down per capita

[reve_etrange]

What that concentration of spammers really suggests is control fraud at those ISPs...

Re:Break it down per capita

[BasilBrush]

Population != number of people with access to the Internet.

Re:Break it down per capita

Er.. you forgot the S in the BRICS

There was no S in BRIC until within the past year or two.

BRIC as a grouping long predates that.

Long before that, SA was the 14th largest economy in the World. It is now 28th, hence its alignment with the BRIC.

ovh dedicated servers

[richlv]

the "article" was very uninformative.
but lately on an opensource project blog lots of spam comes from "ovh dedicated servers" subnets. while it probably indicates doing well, it is not appreciated... blocked off a few subnets from them.

Re:ovh dedicated servers

[Tablizer]

the "article" was very uninformative.

That's because you live in a Bad Documentation neighborhood.

Re:The Internets "real" bad neighborhoods:

How is Al-Jazeera a bad neighbourhood? I found them to be a useful source during the Egyptian revolution, it is a western-style news channel from Arabia. Just because they have been sent tapes from terrorists does not mean that they support them, just as the guardian getting leaks from wikileaks does not mean that they support wikileaks.

hinet.net

[ewhac]

When I was using a FreeBSD box as the gateway to my home network, the crushing majority of the spam relay and SSH brute-forcing attempts came from machines inside hinet.net. I ended up black-holeing as many of their subnets as I could in the firewall.

Running your own gateway that does actual logging is an eye-opening experience. There are a phenomenal number of jerks out there...

Schwab

Final solution

[PopeRatzo]

Clearly the only solution is to only let the world's biggest telecoms provide Internet to people.

I would gladly take an Internet with some "bad neighborhoods" over a completely safe Internet provided by entirely by AT&T/Comcast and a handful of megacorps who are also involved in creating content.

The Internet/Media/Industrial Complex loves to tell us scary stories about how dangerous an "open" Internet can be. Apparently, the Internet, like the "free market" is only good if they can control it.

Just sell us some bandwidth and I'll look out for my own safety, thanks very much.

Re:Final solution

[jon3k]

The problem is the millions of people who are incapable of "looking out for themselves". Those are the machines that compromise the botnets spewing spam, brute forcing services and scanning for new nodes to add to the hive collective. If everyone was like you or I, this would be a non-issue.

Re:Final solution

I'd like to see 2 internets. One where I could use my banks web services and buy products from trusted vendors, and another one where use terms said something along the lines: "When you plug in the ethernet cable you surrender your computer for common use. If someone can hack it it's ok for them to do so. Use at your own risk." Too bad people want to be able to enforce distribution of media files, and there needs to be someone to hold responsible.

captcha: "echelon" I'm quite sure Skynet is here already.

Re:Final solution

[BasilBrush]

"Clearly the only solution is to only let the world's biggest telecoms provide Internet to people."

Straw man. It's a perfectly reasonable solution to weed out the "bad neighbours" rather than ban all smaller ISPs.

Re:Final solution

See pile of straw, know how badly those with resources want to construct a scarecrow. Doesn't invalidate the notion that any cure (whether the scarecrow or a different unstated remedy) could easily become worse than the disease once it is inevitably abused.

Re:Final solution

For the millions of people who are incapable of "looking out for themselves", I'd argue that the internet shouldn't be nerfed because they're ignorant (not necessarily a derogatory term, just lacking in the correct knowledge. Of course for many, it's as derogatory as is possible).

Just like driving a car. You don't just hop behind the wheel and hammer down on the gas pedal, you actually take LESSONS to be able to use it without harming yourself or others. That requires licensing however, so perhaps a better analogy would be using some farm equipment... say, a swather. If you have access to one, you can just hop on it and go nuts on a field. However, if you have no idea what you're doing, there's a pretty damn good chance you're going to harm yourself, something else, someONE else, if you even manage to get it moving in the first place. You would generally want to LEARN how to use one before you go and mow down your children and crash into the house. Just like with a computer... if you have no idea what you're doing, you learn to use it before getting into problems. Either take a class, have someone teach you, read a book... anything!

