ASN – Identifying Networks for the Anti-Spammer

10Jul09

ASN stands for Autonomous System Number. AS or ASN followed by a number is used by the people who manage networks on the Internet to identify an autonomous system. One well-known example is AT&T, whose ASN is AS7018. Network engineers are naturally concerned with ASNs, but netizens who report cybercrime should pay attention to them as well, because an ASN lets you identify persistent rogue networks and networks that appear to emit large amounts of spam. Mail administrators, and sysadmins who manage webservers, also need to identify ASNs. The organizations that assign blocks of IPs are the Regional Internet Registries (RIRs), including ARIN, RIPE, APNIC, and others. The higher the number after the AS, the more recently the organization was assigned it. Most of the time, when one reports internet abuse, it goes to an abuse@ email address for the network, as specified in the technical contact field on file at the RIR.

When you go online, you are assigned an IP address by your provider. Unless you are using a proxy, that IP address identifies you wherever you visit online. If you are detected to be up to no good, your IP may be blocked. If your provider has a lot of abuse activity, a whole range of its IPs may be blocked by other providers. If you use the iGoogle portal page with your GMail account, you can add a Gadget (IP Address lookup) that shows your IP address.

One can research the network behind an IP address by using WHOIS at ARIN or another online DNS tool, such as Geek Tools or Domainwhitepages. In nearly all cases, the IP's network can be identified. Some networks that are not properly assigned are called zombied by Spamhaus, and zombies have their own ROKSO listing. This means the IPs have been hijacked by spammers or other cybercriminals who use them to abuse the Internet with spam, malware, and other types of fraudulent activity.

InBoxRevenge tweets select Spamhaus blocklistings, usually consisting of a /28 or larger block of IPs. While the majority of the SBLs on Spamhaus are /32, which means only one IP is blocked, a few of those in the Latest 25 SBLs are larger blocklistings. See the Subnetnetwork article on the Wiki for more information about how many IPs are represented by the number after the slash (/) in either a blocklist or a BGP Prefix.

A sample posted by InBoxRevenge on Twitter recently:

AS4837 / 218.10.16.0/24 cncgroup-hl cnc-noc.net CHINA / dirty block #spammers / Spamhaus SBL http://bit.ly/AeyPK #spamblock #blocklisting 5:49 PM Jul 6th from web

This ASN, AS4837, is known to host a lot of bulletproof hosting. The IP range that is blocked is 256 hosts (218.10.16.0/24).

At the time of this post, 7/9/09, the Spamhaus entry was still active:

Ref: SBL76839

218.10.16.0/24 is listed on the Spamhaus Block List (SBL)

06-Jul-2009 20:07 GMT | SR22

Dirty block

218.10.16.239/32
Live cncgroup-hl SR15
2009-06-20 17:29:41
SBL75584 Spam and Malware Hosting/DNS

218.10.16.49/32
Live cncgroup-hl SR20
2009-06-30 13:59:02
SBL75019 Counterfeit luxury goods site, casino spam nameserver

218.10.16.236/32
Live cncgroup-hl SR22
2009-07-06 19:52:21
SBL71493 Spam webhosting

218.10.16.155/32
Removed cncgroup-hl SR08
2008-03-18 16:29:49
SBL62785 ukrw0men.info (russian bride spam site)

This research tells us of ongoing network abuse from AS4837, which is called CHINA169-BACKBONE CNCGROUP. This network is considered rogue based on the volume of abusive activity reported on SANS and elsewhere.
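To make the prefix arithmetic and the listing above concrete, here is an added Python example (written for this page, not code from the original post or from Spamhaus). It parses records shaped like the four-line SBL entries quoted above, computes how many addresses a CIDR prefix covers (/24 = 256, /28 = 16, /32 = 1), and reports which still-Live /32 listings fall inside the aggregate /24 "dirty block". The sample records are constructed from the entries quoted above.

```python
import ipaddress

# Constructed sample modelled on the Spamhaus SBL entries quoted in the post:
# each record is prefix / status netname SR / timestamp / SBL id and reason.
SBL_LISTING = """\
218.10.16.239/32
Live cncgroup-hl SR15
2009-06-20 17:29:41
SBL75584 Spam and Malware Hosting/DNS

218.10.16.49/32
Live cncgroup-hl SR20
2009-06-30 13:59:02
SBL75019 Counterfeit luxury goods site, casino spam nameserver

218.10.16.155/32
Removed cncgroup-hl SR08
2008-03-18 16:29:49
SBL62785 ukrw0men.info (russian bride spam site)
"""


def host_count(prefix):
    """Number of addresses covered by a CIDR prefix (/24 -> 256, /28 -> 16, /32 -> 1)."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def parse_sbl(text):
    """Parse blank-line separated four-line SBL records into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        status, netname, _sr = lines[1].split()
        sbl_id, _, reason = lines[3].partition(" ")
        records.append({"prefix": lines[0], "status": status, "netname": netname,
                        "sbl": sbl_id, "reason": reason})
    return records


def active_in_block(records, block):
    """Return the Live listings whose prefix lies inside the aggregate block."""
    net = ipaddress.ip_network(block)
    return [r for r in records
            if r["status"] == "Live" and ipaddress.ip_network(r["prefix"]).subnet_of(net)]


if __name__ == "__main__":
    for r in active_in_block(parse_sbl(SBL_LISTING), "218.10.16.0/24"):
        print(r["prefix"], r["sbl"], r["reason"])
```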

As of 7/14/09, this blocklist is still in place on Spamhaus (SBL76839).

There were a few ASNs that were difficult to research because their information at the RIR is out of date. I will post more examples of those later in an update.
