It has been said that universities all around the world are harboring zombie machines in droves. These are the same zombie machines responsible for sending out massive amounts of spam. In this article, we attempt to understand if the university zombie-spam problem really is as big a deal as it is made out to be.
Most universities spend large sums of money buying IDS, IPS and Spam Filter technology and their various licenses. This should, at least in theory, allow universities to cut down on the number of such zombie machines by identifying tell tale signs of malicious communication and by analyzing their network traffic.
To understand if universities are harboring zombie machines, which can be used for spam campaigns.
We have collected a list of 2070 universities. Each university’s DNS was queried to determine the IP address being used to host each website. This IP address was cross-referenced with data from Route Views to identify the AS number hosting that IP (using data from CAIDA). The AS number was then used to mine IP ranges advertised as BGP updates. Once the CIDR IP ranges were been found, the IPs in the CIDR range were checked with Spamhaus’s Zombie Blacklist. The experiment was conducted between March 12th and March 16th, 2010.
We present some interesting observations on the data analyzed.
It seems that Universities are unfairly maligned by reports of zombies in their networks. Based on the findings of this preliminary set of experiments, having not found spam-zombie machines in large numbers in residence on university sub-nets, it seems that universities are doing a pretty good job of combating spam-zombies and keeping the Internet safe.
Till next time.
The following educational institutes were associated with AS174:
188.8.131.52 http://www.morehouse.edu/ 184.108.40.206 http://www.lakeforest.edu/ 220.127.116.11 http://www.mica.edu/ 18.104.22.168 http://www.bmc.edu/ 22.214.171.124 http://www.kean.edu/ 126.96.36.199 http://www.medaille.edu/ 188.8.131.52 http://www.stvincent.edu/ 184.108.40.206 http://www.ursinus.edu/ 220.127.116.11 http://www.vfcc.edu/ 18.104.22.168 http://www.wju.edu/ 22.214.171.124 http://www.rmcad.edu/ 126.96.36.199 http://www.desu.edu/ 188.8.131.52 http://www.udc.edu/ 184.108.40.206 http://www.tcmi.org/ 220.127.116.11 http://www.holycross.edu/ 18.104.22.168 http://www.marymount.edu/