We have been watching the Nationwide Insurance network for a few months now and have been impressed with the spam/ham ratio: its spamminess is something like 100:1, spam to ham. We have collected some 1,857 spam from 6 IP addresses on Nationwide's network. The breakdown of spam and the hosts that sent it out are listed below:

The kinds of spam we received from Nationwide included pharmacy spam advocating various erectile dysfunction drugs, Rolex watches, graphic pornography, mortgage loans, weight loss and stock pump-and-dumps. While writing this blog post we received 10 more stock pump-and-dumps touting stock ticker EKII, which is down 9% as of Monday evening. Senderbase.com lists 155.188.254.1 as having a 10% increase in daily activity and notes that the host is blacklisted by SORBS.

The main question is whether any of Nationwide's consumer data was compromised. We believe that 155.188.254.1 is an outbound NAT and that the 1,342 spam emitted from that IP address represent some set of internal machines that are compromised. The way the headers were forged leads us to believe that there were several machines behind the suspected NAT. Most malware does some form of keylogging or form-post logging. Could an infection of this size compromise the integrity of their consumer data? Remember that in the TJX data breach researchers still don't understand how the attackers got in or how they decrypted the data, and the company is currently facing litigation in excess of $1.6 billion. CISOs need to understand that today's malware easily captures data before it gets encrypted and moves it off corporate networks without setting off an IDS. A good hint: if your company is sending out spam, you probably have a good botnet infection.

When we finally do get an IT security manager on the phone, the first question they ask is whether any of these spam have been forged, that is, whether the sending addresses were spoofed. Because our traps record the completed TCP connection that delivered each message, making spam appear to come from an address you don't control means hijacking the route for that address so the return traffic reaches you. We therefore answer the question as follows:
- We track all BGP announcements since Jan 2005, and monitor BGP at several locations including our trap locations.
- We match up any bogons or route hijackings with the TCP connect data our spamtraps collect.
- AS26578 [ NATIONWIDEASN2 - Nationwide Services, Inc ], which is responsible for routing the addresses in question, has not had a routing hijack during our period of analysis.
Furthermore, based on observations, had one of these blocks been hijacked the block would have had to be hijacked for a continuous period of several months. Such a routing hijack would also have been noticed, as it would have affected outbound corporate e-mail delivery.
From the points above we conclude that the Nationwide Insurance network blocks were not hijacked in any way, and that several machines internal to their network have been compromised to send spam to the greater population of Internet users. Not every Fortune 500 company we analyze is in as bad shape as Nationwide Insurance. For example, we haven't received a single spam from GEICO during the same period. Next week we will let you know whether Nationwide has brought their systems under control and mitigated their problems. We're of course ready to share information with Nationwide to help track the problem down and get it stopped.

OrgName: Nationwide Mutual Insurance Company
OrgID: NMI-20
Address: One Nationwide Plaza
City: Columbus
StateProv: OH
PostalCode: 43215
Country: US

NetRange: 155.188.0.0 - 155.188.255.255
CIDR: 155.188.0.0/16
NetName: NATE
NetHandle: NET-155-188-0-0-1
Parent: NET-155-0-0-0-0
NetType: Direct Assignment
NameServer: NNS1.NATIONWIDE.COM
NameServer: NNS2.NATIONWIDE.COM
Comment:
RegDate: 1991-11-21
Updated: 2006-08-03

OrgTechHandle: CLW-ARIN
OrgTechName: West, Cher L.
OrgTechPhone: +1-614-249-8631
OrgTechEmail: westc1@nationwide.com

------- ASN Delegation ------
OrgName: Nationwide Services, Inc
OrgID: NATION-354
Address: ONE NATIONWIDE PLAZA
Address: M.S. 1-05-31
City: COLUMBUS
StateProv: OH
PostalCode: 43215
Country: US

ASNumber: 26578
ASName: NATIONWIDEASN2
ASHandle: AS26578
Comment:
RegDate: 2002-10-21
Updated: 2002-10-21

RTechHandle: CLW-ARIN
RTechName: West, Cher L.
RTechPhone: +1-614-249-8631
RTechEmail: westc1@nationwide.com
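As an added illustration of the routing check described above (this is example code written for this page, not code from the original post or from Support Intelligence), the following Python replays a BGP update log against spamtrap TCP-connect records and asks, for each connection, which prefix covered the source address at that moment and whether its origin AS was the one the ARIN records say should announce it. The 155.188.0.0/16 prefix and AS26578 come from the records above; the update log, the trap records, the timestamps and the more-specific 155.188.254.0/24 announcement from AS64500 (a documentation ASN) are all constructed to show what a hijack would look like next to the normal case and a bogon.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Origin AS we expect per prefix, taken from the ARIN/ASN records quoted in the post.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("155.188.0.0/16"): 26578,   # NATIONWIDEASN2
}

# CONSTRUCTED BGP update log for illustration: (UTC timestamp, prefix, origin ASN).
# An origin of None records a withdrawal. AS64500 is a documentation ASN standing in
# for a hypothetical hijacker; none of this is real routing data.
BGP_UPDATES = [
    ("2005-01-01T00:00:00", "155.188.0.0/16", 26578),
    ("2007-04-10T08:00:00", "155.188.254.0/24", 64500),  # more-specific from a foreign AS
    ("2007-04-10T09:30:00", "155.188.254.0/24", None),   # withdrawn 90 minutes later
]

# CONSTRUCTED spamtrap TCP-connect records: (UTC timestamp, connecting IP).
TRAP_CONNECTS = [
    ("2007-04-09T12:00:00", "155.188.254.1"),   # before the hypothetical hijack
    ("2007-04-10T08:45:00", "155.188.254.1"),   # while the /24 was announced by AS64500
    ("2007-04-10T10:00:00", "155.188.254.1"),   # after the withdrawal
    ("2007-04-11T03:00:00", "10.9.8.7"),        # bogon: RFC 1918 space should never reach a trap
]


def build_timeline(updates):
    """Group updates per prefix, sorted by time, so we can ask who originated a prefix at time t."""
    timeline = defaultdict(list)
    for ts, prefix, origin in updates:
        timeline[ipaddress.ip_network(prefix)].append((datetime.fromisoformat(ts), origin))
    for events in timeline.values():
        events.sort(key=lambda e: e[0])
    return timeline


def origin_at(events, when):
    """Origin ASN of the latest announcement at or before `when`; None if withdrawn or never seen."""
    origin = None
    for ts, asn in events:
        if ts > when:
            break
        origin = asn
    return origin


def check_connect(timeline, ip_str, ts):
    """Classify one spamtrap connection against the routing table as it stood at that moment.

    Returns (verdict, prefix, origin_asn); verdict is 'bogon', 'unrouted', 'hijack'
    or 'expected-origin'.
    """
    ip = ipaddress.ip_address(ip_str)
    when = datetime.fromisoformat(ts)
    if ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return ("bogon", None, None)

    # Longest-prefix match among the prefixes that had a live announcement at `when`.
    best = None
    for prefix, events in timeline.items():
        if ip in prefix:
            asn = origin_at(events, when)
            if asn is not None and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, asn)
    if best is None:
        return ("unrouted", None, None)

    prefix, asn = best
    expected = next((e_asn for e_pfx, e_asn in EXPECTED_ORIGIN.items() if ip in e_pfx), None)
    if expected is not None and asn != expected:
        return ("hijack", str(prefix), asn)
    return ("expected-origin", str(prefix), asn)


TIMELINE = build_timeline(BGP_UPDATES)

if __name__ == "__main__":
    for ts, ip in TRAP_CONNECTS:
        verdict, prefix, asn = check_connect(TIMELINE, ip, ts)
        print(f"{ts}  {ip:<16} {verdict:<16} prefix={prefix} origin=AS{asn}")
```

The longest-prefix match is the important part: a hijacker rarely announces the victim's exact prefix, because a more-specific wins the routing decision everywhere, so the origin check has to consider every covering prefix live at the time of the connection rather than only the registered block. A real deployment would feed this from collector data (RIB dumps or MRT update files) instead of a hand-built list.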
We started our tracking project for Affiliated Computer Services on March 10th. It took about a week to catch our first spam from this company, which does BPO for numerous corporate clients. On the 18th we received an offer soliciting Russian Lovers from 63.87.170.71, better known as pat.acs-inc.com. This single machine sent us 96 additional spams over the next few weeks. The flow began as image spam touting various pharmaceuticals and masculine enlargement techniques. Eventually the content changed to Hoodia diet supplements and OEM software. It wasn't until the 23rd of March that 63.87.170.71 really started to spew, however. This address then delivered us another 174 spam on similar topics plus a stock pump-and-dump pushing CWDT.OB (Yahoo charts). The interesting thing is that during the time the Affiliated Computer Services computers were filling your and my inboxes with stock spam, the stock for CWDT did actually swing back and forth. There has been a fair amount of research into stock touting and its apparent effectiveness, meaning that the spam emitted from Affiliated Computer Services might have played a role in some investor losing their shirt purchasing CWDT. For more information on stock spam touting see Spam Works: Evidence from Stock Touts and Corresponding Market Activity. These two IP addresses continued to spew until the 16th of April. All in all we received almost 300 SPAM/UCE from ACS. Between the stock spam and the genital enlargement, it's hard to say which is most bothersome.
Borders seems to do a fairly good job with their containment; unfortunately, today we bring you an analysis of a pharmaceutical spam run launched from Borders servers between March 29 and April 3rd that used resources from six different countries.

As the story goes, on March 29th we began receiving botspam messages from 198.179.227.25 on the Borders network sending us off to buy Viagra at domains created March 23rd and registered to:

Icek Pankovich
Sos. Mihai Bravu, No. 5 Bl. 4, Entr. 4, Apt. 9
Bucuresti, Sector 2 76101
Romania
+040.0212516407
+040.0212516407
icek_pankovich@yahoo.com

The domains are serviced by name servers hosted in Iran, Chile, and Argentina, and registered to owners in China and Texas. All three name server domains were registered in February or March of '07 with a 1 year expiration: quite cheaply disposable.

Name Server: ns1.nopadvene.com
Name Server: ns2.razovinag.com
Name Server: ns1.thefeminine.net

The websites themselves were ultimately hosted by China Telecom, somewhere in Shandong Province. Address: 222.173.251.30

So as you can see, this single spam run makes a six-country tour in its setup and makes a nice little case study in how crooks create jurisdictional nightmares to cover their tracks. Odds of successful prosecution, anyone?

Strangely, on the Borders side there are also wiggles that make the diagnosis less than straightforward. The reverse DNS for the IP address sending all this spam points to bordersgroupinc.com; however, the forward A record for bordersgroupinc.com points to 152.160.1.28, which is routed by AS4595 (ICNET). It's odd that the machine at 198.179.227.25 has a reverse entry pointing to bordersgroupinc.com. Could this be the outbound-facing NAT? Well, the box in question (if it was a single box) forged headers from Yahoo, Google, Gmail and others, noticeably lacking the DomainKeys signature headers that accompany legitimate mail from Yahoo!

As for the legitimate Borders mail, it comes from 198.179.227.40 (outboundsmtp.bordersgroupinc.com). All the mail from this server has Received headers from internal RFC 1918 space with reverse DNS pointing to an internal zone claiming to be corpex01.bgpcorp.net, which doesn't jibe with the global DNS but seems more or less legit. All of which just shows some of the oddities encountered when tracking these types of incidents down. This kind of compromise happens every day to large and small companies, with the odds of successful prosecution of the criminals involved nearly zero.

On the positive side, we're happy to report that Borders was able to mitigate the infection within a week, which is fast compared to some companies that have had infections for months. Stay tuned, we'll be highlighting some of those shortly. We'll also review some of the companies we've analyzed over the past few weeks to see if any have cleaned themselves up or continue to pollute our mailboxes.

A sample of the spam as it arrived at our trap (headers, then body):

X-SENDER-IP: 198.179.227.25
X-HELO: bordersgroupinc.com
X-UUID: 9d9baf6b-f6aa-4261-9d50-598887d541ff
X-ECP: BordersGroup
Return-Path: <sociologistsoot's@partyallnight.net>
Received: from 66.196.126.37 (HELO mx5.biz.mail.yahoo.com) by locaos.com with esmtp (20Q,WW067.4I )HQ8) id 5.0GBD-IAQ'IF-,2 for rry563@locaos.com; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton"
To:
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
Message-ID: <01c7720a$1c87cdd0$6c822ecf@sociologistsoot's>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0006_01C771E8.95762DD0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: Aca6QO.5147K'S79Y8@PLZ,WW?9U5R==
This is a multi-part message in MIME format.
------=_NextPart_000_0006_01C771E8.95762DD0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit
Dear valued member! More and more people are getting concerned with the problem of fake drugs sold on the Web. This letter is aimed at helping you choose a really reliable Internet drugstore. It's not a secret that many Web pharmacies are trying to make profits by selling fake drugs that not only prove to be totally useless but also can cause serious health problems. USDrugs is one of very few Internet drugstores that always offer only 100% generic meds.
Hope that you will find the information provided useful. Please click here for more information.
With Best Regards, Denis Denton USDrugs B.V.
URLS REMOVED
Whois for the IP address that sent us the lovely request to look for new medications:

OrgName: Borders, Inc.
OrgID: BORDER-4
Address: 54 S. State Road
City: Ann Arbor
StateProv: MI
PostalCode: 48109
Country: US

NetRange: 198.179.225.0 - 198.179.228.255
CIDR: 198.179.225.0/24, 198.179.226.0/23, 198.179.228.0/24
NetName: NETBLK-BORDERS
NetHandle: NET-198-179-225-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.WCOM.NET
NameServer: NS3.WCOM.NET
NameServer: NS2.WCOM.NET
Comment:
RegDate: 1993-11-04
Updated: 2001-10-01
In our effort to bring attention to the fact that many corporations unknowingly send spam, we bring you an analysis of Clear Channel. Every day we receive many legitimate emails from Clear Channel touting radio and TV stations, with titles like Newsradio 850, KOA Traffic Alert or Free Money - Free Trips, as well as loads of concert updates for every major metropolitan area of the United States. Back in March, we started getting titles like Best Prices on Medication mixed in with our KOA Traffic Alerts. We first noticed image-based pharmaceutical spam from 207.230.140.240 on 03/12/2007 advocating Viagra and HGH. Similar spam arrived from another Clear Channel address, 62.190.150.183, this time from Europe. These compromised machines appeared to have been cleaned up, as we didn't see anything from them for nearly 2 weeks. On March 29th, however, we noticed 62.190.150.183 pumping pharma spam, with 207.230.140.240 joining in just a few minutes later. This particular infection ran much longer. These two addresses were responsible for delivering some 212 spam emails to our traps. Then around April 4th we received mortgage spam notifying us of our loan acceptance for $396,000; we just need to click here. On April 10th, 207.230.140.240 started sending us OEM spam pushing Adobe and Microsoft products.

In summary, it looks as though Clear Channel has a continuing problem with infected computers pumping spam advocating illegal pharmacies, unlicensed software, and identity theft. It's not that Clear Channel is different from Intel, Best Buy, or Bank of America. All these companies have had botnet activity on their networks in the last 30 days. The point is that a great many companies have been hit by these problems. The differentiator is whether a company cares, what they do about the problem, and how fast they clean it up.

Nobody expects security to be flawless, but our Internet shouldn't be Unsafe at Any Speed, and especially not from organizations that have the resources available to address the problems once awareness of the problem exists; hence our blog and DOA list. FYI, Clear Channel delivered over 2,000 emails to our traps in under 45 days, only 10% of which was botnet spam. But it's that 10% that's making our Internet an unsafe place to be. The question is: what are you going to do about it?

OrgName: Clear Channel Communications
OrgID: CCC-111
Address: Clear Channel Worldwide
Address: 20880 Stone Oak Parkway
City: San Antonio
StateProv: TX
PostalCode: 78258
Country: US

NetRange: 207.230.128.0 - 207.230.159.255
CIDR: 207.230.128.0/19
Bank of America

We had to wait for this one to settle down a bit before we brought it out in the open. We track many of the major banks in the USA. Today we review a week of spam from Bank of America. We have observed many months of good behavior from BofA, but starting on April 2, 2007 a lone system named system6.bofasecurities.com [63.80.4.6] got infected with something nasty. The situation lasted until the evening of April 6th. During this time we collected 226 spam. Support Intelligence wasn't the only place that noticed this box spew: System6 was blacklisted by CBL, TQM 3, and UCEProtect. We also note that this same system has been blacklisted by Spamhaus before, on 2006-12-31 and 2007-03-30. None of the spam we collected from System6 had any Received headers, so we believe all the mail to have originated from hosts outside of Bank of America, probably via a SOCKS proxy; so let's be clear that this appears to be a casual penetration of [our attorney has encouraged us to leave this space blank].

On April 9th a new system popped up, host-63-117-180-6.eprimebroker.com [63.117.180.6], which is routed by AS19438 (PRIME-BROKERAGE - Bank of America). This host primarily unloaded OEM software spam. It appears that the folks at ePrimeBroker are on top of it, as this host only got 4 spam into our traps before being shut down. The 4 spam from ePrimeBroker all arrived within 90 minutes of each other, and we have not detected a new spam since April 9th. During its prime it was blacklisted by CBL and Spamhaus, while SenderBase showed a 316% increase in its SMTP traffic. With 9 weeks of analysis that showed no indication of bots, I'd say BofA did a great job up until our 10th week of observation, when they had two separate infestations. The good news is at least one was noticed and shut down quickly. Bank of America will get infected again, and we'll bring you a timely report of it.
At 4:07pm PDT today we received yet another spam from Conseco, specifically the web server at 205.144.127.10, which has sent our traps some 296 spam in the last 30 days. Today it was Viagra links, yesterday HGH and OEM software, the day before, image spam. The week of March 12th brought us some tranny pornography with titles like Beusty Wkoman Srucks BIGFCOCK & Taitty Fjuck In Piool and Cjlassy Tdanned SHYEMALE Balowjob & Djoggystyle Feuck. Several of the lovely notes from the server at 205.144.127.10 had Received: headers. The following machines apparently proxied 6 of the 296 transactions through it:
- Received: from 65.112.18.68 (HELO mrclean.mnimaging.com)
- Received: from 208.180.123.23 (HELO mail.ftwoods.com)
- Received: from 62.249.192.203 (HELO mx1.freeola.net)
- Received: from 212.14.64.180 (HELO mail.ijb.de)
- Received: from 217.12.160.3 (HELO smtp.yepa.com)
- Received: from 64.71.166.217 (HELO sesmail-com-bk.mr.outblaze.com)
The forward and reverse DNS for these hosts do seem to match up, and none are listed on any DNS RBL that we know of. The only oddity is that while each FQDN resolves to the listed IP address, some of the reverse entries don't match the FQDN exactly, though they are close enough. This isn't how SMTP relaying works, though: for these hosts to have handed mail to 205.144.127.10, that box would have to be accepting SMTP connections, and with Nmap reporting all the ports on 205.144.127.10 as closed, I'm confused how other servers could proxy any of the spam through it. Therefore I'm going to call the headers in the 6 apparently proxied transactions forged. (A scan taken after the fact can't rule out a listener that was open at the time, but nothing else in these messages supports the relay story.) My best guess is that the host is a decommissioned web server for conseco.com, as the reverse DNS points to conseco.com; however, the forward DNS for conseco.com has an A record of 205.144.125.110. Since these are different, and 205.144.125.110 has the reverse for 10 or so other names, I can imagine a transition that just left the old conseco.com web server out dangling. This server has been infected for over a month and sits on the same /24 that all of the other main company resources reside on. We will come back and review this one again in a week or so and see if anyone has cleaned it up.
We started watching Toshiba's network on Feb 23, 2007. Since that very day one host has shone above the others, spewing every variety of spam. The host [12.145.34.103] has actively sent spam dating back as far as July 17th, 2006. It has been listed on CBL, Spamhaus, TQMcube, UCEProtect, and WPBL. All in all it was listed some 105 times for sending SPAM/UCE in the last 9 months. Every spam we captured from the host used a different HELO in the SMTP transaction to deliver mail to our traps. There were no Received headers. Of the 716 spam we have received from this one host, we collected stock touts for WSDC.PK (up big!), CDYV.PK (up a hefty 25% today), CCTI.PK (ouch, down almost 100% from its high) and SPSY.PK. There were also Rolex watch and other trademark/brand spam. I don't buy the nmap analysis below, but I thought it interesting enough to include. This device is determined by nmap to be a Cisco load balancer. We are constantly surprised. (Nmap itself warns that its OS fingerprint is unreliable without at least one open and one closed port to probe, and this scan found no open port at all, which is reason enough for skepticism.)

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-17 20:51 PDT
Interesting ports on 12.145.34.103:
Not shown: 1681 closed ports
PORT     STATE    SERVICE
178/tcp  filtered nextstep
605/tcp  filtered unknown
654/tcp  filtered unknown
1076/tcp filtered sns_credit
5050/tcp filtered mmcc
5101/tcp filtered admdog
5190/tcp filtered aol
5192/tcp filtered aol-2
5193/tcp filtered aol-3
5510/tcp filtered secureidprop
5520/tcp filtered sdlog
5530/tcp filtered sdserv
5540/tcp filtered sdreport
5550/tcp filtered sdadmind
5555/tcp filtered freeciv
5560/tcp filtered isqlplus
Device type: load balancer
Running: Cisco embedded
OS details: Cisco CSS 11501 Content Services Switch
We've been collecting spam from a corporate email gateway (205.142.53.51) over at Business Week, which is owned by McGraw-Hill, which is responsible for announcing the 205.142.52.0/22 block from AS4546. This particular computer is one of Business Week's outbound mail gateways, better known as mail03-1.mcgraw-hill.com. It's been showering our traps with titles like Become a better lover and Enjoy complete and total confidence every time. This server isn't botted; it's just an IronPort box [aren't they owned by Cisco now?] that's forwarding spam. But where is the spam coming from? Upon deeper inspection a Received header indicates that this mail server received the message from a host (bw-www2-hts.mcgraw-hill.com) with an RFC 1918 address [172.16.40.20]. This all sounds very complicated. It gets worse: there are other compromised web servers in other business units all leveraging the same technique, using a compromised system to send out spam through the outbound corporate mail gateways, in this case an IronPort anti-spam system. One of the other systems that caught our eye is [corona.eppg.com], which sprouted titles like Obesity is the number one cause of premature death in Americans. This box used the same technique, exiting its spam through another outbound mail server at 198.45.24.235. This host's block was registered to "Macmillan/McGraw-Hill School Publishing Company", which does K-6 schoolbooks. That's friggin' kindergarten through 6th grade books. Do you think they interact with kids over their website? Yep, the kiddies log in at http://glencoe.passkeylearning.com/LoginController

These computers have been spewing spam for some time now; I'm interested to know if they also have keyloggers operating on them. Well, I doubt we will hear from their systems administrator; we wrote this post because we couldn't figure out how to report instances like this. Hey, Mr. Business Week, you got 0wned!

A set of e-mail headers from the ~100 messages we analyzed:

X-SENDER-IP: 205.142.53.65
X-ENVELOPE: EHLO mail04-1.mcgraw-hill.com MAIL FROM: RCPT TO:
X-HELO: mail04-1.mcgraw-hill.com
X-UUID: 7ce71508-07ab-4427-bafd-cdd5fa56d7fa
X-ECP: McGrawHill
Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20]) by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400
X-IronPort-AV: i="4.14,384,1170651600"; d="scan'208"; a="13150503:sNHT79478476"
Received: (from busweek@localhost) by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382; Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Date: Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Message-Id: <200704071355.l37dtc705382@bw-www2-hts.mcgraw-hill.com>
To: bwwebmaster@businessweek.com
From: planet8094@businessweek.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
Subject: An all natural solution that studies prove works wonders

Another message's headers, for the PASSKEYLEARNING.COM site:

X-SENDER-IP: 198.45.24.235
X-ENVELOPE: EHLO corona.eppg.com MAIL FROM: RCPT TO:
X-HELO: corona.eppg.com
X-UUID: 5aa1d38b-fb32-4ac6-8aac-8ad1845c09eb
X-ECP: McGrawHill
Received: (from passkeylearning.com@localhost) by corona.eppg.com (8.11.7p3+Sun/8.10.2) id l2BDxSl23545; Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
Date: Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
From: passkeylearning.com@corona.eppg.com
Message-Id: <200703111359.l2bdxsl23545@corona.eppg.com>
To:
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
Subject: Obesity is the number one cause of premature death in Americans

The ARIN IP address delegation for the IP addresses mentioned above:

OrgName: Businessweek Corporation
OrgID: BUSINE
Address: 1221 Avenue of the Americas
City: New York
StateProv: NY
PostalCode: 10020
Country: US

NetRange: 205.142.52.0 - 205.142.55.255
CIDR: 205.142.52.0/22
NetName: BUSINESSWEEK
NetHandle: NET-205-142-52-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Assignment
NameServer: CORP
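Several of the posts above (Borders, Conseco, Bank of America, Toshiba and this one) turn on reading a message's Received: chain against what the trap itself saw, so here is that check written out in Python as an added example; it is not code from the original posts or from Support Intelligence. It treats the trap's own X-SENDER-IP and X-HELO record as ground truth and asks three things of the Received headers that arrived with the message: does the newest one claim to have been written by the host that actually connected (if not, the chain was pre-forged, as with the Borders "by locaos.com" header), is the oldest one a sendmail local submission (the "(from busweek@localhost)" form, which pins the spam to the web server that generated it), and does any hop come from RFC 1918 space. The first two header blocks are copied from the samples on this page; the third, with no Received headers at all, is constructed to stand in for the BofA and Toshiba pattern where the bot spoke SMTP to the trap directly. The port-scan cross-check used in the Conseco post is not reproduced here.

```python
import ipaddress
import re
from email import message_from_string

# Header block copied from the BusinessWeek/McGraw-Hill sample above (body dropped).
# X-SENDER-IP / X-HELO are the trap's own record of who actually connected to it.
MCGRAWHILL_MSG = """\
X-SENDER-IP: 205.142.53.65
X-HELO: mail04-1.mcgraw-hill.com
Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20]) by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400
Received: (from busweek@localhost) by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382; Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
From: planet8094@businessweek.com
To: bwwebmaster@businessweek.com
Subject: An all natural solution that studies prove works wonders

"""

# Header block copied from the Borders sample above (body dropped).
BORDERS_MSG = """\
X-SENDER-IP: 198.179.227.25
X-HELO: bordersgroupinc.com
Return-Path: <sociologistsoot's@partyallnight.net>
Received: from 66.196.126.37 (HELO mx5.biz.mail.yahoo.com) by locaos.com with esmtp (20Q,WW067.4I )HQ8) id 5.0GBD-IAQ'IF-,2 for rry563@locaos.com; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton"
Subject: Fwd: Pharmacy bulletin

"""

# CONSTRUCTED stand-in for the BofA/Toshiba pattern: the bot talks SMTP to the trap
# directly and writes no Received header of its own (192.0.2.10 is documentation space).
DIRECT_BOT_MSG = """\
X-SENDER-IP: 192.0.2.10
X-HELO: wxyz.example
From: "Rolex Deals" <deals@example.net>
Subject: Britney loves Rolex

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RECEIVED_RE = re.compile(
    r"^\s*(?:from\s+(?P<host>\S+))?"              # "from <name-or-ip>" (absent for local submission)
    r"(?:\s*\(from\s+(?P<local>[^)]+)\))?"        # sendmail: "(from user@localhost)"
    r"(?:\s*\(HELO\s+(?P<helo>[^)\s]+)\))?"       # "(HELO name)" as IronPort and qmail write it
    r"(?:\s*\(\[?(?P<ip>" + IPV4 + r")\]?\))?"   # "([172.16.40.20])"
    r".*?\bby\s+(?P<by>\S+)",                     # the host that claims to have received it
    re.IGNORECASE,
)


def parse_received(value):
    """Pull host, helo, ip, by and local submitter out of one Received: header (None if absent)."""
    m = RECEIVED_RE.match(" ".join(value.split()))
    if not m:
        return None
    hop = {k: (v.lower() if v else None) for k, v in m.groupdict().items()}
    if hop["ip"] is None and hop["host"] and re.fullmatch(IPV4, hop["host"]):
        hop["ip"] = hop["host"]  # qmail-style "from 1.2.3.4 (HELO ...)"
    return hop


def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def analyze(raw):
    """Return (tag, detail) findings about where a trapped message really came from.

    Only X-SENDER-IP / X-HELO are trusted; every Received: header arrived with the
    message and may have been written by the sender, so each is checked only for
    consistency with the hop the trap itself observed.
    """
    msg = message_from_string(raw)
    sender_ip = msg.get("X-SENDER-IP", "").strip().lower()
    sender_helo = msg.get("X-HELO", "").strip().lower()
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    findings = []

    if not hops:
        findings.append(("no_received", f"{sender_ip} spoke SMTP to the trap directly; "
                                        "the message was generated on that host or a proxy running on it"))
        return findings

    # The newest Received (first in the header block) should have been written by the host
    # that then connected to us. A different 'by' name means the chain was pre-forged.
    # Heuristic: a legitimate gateway may name itself differently in HELO and in 'by'.
    top = hops[0]
    if top["by"] and top["by"] not in (sender_helo, sender_ip):
        findings.append(("forged_chain", f"top Received says 'by {top['by']}' but the message "
                                         f"came from {sender_ip} (HELO {sender_helo})"))

    # The oldest Received is the claimed origin; sendmail's "(from user@localhost)" form means
    # the mail was injected locally on the 'by' host, i.e. that host generated it.
    origin = hops[-1]
    if origin["local"]:
        findings.append(("local_injection", f"generated on {origin['by']} by local user {origin['local']}"))

    # Any hop from RFC 1918 space means an internal machine fed the outbound gateway.
    for hop in hops:
        if hop["ip"] and is_private(hop["ip"]):
            findings.append(("internal_hop", f"{hop['helo'] or hop['host']} [{hop['ip']}] "
                                             f"handed the message to {hop['by']}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("McGraw-Hill", MCGRAWHILL_MSG), ("Borders", BORDERS_MSG), ("direct bot", DIRECT_BOT_MSG)):
        print(name)
        for tag, detail in analyze(raw):
            print(f"  {tag:16}{detail}")
```

On the McGraw-Hill sample this reports a local injection on bw-www2-hts.mcgraw-hill.com plus an internal hop from 172.16.40.20, which is exactly the web-server-behind-the-gateway picture described above; on the Borders sample it flags the chain as forged because the message claims to have passed through locaos.com yet arrived straight from 198.179.227.25. Treat the forged-chain result as a lead rather than proof, for the reason in the comment.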
Aflac's Email Dysfunction

Today we look into why Aflac, Inc (AFL), an insurance company with millions of consumer records at risk, can't keep from sending out a megaton of pharma spam. According to SenderBase, 209.37.4.38 has increased its outbound e-mail by 757% in the last 24 hours. Apparently SpamCop noticed too. I guess it is hard to keep bots off your network with over 7,700 employees and a market cap of over $23 billion. Maybe Mr. Amos with his $6M in salary can do something to protect all those innocent customer records being sniffed. We will tune in next week to see if anything has changed.
We analyzed over 22,000 ASNs for every kind of eCrime, including DDoS, scanning, hosting malware, sending spam, hosting a phish, or transmitting viruses. Below are the top 100 networks and the volume of incidents in the last 7 days. We posted the complete list of networks with more than 28 incidents in the last 7 days to the DOA report list, which you can sign up for at http://www.support-intelligence.com/doa/
+-------+------------------------------------------+--------+
| asn   | org_name (first 40 chars)                | volume |
+-------+------------------------------------------+--------+
|  4134 | No.31,Jin-rong Street - Beijing - 100032 |  80279 |
|  5617 | Polish Telecom's commercial IP network   |  63652 |
|  3320 | Deutsche Telekom AG                      |  37871 |
|  9121 | Turk Telekom A.S.                        |  34459 |
| 19262 | Verizon Global Networks                  |  27315 |
|  7738 | Telecomunicacoes da Bahia S.A.           |  26695 |
| 27699 | TELECOMUNICACOES DE SAO PAULO S/A - TELE |  21487 |
|  3462 | Data Communication Business Group - Chun |  19756 |
|  4766 | Korea Internet Exchange -                |  15632 |
|  8151 | Uninet S.A. de C.V.                      |  15376 |
|  9498 | BHARTI BT INTERNET LTD. - BHARTI BRITISH |  14749 |
|  3215 | France Telecom Transpac Domestic IP Back |  14216 |
|  3209 | Arcor AG & Co.                           |  13672 |
|  4788 | TMnet, Telekom Malaysia - AS list of TMn |  11714 |
|  3269 | TELECOM ITALIA - INTERBUSINESS NET       |  11470 |
|  3352 | Internet Access Network of TDE - Spanish |   9751 |
|  9318 | HANARO Telecom                           |   8438 |
|  5483 | Hungarian Telecom - Public Internet Acce |   8206 |
|  6147 | Telefonica del Peru S.A.A.               |   8070 |
|  8359 | MTU-Intel Moscow region network          |   7992 |
|  6713 | Itissalat Al-MAGHRIB - MAROC TELECOM     |   7840 |
|  1267 | Infostrada S.p.A. - IUnet S.p.A.         |   7290 |
|  7470 | ASIA INFONET Co.,Ltd. - Internet Service |   7152 |
|  2856 | BTnet UK Regional network                |   7065 |
|  4814 | IP networkChina169 Beijing Broadband N   |   6755 |
|  4755 | Videsh Sanchar Nigam Ltd. Autonomous Sys |   6218 |
| 17813 | Mahanagar Telephone Nigam Ltd. - ISP Div |   6191 |
|  4713 | NTT Communications Corporation           |   5470 |
| 13184 | HanseNet Telekommunikation GmbH - Hambur |   5453 |
| 15557 | LDCOM NETWORKS pan european service Prov |   5192 |
|  7418 | Terra Networks Chile S.A.                |   5057 |
|   209 | Qwest                                    |   5041 |
|  5430 | freenet City LINE GmbH - Willstaetterstr |   4743 |
|  1680 | NetVision Ltd. - NetVision Ltd.          |   4525 |
|  6849 | JSC UKRTELECOM                           |   4460 |
| 20115 | Charter Communications                   |   4412 |
| 22047 | VTR BANDA ANCHA S.A.                     |   4361 |
|  5486 | Euronet Digital Communications - (1992)  |   4106 |
| 11427 | Road Runner                              |   4075 |
|  7132 | SBC Internet Services - Southwest        |   3851 |
|  3243 | Telepac - Comunicacoes Interactivas, SA  |   3689 |
|  9583 | Satyam Infoway Ltd., Private ISP in Indi |   3586 |
|  8764 | LIETUVOS-TELEKOMAS Autonomous System - V |   3549 |
|  3257 | Tiscali International Network B.V.       |   3541 |
|  5462 | Telewest Broadband - UK Broadband ISP    |   3467 |
|  9304 | Hutchison Telecom (HK) - Mobile, pager,  |   3280 |
| 17858 | KRNIC - Korea Network Information Center |   3236 |
|  6739 | Cableuropa - ONO - C./ Basauri, 5 - Urba |   3222 |
|  5089 | NTL Group Limited - Hook, Hampshire - Un |   3190 |
| 18101 | Reliance Infocom Ltd Internet Data Centr |   3163 |
| 10036 | C&M Communication Co. Ltd.               |   3140 |
|  4230 | Embratel                                 |   3110 |
| 20001 | Road Runner                              |   3056 |
|  7552 | Vietel Corporation - Internet Exchange a |   2987 |
| 17974 | PT TELEKOMUNIKASI INDONESIA - JL JAPATI  |   2934 |
|  6805 | Telefonica Deutschland Autonomous System |   2840 |
|  8881 | KomTel routing policies                  |   2826 |
|  5391 | HT, HiNet, Croatian telecom              |   2683 |
| 16338 | AUNA Autonomous System - AUNA Group. - P |   2632 |
| 18403 | The Corporation for Financing & Promotin |   2632 |
| 24863 | LINKdotNET AS number - for any abuse com |   2564 |
| 15311 | Telefonica Empresas                      |   2524 |
| 12271 | Road Runner                              |   2522 |
|  6327 | Shaw Communications Inc.                 |   2511 |
| 33287 | Comcast Cable Communications, Inc.       |   2460 |
|  9689 | Future's Cable Television, Inc. - 463-57 |   2444 |
| 13285 | Opal Telecom - Northbank Industrial Esta |   2444 |
| 17839 | Dreamcity Media - 423-6 Songnae-dong Sos |   2433 |
|  7029 | Alltel Information Services, Inc.        |   2423 |
|  5610 | CZECH TELECOM, a.s - Olsanska 6 - Prague |   2395 |
| 19429 | ETB - Colombia                           |   2390 |
|  7015 | Comcast Cable Communications Holdings, I |   2277 |
| 12479 | Uni2 Autonomous System - Spain           |   2242 |
| 11351 | Road Runner                              |   2196 |
|  5384 | Emirates Internet - Public Internet Serv |   2182 |
| 11426 | Road Runner                              |   2158 |
| 12542 | TVCABO Autonomous System - Portugal      |   2136 |
|  1221 | Telstra Pty Ltd - Locked Bag No. 5744 -  |   2082 |
| 12741 | Netia Telekom SA                         |   2049 |
|  6057 | Administracion Nacional de Telecomunicac |   1969 |
|  4775 | Telecom Carrier                          |   1943 |
|  9506 | Magix Broadband Network - Singapore Tele |   1848 |
| 33651 | Comcast Cable Communications, Inc.       |   1846 |
| 10796 | Road Runner                              |   1825 |
|  5603 | SiOL Internet d.o.o. - Internet Service  |   1799 |
| 36727 | INSIGHT COMMUNICATIONS COMPANY, L.P.     |   1781 |
|  5713 | Telkom SA Ltd.                           |   1751 |
| 20214 | Comcast Cable Communications Holdings, I |   1745 |
|  4808 | IP networkChina169 Beijing Province Ne   |   1726 |
|  9141 | UPC Poland                               |   1714 |
|  9050 | RTD-ROMTELECOM Autonomous System Number  |   1689 |
|  5668 | CenturyTel Internet Holdings, Inc.       |   1669 |
| 33491 | Comcast Cable Communications, Inc.       |   1663 |
|  6478 | AT&T WorldNet Services                   |   1638 |
|  1257 | SWIPnet - Swedish IP Network             |   1635 |
| 17864 | Hanvit I&B - 519-1, Gojan-Dong, Ansan-Ci |   1609 |
|  7693 | KSC Commercial Internet Co. Ltd. - 2/4 S |   1601 |
| 22291 | Charter Communications                   |   1593 |
|  3816 | Empresa Nacional de Telecomunicaciones   |   1576 |
| 10091 | SCV Broadband Access Provider            |   1429 |
+-------+------------------------------------------+--------+

American International Group pulls in $113 billion in revenue per year, with $77 billion in cash on hand. They also have bots running on their network. AIG wrote us to let us know that Britney Spears loves Rolex watches! Apparently. Or maybe just replicas. In either case, AIG sent us over 275 Rolex come-ons in the last month. They're also apparently interested in our sex life, as they've asked us to visit this website: http://womqat.hsuj.hk

The repeated requests have arrived from breeze.agfg.com and hail.agfg.com at 161.159.4.82 and 161.159.4.81 respectively. The site offers what are apparently black-market pharmaceuticals from a company with no phone number, false whois information, and a domain registered on February 18th, less than a month before we received the advertisement. The products offered on the site use the trademarks of Pfizer, Eli Lilly, Bayer, GlaxoSmithKline, you name it. The company also has 15 public blacklistings since December 2006, on 3 separate public lists, from 11 separate IP addresses. We encourage AIG to take a close look at breeze and hail, listed above.

Thomson Financial Corporation: number two in our profile of companies with bots running on their networks. On April 1st, we noted 198.80.153.10 (153-10.tfn.com) connecting to a command and control server via IRC. Unfortunately this is no April Fool's joke. Nor is the botspam they've been sending us over the last month, such as this pump and dump sent from 198.80.128.88 on 3-15-2007:

We'd also recommend checking out 198.80.189.10, which sent us over 25 pieces of botspam in March, most of which touted different over-the-counter stocks.
Brian Krebs of The Washington Post wrote an insightful piece on Fortune 500 companies, the bots on their networks, and the spam coming from their networks. The article appeared in Brian's Security Fix blog and called out ExxonMobil, American Electric Power, IndyMac Bank, Dow Jones and a handful of others with recent problems on their networks. Which is no big deal if you don't drive a car, light your home, carry a mortgage, or read the news. Then again, doesn't the security of our power plants, oil tankers, banks, and news organizations affect every one of us?
Dan Goodin of The Register wrote an excellent article on bots operating on corporate networks. The article, entitled Bots inside the Perimeter, features data collected from the Support Intelligence network and highlights distinct cases of bot spam flowing out of Oracle, HP, Best Buy, and others. In the case of Oracle, the botspam was actually a phishing attack on PayPal. And with Best Buy the amount of spam pouring out its scuppers was in the thousands per week. Houston, we have a problem.