So stop trying to dumbassify the internet to cater to the absolute lowest common denominator. If someone's having a problem, they can get off their lazy ass and learn something new, instead of whining that it's not simple enough for their pet dog to use. Some of us actually WANT the functionality that comes with having to actually KNOW things.

Thanks a whole hell of a lot

[PopeRatzo]

Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the internet addresses that send spam.

And yet, the article neglects to tell us the names of those 20 ISPs.

It makes you wonder what they're really trying to accomplish with this "study". If they cared about people being safe in the Internet, they could start by telling us exactly where the "bad neighborhoods" are.

Re:Thanks a whole hell of a lot

[John+Bokma]

Yup. However: "Both an abstract and the full text of the PhD thesis entitled “Internet Bad Neighborhoods” are available on request.". Let's all request it, and maybe next time there will be a link to a pdf ;-).

Re:Thanks a whole hell of a lot

[ketamine-bp]

It's there.

http://doc.utwente.nl/84507/1/thesis_G_Moura.pdf

Re:The Internets "real" bad neighborhoods:

[aztracker1]

But... But... Terrorist Children!

OVH, yup

[John+Bokma]

Yup OVH is close to #1 spam source here. Good luck reaching their abuse desk. Another nasty one is Dimenoc. Spamcop seems to become more and more pointless as more and more abuse@ addresses bounce. Furthermore, in my experience, more and more ISPs start using their own forms for reporting... Handling abuse costs time, time = money; it's a whining geek versus a paying customer. And as long as they can get away with it, they prefer the latter (and hence make it very hard for the former to contact them).

Re:OVH, yup

[CBravo]

I have a complete opposite issue. The people with the blocklists, private (e.g. Mimecast, Cleanmail) or public (e.g. URIBL), refuse to say which customer ended me on the blocklist.

I really want to punish the customer that put me there but they give me 0 information, no mail to abuse@, even on request. Or they say: You were on the list, but now you are not (ergo: problem solved). I disagree here: It is not solved until I got the spammert. They just don't care that valid email does not arrive. Sometimes even their customers come to me about this ...

Re:OVH, yup

[John+Bokma]

Do you ever get reports from SpamCop? If not, you might want to verify that you have a working abuse@...

Re:OVH, yup

[CBravo]

Way ahead of you. To sum up most of it (and some more of my own), see here at MailChimp.

Unsecure servers but not the real source

[Saithe]

They're right in that the SPAM comes from servers in those countries, but they are most probably not the original source. I would not be surprised if the only thing they are guilty of is insecure and badly maintained servers that someone found and is utilizing for sending SPAM, and to find the real culprit you'd have to analyse the log-files of every server.

Re:Unsecure servers but not the real source

[reve_etrange]

Maybe, but it seems unlikely that there would be such an extreme concentration (more than half the spam from 20 ISPs out of 42,000) if it were unsecured servers. More likely those few ISPs are conducting or profiting from the spam.

When did spam become evil?

Spam is how these people make money. By blocking spam, you're denying them their revenue.

Block some

[statsone]

ended up blocking anyone in China from accessing sites on my server. After seeing a lot of attacks from Seychelles (SC), blocked that country as well. A lot less spam and attacks.

Two reasons

[dutchwhizzman]

There are two reasons why we are seeing this in the news.

First, it's because China is currently a main economic "enemy" to a lot of western economies when it comes to "jobs" and "quality". These are mainly economy based attacks where trade secrets are the main target. Some are politically based, some are military intel based, but the majority is about economic advantage.

The second reason is that China is hardly trying to disguise that it's a large, government organized and funded group of hackers that is doing this. If Japan, Korea, Russia and China would each be getting large amounts of spear fishing hacking attempts that all originate from the IP addresses of the Pentagon, it would be all over the news as well. The USA is probably doing just the same, either government or private company sponsored. The big difference is that it's not possible to link it without reasonable doubt to a single government controlled source, if any correlations can be made at all.

Re:Two reasons

[AK+Marc]

First, it's because China is currently a main economic "enemy" to a lot of western economies when it comes to "jobs" and "quality". These are mainly economy based attacks where trade secrets are the main target. Some are politically based, some are military intel based, but the majority is about economic advantage.

