Botnet Statistics [2010-11-16]

To reduce the number of mail I have to send, I usually collect information about zombie computers within China in a single notification to CNCERT, National Computer network Emergency Response technical Team/Coordination Center of China.  And China has done a good job on botnet reduction for the past year, which leads to its absence from various reports on spam and botnets, like the "dirty dozen" by Sophos, the top 12 countries of spam source by M86 security, and the top 10 countries sending spam by ICSA Labs.  While China is still the all time number one for the Top Spam Server Countries of Project Honey Pot, it is now at number 17 of the last 30 days.

Since November 1 this year, I started to get failure notice for my notification to CNCERT, which seems to be caused by alias expansion to a mailbox exceeding its quota.   In the mean time, China started to move back up to number 14 on the Top Spam Server Countries of the last 7 days.  I might need to find another way soon to contact them before China returns to top 10 again.

detection period: 2010-11-16 00:00-23:59 UTC
total number of suspected botnet IPs: 3376
number of botnet IPs notified to network operators: 2993
number of blocked spams: 363063
recipient count of blocked spams: 12123150

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank	Network	# of suspected botnet IPs
1	HINET-NET	1351
2	BSNLNET	405
3	AR-TEAR7-LACNIC	63
4	RCOM	59
5	CAT-BB-NET	43
6	TATACOMM-IN	40
7	002.558.134/0001-58	37
8	TRUENET	33
9	TRUEBB-NET	33
10	HATHWAY-NET	32

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

Rank	Country	# of suspected botnet IPs
1	Taiwan	1361
2	India	590
3	China	295
4	Brazil	240
5	Russian Federation	146
6	Thailand	142
7	Argentina	118
8	Ukraine	53
9	United States	34
10	South Korea	34