A Year of SpamRankings.net: Medical Organizations
Figure 1: 2011-2012 World Medical, from CBL volume
The Big Medical Drop in SpamRankings.net has mostly persisted since summer of last year. Various medical organizations appear briefly, but usually vanish from these rankings after they address their spam issues. Two organizations persisted for a year, and one still continues.
In Figure 1, the brown line for March-July 2011 and for January-March 2012 (see also Table 1) is for AS 22328 CSHS of the US, while the differently colored brown line for September-December 2011 is for AS 21992 SSHA-ONE-ASN of CA. Those are two of many medical organizations that had brief spam infestations on a few computers, which they found and fixed.
| 1 | (1) | AS 9208 WIN | BE |
| 2 | (3) | AS 38668 KONKUKHOSPITAL-AS-KR | KR |
| 3 | (10) | AS 22644 TJUH | US |
| 4 | (-) | AS 25825 PVH-ASN-1 | US |
| 5 | (2) | AS 22328 CSHS | US |
| 6 | (-) | AS 25611 NSLIJHS | US |

Table 1: March 2012 World Medical, from CBL volume
The two ASNs that persisted in spamming for a year are AS 9208 WIN of BE and AS 38668 KONKUKHOSPITAL-AS-KR of KR. While Konkuk Hospital's yellow line across the center of the graph stops in March 2012 because that ASN did not appear in the world medical top 10 for April 2012, WIN's orange line across the top continues.
Figure 2 shows that in April 2012 WIN had actually achieved zero spam (as detected by CBL) for a few days, but at the end of the month it started climbing back up the spam chart (blue line).
Figure 2: April 2012 World Medical, from CBL volume
In our drilldowns, WIN shows signs of a variety of botnets, most recently cutwail and waledac. The other most persistent ASN, AS 38668 KONKUKHOSPITAL-AS-KR, also shows signs of botnet infestation, again including cutwail.
WIN appears to be a provider of computing services to medical organizations, different from the other organizations represented in these medical rankings; all the others are operators of hospitals or other medical establishments.
So it seems that these peer rankings are working for the actual peers shown in the rankings, but not as much for the one non-peer organization. Recent statistical analysis (submitted for publication elsewhere) indicates that this is indeed the case.
See Internet Reputation Experiments for Better Security (RIPE Labs 8 November 2010) and Rustock Botnet and ASNs (TPRC September 2011) for references and discussion of the peer comparison theory behind SpamRankings.net.
This material is based upon work supported by the National Science Foundation under Grant No. 0831338. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
We also gratefully acknowledge custom data from CBL, PSBL, Fletcher Mattox and John B. Chambers of the University of Texas Computer Science Department, Quarterman Creations, Gretchen Phillips and GP Enterprise, and especially Team Cymru. None of them are responsible for anything we do, either.
John S. Quarterman for the IIAR project, Andrew B. Whinston PI.
antispam _at_ quarterman _dot_ com