Spamhaus project

The World’s Worst Spammers

Link: (original text from spamhaus.org)

Up to 80% of spam targeted at internet users around the world is generated by a hard-core group of around 100 known persistent spam gangs whose names, aliases and operations are documented in Spamhaus’ Register Of Known Spam Operations (ROKSO) database.

This TOP 10 chart of ROKSO-listed spammers is based on Spamhaus' view of the highest-threat, least repentant, most persistent, and generally the worst of the career spammers currently causing the most damage on the internet:

A long-running pharmacy spam operation. They send tens of millions of spams per day using botnet techniques. Probably based in Eastern Europe, Ukraine/Russia. Hosts the spammed web sites on botnets and on bulletproof Chinese and Russian web hosting.

This operation uses dozens of “hosting” companies as fronts to lease IP addresses which are then used to send spam. Based in Chicago, Illinois and Tangier, Morocco.

Snowshoe spam organization that uses large numbers of inexpensive, automated VPS hosting IP addresses and domains in whatever TLD is currently cheapest to send high volumes of spam to extremely dirty, scraped lists. Operates under many business and individual names. Owner or manager of these companies seems to be Michael Boehm and Associates.

Florida affiliate spammers and bulletproof spam hosters

Web development, application development, and business training company that spams email appended lists, usually through ESPs that offer automated provisioning and services directed at small businesses.

Bulletproof spam host operating Cyber World Internet Services / e-Insites, and currently spamming using a variety of aliases such as Brand 4 Marketing, Ad Media Plus, Site Traffic Network, RCM Delivery, and eBox. The company is owned or managed by Alvin Slocombe.

Chinese organization sending spam in English, usually advertising Chinese companies, to harvested addresses throughout the world. It also sends spam in Chinese to acquire new customers.

  • RR Media – United States of America

A high volume spam operation based in or run from Huntington Beach, CA, USA. The operation uses a variety of different names.

Uses botnets or hires botnet spammers to send spam linking back to suspect investment, “quack-health-cures” and other sites that he owns or is an affiliate of. Botnet spamming and hosting sites on hacked servers is fully criminal in much of the world. Managed or owned by a Timo Richert.

High volume snowshoe spam operation based in Florida. The manager or owner of the company seems to be a Yair Shalev. (Former?) partner-in-spam of ROKSO spammer Darrin Wohl. Son-in-law of ROKSO-listed spammer Dan Abramovich. Sued for fraud by the US FTC in 2014.

Spam is a global problem yet some countries do little to deter spammers from operating within their borders. These countries tend to have either weak or non-existent anti-spam laws. They become safe havens for spam operations and undermine global efforts to stop spam; even to the detriment of their own nation, networks and citizens.

Some ISPs within these countries are reluctant or outright refuse to take action without such a basis in law, even though most ISPs use “Acceptable Use Policy” (AUP) agreements which are enforced on a contractual basis. It seems that only when the world at large recognizes the poor reputation of these countries is any form of action taken.

This chart shows the number of SBL listings per country including spam sources as well as hosting of spam services – websites, DNS, etc.

The World’s Worst Spam Support ISPs

Spam continues to plague the internet because a small number of Internet Service Providers knowingly sell service to professional spammers for profit, or do too little or nothing to prevent spammers operating from their networks.

The World’s Worst Botnet Countries

Countries in this chart have the highest number of detected spam-bots as listed in the Spamhaus XBL zone. Most bots can be used for spam, phishing, click-fraud, DDoS and other malicious activities.

Many issues may relate to a country’s bot density including technical, policy and socioeconomic factors.

Additional and more detailed statistics can be found at the Spamhaus CBL website:

CBL breakdown by Country
CBL breakdown by Country Traffic
CBL breakdown by Country Infections
CBL breakdown by Country Per Capita

The World’s Worst Botnet ISPs

ISPs in this chart have the highest number of detected spam-bots as listed in the Spamhaus XBL zone. Most bots can be used for spam, phishing, click-fraud, DDoS and other malicious activities.

Many issues may relate to an ISP's bot density including technical, policy and socioeconomic factors.

Additional and more detailed statistics can be found at the Spamhaus CBL website:

CBL breakdown by Domain
CBL breakdown by Domain Traffic
CBL breakdown by Domain Infections

The World’s Worst Botnet ASNs

Autonomous System Numbers (ASNs) in this chart have the highest number of detected spam-bots as listed in the Spamhaus XBL zone, grouped by ASN. An ASN identifies a network (an autonomous system) that announces its own routes on the internet. Most bots can be used for spam, phishing, click-fraud, DDoS and other malicious activities.

Many issues may relate to an autonomous system's bot density including technical, policy and socioeconomic factors.

Additional and more detailed statistics can be found at the Spamhaus CBL website:

CBL breakdown by ASN
CBL breakdown by ASN Traffic
CBL breakdown by ASN Infections

The World’s Most Abused TLDs

Top Level Domain (TLD) registries which allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet. Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains.

A TLD may be “bad” in two ways. On one side, the ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. However, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.

The other side is that some large TLDs may have a large number of bad domains as a result of the sheer size of their domain corpus. Even if their corrective measures are effective, they still constitute a problem on the global scale, and they could assign further resources to improve their anti-abuse processes and bring down the overall number of bad domains.

In defining a “badness” index, we decided to weigh both these factors. With a certain amount of arbitrariness—and at the same time a desire to avoid excessive complications—we defined badness as:

 

 

 

where

  • Db is the number of bad domains detected
  • Dt is the number of active domains observed

You can think of this number as the bad domains fraction weighted with the TLD’s size, or as the order of magnitude of the problem weighted with the effectiveness of anti-abuse policies. Presented this way, this data more closely matches the perceptions Spamhaus staff form in dealing with this issue on a daily production basis. We hope that this definition helps to spotlight, in a fair way, registries that in one way or another can be considered problematic.

These data represent domains seen by Spamhaus systems, and not a TLD’s total domain corpus. Domains in this data are in active use, showing up in mail feeds and related DNS traffic within the last 30 days. Other domains may be parked or used for traffic outside of our systems’ focus, and those domains are not included in this summary.

The registries listed on this page provide spammers and other miscreants with a service they need in order to survive. Many, even most, TLDs succeed, by and large, in keeping abusers off their systems and work to maintain a positive reputation. That success shows that these ten worst could, if they tried, “keep clean” by turning spammers and other abusers away.

The World’s Most Abused Domain Registrars

Among the reasons spam, malware and other threats continue to plague the internet is that abusers find it easy to obtain an endless supply of domain names. Some gTLD and ccTLD resellers (called registrars) sell large volumes of domains to professional spammers and other miscreants for profit. Some registrars have been directly owned and operated by abusers, while others simply do not do enough to stop or limit bad guys’ access to an unlimited supply of domains. Abusers destroy the reputation of those domains (and along with them, possibly the reputation of registrars and registries) and just move on to new ones in a vicious cycle.

A registrar may be “bad” in two ways. On one side, the ratio of bad to good domains may be higher than average, indicating that the registrar could do a better job of enforcing policies and shunning abusers. However, some registrars with a high fraction of bad domains may be quite small businesses, and their total number of bad domains could be relatively limited with respect to other registrars. Their total “badness” to the Internet is limited by their small total size.

The other side is that some large registrars may have a large number of bad domains as a result of the sheer size of their domain corpus. Even if their corrective measures are effective, they still constitute a problem on the global scale, and they could assign further resources to improve their anti-abuse processes and bring down the overall number of bad domains.

In defining a “badness” index, we decided to weigh both these factors. With a certain amount of arbitrariness—and at the same time a desire to avoid excessive complications—we defined badness as:

 

 

 

where

  • Db is the number of bad domains detected
  • Dt is the number of active domains observed

You can think of this number as the bad domains fraction weighted with the registrar’s size, or as the order of magnitude of the problem weighted with the effectiveness of anti-abuse policies. Presented this way, this data more closely matches the perceptions Spamhaus staff form in dealing with this issue on a daily production basis. We hope that this definition helps to spotlight, in a fair way, registrars that in one way or another can be considered problematic.

These data represent domains seen by Spamhaus systems, and not a registrar’s total domain corpus. Domains in this data are in active use, showing up in mail feeds and related DNS traffic within the last 30 days. Other domains may be parked or used for traffic outside of our systems’ focus, and those domains are not included in this summary.
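The badness index described for TLDs above and for registrars here survives in this copy only as a verbal description (the formula itself did not survive), with Db the number of bad domains detected and Dt the number of active domains observed. The following is an added example, not Spamhaus' code: it assumes badness = (Db/Dt) · log10(Db) as one operationalization that fits the description (the bad-domain fraction weighted by the order of magnitude of the bad-domain count), and shows on constructed figures how such a weighted index ranks a small but dirty zone, a large mostly clean one and a large dirty one differently from either the raw ratio or the raw count. The zone names and numbers are invented for illustration.

```python
import math
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ZoneStats:
    """Counts for one TLD or one registrar, in the sense of the text above."""
    name: str
    bad_domains: int       # Db: bad domains detected
    active_domains: int    # Dt: active domains observed (in use in the last 30 days)


def badness(db: int, dt: int) -> float:
    """Assumed badness index: (Db / Dt) * log10(Db).

    The ratio term reflects how effective the anti-abuse policy is; the
    logarithm scales with the order of magnitude of the problem. A zone
    with no bad domains scores 0. This operationalization is an assumption
    made for this example, not Spamhaus' published formula.
    """
    if dt <= 0:
        raise ValueError("Dt (active domains observed) must be positive")
    if db < 0 or db > dt:
        raise ValueError("Db must lie between 0 and Dt")
    if db == 0:
        return 0.0
    return (db / dt) * math.log10(db)


def ranking(zones: Iterable[ZoneStats],
            key: Callable[[ZoneStats], float]) -> List[str]:
    """Zone names ordered from worst to best under the given scoring function."""
    return [z.name for z in sorted(zones, key=key, reverse=True)]


# Constructed sample data (not real Spamhaus figures): the three situations
# the text distinguishes, plus one in-between zone.
SAMPLE_ZONES = [
    ZoneStats("small-dirty", 900, 1_000),            # high ratio, tiny absolute size
    ZoneStats("big-clean", 50_000, 100_000_000),     # many bad domains, tiny ratio
    ZoneStats("big-dirty", 2_000_000, 20_000_000),   # many bad domains and a high ratio
    ZoneStats("mid", 36_000, 300_000),               # moderate on both axes
]


def rank_by_ratio(zones: Iterable[ZoneStats] = SAMPLE_ZONES) -> List[str]:
    """Ranking by bad-domain fraction alone: favours small zones."""
    return ranking(zones, lambda z: z.bad_domains / z.active_domains)


def rank_by_count(zones: Iterable[ZoneStats] = SAMPLE_ZONES) -> List[str]:
    """Ranking by absolute bad-domain count alone: favours large zones."""
    return ranking(zones, lambda z: z.bad_domains)


def rank_by_badness(zones: Iterable[ZoneStats] = SAMPLE_ZONES) -> List[str]:
    """Ranking by the weighted index, which combines both views."""
    return ranking(zones, lambda z: badness(z.bad_domains, z.active_domains))


if __name__ == "__main__":
    print(f"{'zone':<12}{'Db':>10}{'Dt':>14}{'Db/Dt':>10}{'badness':>10}")
    for z in SAMPLE_ZONES:
        print(f"{z.name:<12}{z.bad_domains:>10}{z.active_domains:>14}"
              f"{z.bad_domains / z.active_domains:>10.4f}"
              f"{badness(z.bad_domains, z.active_domains):>10.4f}")
    print("by ratio:  ", rank_by_ratio())
    print("by count:  ", rank_by_count())
    print("by badness:", rank_by_badness())
```

On the sample data the ratio alone puts the tiny dirty zone first and the large dirty zone third, the count alone puts the large mostly clean zone second, while the weighted index keeps the tiny dirty zone on top but lifts the large dirty zone above the moderate one and pushes the large clean zone to the bottom, which is the balance the text asks for.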

The registrars listed on this page provide spammers and other miscreants with a service they need in order to survive. Many, even most, registrars succeed, by and large, in keeping abusers off their systems and work to maintain a positive reputation. That success shows that these ten worst could, if they tried, “keep clean” by turning spammers and other abusers away.

The Register of Known Spam Operations database is a repository of information and evidence on known persistent spam operations, assembled to assist service providers with customer vetting and the infosec industry with actor attribution.

ROKSO


100 Known Spam Operations responsible for 80% of your spam.

80% of spam received by Internet users in North America and Europe can be traced via aliases, addresses, redirects, locations of servers, domains and DNS setups, to around 100 known spam operations listed in the ROKSO database.

For Law Enforcement Agencies Spamhaus provides a secure ROKSO LEA portal which gives access to classified records.

Please note:

All the text on this page has been copied from the original sites mentioned. It is our goal to raise awareness of the fact that there are sincere solutions to spam. Also I want to express my gratitude to all people involved in these projects.