You are here: Home > Publications > RIPE Labs > John S. Quarterman > A Year of Medical Organizations

A Year of Medical Organizations

John S. Quarterman — 22 May 2012
Peer rankings help keep medical organizations clean of spam. This is a follow-up to an earlier article: The Big Medical Drop in
Figure 1: 2011-2012 World Medical from cbl volume
Figure 1: 2011-2012 World Medical logo
from cbl volume

The Big Medical Drop in has mostly persisted since summer of last year. Various medical organizations appear briefly, but usually vanish from these rankings after they address their spam issues. Two organizations persisted for a year, and one still continues.

In Figure 1 the brown line for March-July 2011 and for January-March 2012 (see also Table 1 ) is for AS 22328 CSHS of the U.S. US , while the different color brown line for September-December 2011 is for AS 21992 SSHA-ONE-ASN of Canada CA . Those are two of many medical organizations that had brief spam infestations on a few computers that they found and fixed.

1 (1) AS 9208 WIN Belgium BE
2 (3) AS 38668 KONKUKHOSPITAL-AS-KR Korea, South KR
3 (10) AS 22644 TJUH United States US
4 (-) AS 25825 PVH-ASN-1 United States US
5 (2) AS 22328 CSHS United States US
6 (-) AS 25611 NSLIJHS United States US
Table 1: March 2012 World Medical logo
from CBL volume

The two ASNs that persisted in spamming for a year are AS 9208 WIN of Belgium BE and AS 38668 KONKUKHOSPITAL-AS-KR of Korea KR . While Konkuk Hospital's yellow line across the center of the graph stops in March 2012 because that ASN did not appear in the world medical top 10 for April 2012, WIN's orange line across the top continues.

Figure 2 shows that in April 2012 WIN had actually achieved zero spam (as detected by CBL) for a few days, but at the end of the month it started climbing back up the spam chart (blue line).

Figure 2: April 2012 World Medical from cbl volume
Figure 2: April 2012 World Medical logo
from cbl volume

In our drilldowns WIN shows signs of a variety of botnets, most recently cutwail and waledac. The other most persistent ASN, AS 38668 KONKUKHOSPITAL-AS-KR also shows botnet infestation signs, also including cutwail.

WIN appears to be a provider of computing services to medical organizations, different from the other organizations represented in these medical rankings; all the others are operators of hospitals or other medical establishments.

So it seems that these peer rankings are working for the actual peers shown in the rankings, but as much not for the one non-peer organization. Recent statistical analysis (submitted for publication elsewhere) indicates that this is indeed the case.

See Internet Reputation Experiments for Better Security (RIPE Labs 8 November 2010) and Rustock Botnet and ASNs (TPRC September 2011) for references and discussion of the peer comparison theory behind


This material is based upon work supported by the National Science Foundation under Grant No. 0831338. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

We also gratefully acknowledge custom data from CBL, PSBL, Fletcher Mattox and John B. Chambers of the University of Texas Computer Science Department, Quarterman Creations, Gretchen Phillips and GP Enterprise, and especially Team Cymru. None of them are responsible for anything we do, either.

John S. Quarterman for the IIAR project, Andrew B. Whinston PI.
antispam _at_ quarterman _dot_ com


Add comment

You can add a comment by filling out the form below. Comments are moderated so they won't appear immediately. If you have a RIPE NCC Access account, we would like you to log in.