REX and Ukrtelecom

Emile Aben — Oct 22, 2009 01:10 PM
This article reports on an analysis in which we used REX to find out more about the IP addresses used by Ukrtelecom after they were identified as a spam source.

Triggered by a post to anti-abuse-wg _at_ ripe _dot_ net I decided to look into how our Resource Explainer tool can help find data and form an opinion on, in this case, correlation between specific netblocks and spam activity. 

At RIPE59 we presented the Resource Explainer prototype (REX for short). Our goal for REX is to be a one-stop-shop for information you want to know about Internet number resources, so a use case provides a good opportunity to see if we meet our goal. 

The anti-abuse post singled out Ukrtelecom as a spam source. Using the free-text RIPE Database search you can find out that the org-id for this organization is ORG-USTC1-RIPE. If you query the RIPE Database for org-id ORG-USTC1-RIPE you find 7 inetnum objects. REX has a blacklist module that uses spam blacklist data sources, and if you query this module for the ORG-USTC1-RIPE prefixes you can see for yourself whether there is a correlation between spam blacklists and these netblocks:

The results for the uceprotect-level1 blacklist are interesting; this is a blacklist that marks individual IP addresses from which spam email originated. Four of the blocks listed above have around 10% of their individual IP addresses showing up on this list, which is much higher than for the average netblock that is in use (try one of your own netblocks for comparison).
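The "around 10% of individual IP addresses" figure above is a per-block listing rate: the number of addresses in an inetnum range that appear on a per-IP blacklist, divided by the size of the range. The following is an added worked example, not code from this post or from REX, that computes that rate over RIPE-style `start - end` inetnum ranges. The ranges and the set of listed addresses are constructed sample data (documentation prefixes, not the real ORG-USTC1-RIPE allocations), and the 5% threshold is an assumed value you would calibrate against netblocks of your own.

```python
import ipaddress

# Constructed sample inetnum objects, keyed by a hypothetical netname, in the
# "start - end" form used by the RIPE Database. These are documentation
# prefixes, NOT the actual Ukrtelecom allocations.
SAMPLE_INETNUMS = {
    "BLOCK-A": "192.0.2.0 - 192.0.2.255",        # 256 addresses
    "BLOCK-B": "198.51.100.0 - 198.51.100.127",  # 128 addresses
}

# Constructed set of listed addresses, modelled on a per-IP list such as
# uceprotect-level1 (one entry per spamming address). 26 of them fall in
# BLOCK-A, one in BLOCK-B, and one in no block at all.
SAMPLE_LISTED = (
    {f"192.0.2.{i}" for i in range(1, 27)}
    | {"198.51.100.5", "203.0.113.9"}
)


def parse_inetnum(inetnum):
    """Parse 'a.b.c.d - e.f.g.h' into integer (start, end) bounds.

    inetnum ranges need not be CIDR-aligned, so we keep them as integer
    bounds rather than converting to an ipaddress network object.
    """
    start_s, end_s = (part.strip() for part in inetnum.split("-", 1))
    start, end = int(ipaddress.IPv4Address(start_s)), int(ipaddress.IPv4Address(end_s))
    if end < start:
        raise ValueError(f"inetnum end precedes start: {inetnum!r}")
    return start, end


def listing_rate(inetnum, listed):
    """Return (hits, total, percent) for one inetnum against a listed-IP set."""
    start, end = parse_inetnum(inetnum)
    total = end - start + 1
    hits = sum(1 for ip in listed if start <= int(ipaddress.IPv4Address(ip)) <= end)
    return hits, total, 100.0 * hits / total


def summarize(inetnums, listed, threshold_pct=5.0):
    """Compute the listing rate for every block and flag those above threshold.

    threshold_pct is an assumed cut-off; in practice compare against the rate
    you observe for netblocks you know to be clean.
    """
    rows = []
    for netname, inetnum in inetnums.items():
        hits, total, pct = listing_rate(inetnum, listed)
        rows.append({
            "netname": netname,
            "inetnum": inetnum,
            "hits": hits,
            "total": total,
            "percent": round(pct, 2),
            "flagged": pct >= threshold_pct,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_INETNUMS, SAMPLE_LISTED):
        mark = "!!" if row["flagged"] else "  "
        print(f"{mark} {row['netname']:8} {row['inetnum']:32} "
              f"{row['hits']}/{row['total']} = {row['percent']}%")
```

Because the comparison is done on integer bounds, the same function works for inetnum objects that do not map to a single CIDR prefix, which is common in the RIPE Database. The flag only records that a block's rate exceeds the chosen threshold; as the caveats below note, a high rate is a correlation, not evidence of who is sending the spam.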

Of course there are a couple of caveats:

  • REX is only using 4 blacklists, which are not necessarily the best lists (for some definition of best). The observation in the anti-abuse post was specifically about spam posted to forums, whereas the blacklists currently used are mainly related to email spam.
  • Correlation is not necessarily causality, i.e. if Ukrtelecom-delegated blocks show up in blacklists, that doesn't necessarily mean that Ukrtelecom directly causes this.

I'd be interested to hear if people find this use of REX useful, and how we can make it better. One specific improvement I see we could make is including the forum-spam blacklist at http://www.stopforumspam.com/.