Yes, if it's a military attack, we might ignore it. If profits are threatened, we must stir the populous into a frenzy. It doesn't even have to be true, the effect of the propaganda campaign will still help secure profits.

The second reason is that China is hardly trying to disguise that it's a large, government organized and funded group of hackers that is doing this. If Japan, Korea, Russia and China would each be getting large amounts of spear fishing hacking attempts that all originate from the IP addresses of the Pentagon, it would be all over the news as well

How would China conceal something they aren't involved in? And are they really tracing them back to the Chinese military? I've not seen documentation of that, usually they end up tracking it down to some guy in his home, they assert him to be a military operation, or something like that. Yes, if it was traced to the Pentagon, it would be interested, But it's not coming from the Chinese military directly. If it were, why is the US publicly accusing them while withholding all incriminating evidence?

Great

I want their IP ranges so only my firewalls will ever see them again.

Block it

[xenobyte]

Simple fix: If the list of ISPs really is that short, just block their prefixes in the core infrastructure and announce this. This way the genuine customers would flee and the ISPs would wise up and kick the spammers. Once unblocked the genuine customers would return (or stop fleeing).

If we're talking about zombie armies doing direct-to-MX spamming, just block that port 25 outbound dammit! - It's a painfully simple fix for any ISP-sysadm. If a zombie cannot spam it's a lot less interesting. If it's located in a BRIC country, chances are there's no money to steal from an online bank, so its only remaining use is as a DDoS participant.

Patroling the Internet

[Max_W]

Often spam is sent from legitimate websites via a malicious script, which is planted there by hackers for spammers.

Humans in general and spammers in particular are very inventive. Automated filters alone are no match for spammers.

The same way, as any attempt to guard prisoners without human guards turned out to be a failure. Prisoners lure dogs, map mines, penetrate electric schemes of perimeter fences, etc.

It makes sense for website owners to participate with a human effort in paroling of the Internet. For example, reporting disguised spam messages to the Spam Black-hole: http://blackhole.mx/ or other reporting services.

By reducing financial attractiveness of spam, they would guard an integrity of their websites, and prevent turning the Internet from an effective global network into the garbage dump.

I want bad ISP

I want a bad ISP so they won't kick back my email saying it's spam when it's just a letter to my dad. FUCK CHARTER COMMUNICATIONS!!!

Yep

Yep. Permit me a tangent... /ranton
"Terrorists!" = let us (the US gov't) wire tap you, monitor your banking activity, and make it so free speech, protection against illegal search and seizure, and right to counsel (or to even know what charges are being brought against you) are no longer protected by law. Now "Chinese hackerz!" will = give us (the US gov't) free reign to monitor all Internet traffic and IPs without warrant and build tactical hacker teams in the NSA who's scope outreaches self defense (i.e., give us the right to hack - or turn off - citizens).

More fear = more liberty taken. And because we're scared, we'll give it away.
Gov't says, "Go about you're business, we'll take care of this big scary thing for you - just grant us the ability to do whatever we need to do to get the job done."
We say, "Please protect us fro that big scary thing. Yes, do whatever you need to do."
3 months later.... "Hey, um....why did I get 'visited' by people in dark suits and sunglasses grilling me about my banking history and things I've said in social media?"

Our governments have done more to scare us than terrorists ever have. /rantoff

Enough ignoring the sources!

[whitroth]

I am *so* tired of China! China! China!

I work for a federal contracttor at a US gov't non-military agency. Yeah, we get our daily dose of Chinese trying to break in with ssh... but we get as many or more from:
      - the Netherlands
      - Brazil
and well below that, Italy, Turkey, Hungary, Kazakhstan, etc.

Do something about Brazil and the Netherlands, guys!

Re:The Internets "real" bad neighborhoods:

Facebook.
4chan.
AOL.com.
wikipedia.
wethepeople.
reddit.
thepiratebay.
al jazeera.
wikileaks.
anandtech.
tomshardware.
urbandictionary.
myfreecams.
engadget.
isohunt.
newegg.

slashdot

FTFY

The icon of this post

Says "censorship", so you are saying that if spam is free expression after all, ./ ?

Re:The Internets "real" bad neighborhoods:

it is a western-style news channel from Arabia.

try the version not directed at westerners.