| AS 21788 | NOC |
| AS 27229 | WEBHOST-ASN1 |
| AS 46475 | LIMESTONENETWORKS |
| AS 33055 | BCC-65-182-96-0-PHX |
| AS 15149 | EZZI-101-BGP |
| AS 13768 | PEER1 |
| AS 10439 | CARINET |
| AS 7796 | ATMLINK |
Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table on the right and shown in the chart below:
The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.
AS 21788 NOC was one of the first and worst affected by this spam surge:
You can see the very close correlation of the smooth curve for overall spam from AS 21788 (left axis) with the dotted curve for spam from Ogee (right axis).
AS 10439 CARINET was one of the least affected initially, but its infection by Ogee kept growing into March.
It finally peaked on 7 March.
AS 2914 NTT-COMMUNICATIONS-2914 had a correlation earlier in the month with a different botnet, darkmailer, plus Lethic and several others:
That darkmailer problem recurred at the end of February.
The only one of the U.S. top 10 not to have a spam surge correlated with any specific botnet was AS 20115 CHARTER-NET-HKY-NC. That’s the only ASN that improved in the rankings for February. Although that turned out to be only because the rest of the top 10 got so much worse:
Even Charter’s AS 20115 got a belated spam surge towards the end of February, although CBL tagged the spamming addresses as n/a, so we don’t know which botnet (if any) was causing it.
The one possible correlation in Peru’s top 10 for February 2012 is Telefonica del Peru’s AS 6147 SAA:
AS 6147 turns out to be indeterminate, since the biggest spam burst source was labelled n/a by CBL, which means CBL determined those messages were spam without having to dig deep enough to label the source by botnet. However, the second biggest burst, and one whose curve tracks the overall spam from AS 6147 very closely, is from cutwail.
Meanwhile in Canada, the big spam surge that made AS 32613 IWEB-AS number 1 for February:
Yes, that one correlates with Ogee, too. And it only got worse in March, finally peaking on 8 March 2012, a day after the similar surge peaked for AS 10439 CARINET.
So according to botnet labelling by CBL, 9 ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet.
Next: what other ASNs were affected by Ogee in the same time period?
-jsq
