Why do the
rankings from PSBL data
not look much like the
October 2012 rankings from CBL data in
?
Apparently because PSBL does not use the heuristic that CBL uses
that catches
the few IP addresses
that are spewing hundreds of thousands or millions
of spam messages a day.
Is this lack of correspondence between the CBL and PSBL rankings a problem?
What would be the point of having multiple rankings if they always
showed the same results?
But these are very different results:
none of the CBL top 10 show up in the PSBL top 10!
How can both the PSBL and CBL rankings be correct?
- First, "correct" for such rankings does not mean completely accurate and it does not mean completely precise: no blocklist will ever detect every spam message emitted by every IP address. Suppose even mighty NSA (No Such Agency) were to copy every bit that passed over every major ISP in the U.S. Even that would miss some bits emitted by for example an ISP in Vietnam that spammed an ISP in India. And what heuristics would mighty NSA use to detect all the spam from all those bits? Would those heuristics happen to include the same one CBL is using to detect the Kelihos rampage? Would they include some further heuristic of which CBL has not yet thought that would detect some other rampage? Quite possibly yes and yes. Any rankings of anything on the Internet are always approximate records of hints and whispers of a constantly-shifting reality that can never be completely pinned down.
- Second, correct for rankings means comparable among the ASNs ranked, so that they can be ranked. In that sense, yes, both the PSBL and CBL rankings are correct: they merely show different aspects of the spam symptom of defective infosec for the ranked ASNs.
- Third, any systematically ranked symptom of poor infosec is important. Does any organization want any of its hosts to be spewing hundreds of thousands of spam messages a day, as in those ASNs in the CBL top 10? Does any organization want any of its hosts to be spewing enough spam in aggregate to turn up in the PSBL top 10? Probably not.
Internally we also keep rankings by address or host count, in addition to the public rankings by message count (spam volume). The CBL host count rankings for October show the same top 4 as for September:
-
AS 9829 BSNL-NIB
India
-
AS 9121 TTNET (Turkey)
Turkey
-
AS 7643 VNPT-AS-VN
Vietnam
-
AS 4134 CHINANET-BACKBONE
China
That's the same CHINANET-BACKBONE that appears at the top of the October 2012 PSBL volume rankings. Plus the internal PSBL host rankings show the same #1 (BSNL-NIB) and #4 (CHINANET-BACKBONE) as the internal CBL host rankings. So CBL and PSBL do actually corroborate each other, but PSBL is more sensitive to volume from CHINANET-BACKBONE and CBL is more sensitive to the Kelihos rampage.
-jsq
Comments