This article reports on an analysis in which we used REX to find out more about the IP addresses used by Ukrtelecom after they were identified as a spam source.
Triggered by a post to email@example.com, I decided to look into how our Resource Explainer tool can help find data and form an opinion, in this case on the correlation between specific netblocks and spam activity.
At RIPE59 we presented the Resource Explainer prototype (REX for short). Our goal for REX is to be a one-stop shop for the information you want to know about Internet number resources, so a concrete use case is a good opportunity to see whether we meet that goal.
The anti-abuse post singled out Ukrtelecom as a spam source. Using the free-text RIPE Database search you can find out that the org-id for this organisation is ORG-USTC1-RIPE. If you query the RIPE Database for org-id ORG-USTC1-RIPE you find 7 inetnum objects. REX has a blacklist module that uses spam blacklist data sources, and if you query this module for the ORG-USTC1-RIPE prefixes you can see for yourself whether there is a correlation between spam blacklists and these netblocks:
The results for the uceprotect-level1 blacklist are interesting; this is a blacklist that marks individual IP addresses from which spam email originated. Four of the blocks listed above have around 10% of their individual IP addresses showing up on this list, which is much higher than for the average netblock in use (try one of your own netblocks for comparison).
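The measurement described above, the share of individual addresses in an inetnum range that appear on a per-IP blacklist, is easy to reproduce offline. The following is an added example and is not REX code or a RIPE NCC tool; it uses constructed documentation prefixes and a constructed blacklist feed (the names NET-A and NET-B, the 5% threshold and the sample entries are assumptions, not Ukrtelecom's real allocations or real listings). It accepts both the RIPE Database "first - last" inetnum notation and CIDR, skips malformed feed lines, and deduplicates repeated listings so that a noisy feed cannot inflate the fraction.

```python
"""Share of an inetnum range that appears on a per-IP spam blacklist.

Added example, not REX code. RIPE Database inetnum ranges are written as
"first - last"; feeds such as uceprotect level 1 list single IP addresses.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed sample inetnum objects (RFC 5737 documentation prefixes,
# not real Ukrtelecom allocations).
SAMPLE_INETNUMS: Dict[str, str] = {
    "NET-A": "192.0.2.0 - 192.0.2.255",  # 256 addresses, inetnum notation
    "NET-B": "198.51.100.0/25",          # 128 addresses, CIDR also accepted
}

# Constructed per-IP blacklist feed: 26 listings inside NET-A, 2 inside NET-B,
# one address outside both, and one malformed line as feeds sometimes carry.
SAMPLE_BLACKLIST = (
    [f"192.0.2.{i}" for i in range(10, 36)]
    + ["198.51.100.7", "198.51.100.99", "203.0.113.5", "not-an-ip"]
)


def parse_range(text: str) -> Tuple[ipaddress._BaseAddress, ipaddress._BaseAddress]:
    """Return (first, last) addresses for "a - b" inetnum or CIDR notation."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return net.network_address, net.broadcast_address
    first, last = (part.strip() for part in text.split("-", 1))
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or hi < lo:
        raise ValueError(f"invalid inetnum range: {text!r}")
    return lo, hi


def listed_fraction(inetnum: str, blacklist: Iterable[str]) -> Tuple[int, int, float]:
    """Count distinct blacklisted addresses inside the range.

    Returns (listed, size, fraction). Malformed feed lines are skipped and
    duplicate listings counted once, so the fraction is at most 1.0.
    """
    lo, hi = parse_range(inetnum)
    size = int(hi) - int(lo) + 1
    listed = set()
    for entry in blacklist:
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue  # skip junk lines rather than abort the whole run
        if addr.version == lo.version and lo <= addr <= hi:
            listed.add(addr)
    return len(listed), size, len(listed) / size


def flag_blocks(inetnums: Dict[str, str], blacklist: Iterable[str],
                threshold: float = 0.05) -> Dict[str, Tuple[int, int, float]]:
    """Return {name: (listed, size, fraction)} for blocks at or above threshold.

    The 5% default is an assumed cut-off for this example; compare against
    the fraction you measure on netblocks you know to be clean.
    """
    feed = list(blacklist)  # the feed may be a one-shot iterator; reuse it per block
    flagged = {}
    for name, rng in inetnums.items():
        stats = listed_fraction(rng, feed)
        if stats[2] >= threshold:
            flagged[name] = stats
    return flagged


if __name__ == "__main__":
    for name, rng in SAMPLE_INETNUMS.items():
        listed, size, frac = listed_fraction(rng, SAMPLE_BLACKLIST)
        print(f"{name:6} {rng:28} {listed:4}/{size:<4} listed ({frac:.1%})")
    print("above threshold:", sorted(flag_blocks(SAMPLE_INETNUMS, SAMPLE_BLACKLIST)))
```

Run against a real feed by replacing SAMPLE_BLACKLIST with the lines of a downloaded per-IP list and SAMPLE_INETNUMS with the inetnum objects returned by a RIPE Database query; the comparison the article suggests, your own netblocks against the ones under discussion, is then a second call to flag_blocks with the same feed.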
Of course there are a couple of caveats:
- REX only uses 4 blacklists, which are not necessarily the best lists (for some definition of best). The anti-abuse post's observation was specific to spam posted to forums, whereas the blacklists REX currently uses mainly relate to email spam.
- Correlation is not necessarily causality, i.e. if blocks delegated to Ukrtelecom show up in blacklists, that doesn't necessarily mean that Ukrtelecom directly causes this.
I'd be interested to hear whether people find this use of REX useful, and how we can make it better. One specific improvement I can see us making is including the forum-spam blacklist at http://www.stopforumspam.com/.