Are Universities Hosting Spam Zombies?

    It is often claimed that universities around the world harbor zombie machines in droves, the same compromised hosts that are responsible for sending out massive volumes of spam. In this article, we try to gauge whether the university spam-zombie problem is really as big a deal as it is made out to be.

    Most universities spend large sums of money on IDS, IPS and spam-filter products and their licenses. In theory, that investment should let them cut down on the number of zombie machines on their networks by analyzing their traffic for the telltale signs of malicious communication.

    Experiment Goal

    To understand if universities are harboring zombie machines, which can be used for spam campaigns.

    Methodology

    We collected a list of 2070 universities. Each university's web site hostname was resolved via DNS to the IP address hosting it. That IP address was cross-referenced with Route Views prefix-to-AS data (as published by CAIDA) to identify the AS originating it. The AS number was then used to collect the IP prefixes that AS had advertised in BGP updates. Once those CIDR ranges were found, every IP in them was checked against Spamhaus's zombie blacklist. The experiment was conducted between March 12th and March 16th, 2010.
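    To make the pipeline concrete, here is an added example (not code from the original article) of the same four steps in Python: a longest-prefix-match lookup of each web server's IP in a prefix-to-AS table, collection of every prefix originated by that AS, and a containment check of a zombie blacklist against those prefixes. The prefix table, the university-to-IP mapping (which stands in for the DNS step) and the blacklist are all constructed sample data in documentation address ranges; the AS numbers are private-use ASNs, not real ones.

```python
import ipaddress

# Constructed sample of a prefix-to-AS table in the CAIDA pfx2as layout
# (prefix, prefix length, origin AS). Illustrative values, not real data.
PFX2AS = """\
198.51.0.0\t16\t64500
198.51.100.0\t24\t64501
203.0.113.0\t24\t64502
192.0.2.0\t24\t64501
"""

# Constructed university -> web-server IP mapping (replaces the DNS step).
UNIVERSITIES = {
    "www.example-u.edu": "198.51.100.17",
    "www.other-college.edu": "203.0.113.9",
    "www.third.edu": "198.51.7.200",
}

# Constructed zombie blacklist: single addresses, as a DNSBL dump would list them.
ZOMBIE_BLACKLIST = {"198.51.100.200", "192.0.2.33", "198.18.0.5"}


def load_pfx2as(text):
    """Parse pfx2as-style lines into a list of (network, asn) tuples."""
    table = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, length, asn = line.split("\t")
        table.append((ipaddress.ip_network(f"{prefix}/{length}"), int(asn)))
    return table


def origin_as(ip, table):
    """Longest-prefix match: the most specific covering prefix wins, as in BGP."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def prefixes_for_as(asn, table):
    """Every prefix the table attributes to this origin AS."""
    return [net for net, a in table if a == asn]


def zombies_in_prefixes(prefixes, blacklist):
    """Blacklisted addresses that fall inside the AS's advertised space.

    Iterating the blacklist and testing containment avoids enumerating
    every host of a large prefix (a /8 alone is 16M addresses).
    """
    hits = set()
    for entry in blacklist:
        addr = ipaddress.ip_address(entry)
        if any(addr in net for net in prefixes):
            hits.add(entry)
    return hits


def survey(universities, table, blacklist):
    """Per-university result: origin AS, addresses probed, zombie hits."""
    results = {}
    for host, ip in universities.items():
        asn = origin_as(ip, table)
        nets = prefixes_for_as(asn, table)
        results[host] = {
            "ip": ip,
            "asn": asn,
            "probed": sum(net.num_addresses for net in nets),
            "zombies": sorted(zombies_in_prefixes(nets, blacklist)),
        }
    return results


if __name__ == "__main__":
    table = load_pfx2as(PFX2AS)
    for host, r in survey(UNIVERSITIES, table, ZOMBIE_BLACKLIST).items():
        print(host, r)
```

    Note what the sample shows for www.third.edu: its server sits in the covering 198.51.0.0/16 originated by AS64500, so the blacklisted 198.51.100.200 is counted against it even though that address lives in a more specific /24 originated by a different AS. Attribution at AS granularity charges a university with every hit anywhere in its provider's advertised space, which is worth remembering when reading the AS174 result.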

    Our Observations

    • Number of unique universities: 2070
    • Number of Unique ASes observed: 829
    • Total number of IPs probed: 434,083
    • Size of zombie blacklist: 2,130,944 IPs

    Highlights

    We present some interesting observations on the data analyzed.

    • Only AS174, Cogent Communications, Inc., was found to contain zombies (see list below).
    • Only 0.67% of educational institutions are associated with spam-zombie IP addresses.
    • Only 0.12% of ASes (1 of 829) seem to contain spam-zombie IP addresses.

    (Figure: frequency distribution of the number of IPs tested per university.)

    Conclusion

    It seems that universities are unfairly maligned by reports of zombies in their networks. This preliminary set of experiments did not find spam-zombie machines in large numbers on university subnets, so universities appear to be doing a pretty good job of combating spam zombies and keeping the Internet safe. One caveat: the check operates at AS granularity, so the AS174 hits are attributed to the address space Cogent advertises as a whole rather than to the listed universities' own subnets, and a hit there may well belong to some other Cogent customer.

    Till next time.

    The following educational institutions had their web sites hosted in AS174:

    69.87.162.66     http://www.morehouse.edu/
    164.68.1.24      http://www.lakeforest.edu/
    38.105.70.154    http://www.mica.edu/
    216.177.122.173  http://www.bmc.edu/
    131.125.1.105    http://www.kean.edu/
    38.115.20.155    http://www.medaille.edu/
    38.107.150.150   http://www.stvincent.edu/
    198.17.40.106    http://www.ursinus.edu/
    38.98.251.141    http://www.vfcc.edu/
    192.188.131.10   http://www.wju.edu/
    38.109.194.106   http://www.rmcad.edu/
    216.228.143.82   http://www.desu.edu/
    38.105.74.129    http://www.udc.edu/
    216.177.122.152  http://www.tcmi.org/
    192.133.83.145   http://www.holycross.edu/
    198.100.0.33     http://www.marymount.edu/