
Wednesday, October 31, 2018

Botnet Statistics [2018-10-30]

detection period: 2018-10-30 00:00-23:59 UTC
total number of suspected botnet IPs: 1733
number of botnet IPs notified to network operators: 1553
number of spam blocked: 5044
recipient count of spam blocked: 151175

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | DIGITALOCEAN-8 | 50
2 | CHINANET-JS | 30
3 | WHG-NETWORKS | 28
4 | LogicWeb-Inc | 27
5 | VNPT-VNNIC-VN | 26
6 | UNKNOWN | 25
7 | HINET-NET | 25
8 | CMNET | 25
9 | TencentCloud | 23
10 | 002.558.157/0001-62 | 20

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

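Rank | Country | # of suspected botnet IPs
1 | China | 360
2 | United States | 225
3 | Russian Federation | 129
4 | Brazil | 78
5 | India | 72
6 | Viet Nam | 67
7 | United Kingdom | 59
8 | France | 52
9 | Indonesia | 48
10 | Taiwan | 38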

Suspected Bot List [2018-10-30]

detection period: 2018-10-30 00:00-23:59 UTC
number of suspected bots' IPs listed here: 180

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Tuesday, October 30, 2018

Botnet Statistics [2018-10-29]

detection period: 2018-10-29 00:00-23:59 UTC
total number of suspected botnet IPs: 1382
number of botnet IPs notified to network operators: 1260
number of spam blocked: 5375
recipient count of spam blocked: 161237

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | DIGITALOCEAN-8 | 40
2 | VNPT-VNNIC-VN | 33
3 | CHINANET-JS | 26
4 | CHINANET-GD | 22
5 | HINET-NET | 19
6 | CMNET | 18
7 | WHG-NETWORKS | 17
8 | TencentCloud | 17
9 | PANHOST | 14
10 | UNICOM-SD | 13

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

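Rank | Country | # of suspected botnet IPs
1 | China | 287
2 | United States | 202
3 | Russian Federation | 94
4 | Viet Nam | 73
5 | Brazil | 55
6 | India | 52
7 | France | 45
8 | United Kingdom | 37
9 | Indonesia | 33
10 | Taiwan | 30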

Suspected Bot List [2018-10-29]

detection period: 2018-10-29 00:00-23:59 UTC
number of suspected bots' IPs listed here: 122

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Monday, October 29, 2018

Botnet Statistics [2018-10-28]

detection period: 2018-10-28 00:00-23:59 UTC
total number of suspected botnet IPs: 1287
number of botnet IPs notified to network operators: 1164
number of spam blocked: 3940
recipient count of spam blocked: 118200

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | DIGITALOCEAN-8 | 37
2 | CHINANET-GD | 26
3 | CHINANET-JS | 24
4 | VNPT-VNNIC-VN | 21
5 | HINET-NET | 18
6 | LogicWeb-Inc | 16
7 | CMNET | 15
8 | WHG-NETWORKS | 14
9 | NETVIGATOR | 14
10 | KORNET-KR | 12

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

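Rank | Country | # of suspected botnet IPs
1 | China | 251
2 | United States | 219
3 | Russian Federation | 115
4 | Brazil | 44
5 | Viet Nam | 38
6 | India | 34
7 | Hong Kong | 32
8 | Italy | 31
9 | France | 31
10 | Netherlands | 29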

Suspected Bot List [2018-10-28]

detection period: 2018-10-28 00:00-23:59 UTC
number of suspected bots' IPs listed here: 123

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Sunday, October 28, 2018

Botnet Statistics [2018-10-27]

detection period: 2018-10-27 00:00-23:59 UTC
total number of suspected botnet IPs: 1461
number of botnet IPs notified to network operators: 1344
number of spam blocked: 5276
recipient count of spam blocked: 157095

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | DIGITALOCEAN-8 | 37
2 | HINET-NET | 30
3 | CHINANET-JS | 30
4 | CHINANET-GD | 30
5 | TencentCloud | 24
6 | VNPT-VNNIC-VN | 20
7 | 002.558.157/0001-62 | 20
8 | KORNET-KR | 18
9 | VE-CSVE-LACNIC | 17
10 | CMNET | 17

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

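Rank | Country | # of suspected botnet IPs
1 | China | 313
2 | United States | 229
3 | Russian Federation | 90
4 | Viet Nam | 64
5 | Brazil | 64
6 | Taiwan | 47
7 | India | 42
8 | Indonesia | 37
9 | South Korea | 34
10 | Hong Kong | 34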

Suspected Bot List [2018-10-27]

detection period: 2018-10-27 00:00-23:59 UTC
number of suspected bots' IPs listed here: 117

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Saturday, October 27, 2018

Botnet Statistics [2018-10-26]

detection period: 2018-10-26 00:00-23:59 UTC
total number of suspected botnet IPs: 1645
number of botnet IPs notified to network operators: 1508
number of spam blocked: 3429
recipient count of spam blocked: 102870

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | VNPT-VNNIC-VN | 37
2 | CHINANET-GD | 35
3 | HINET-NET | 27
4 | KORNET-KR | 25
5 | TencentCloud | 24
6 | UNKNOWN | 23
7 | CHINANET-JS | 21
8 | CMNET | 20
9 | NETVIGATOR | 17
10 | CHINANET-SC | 17

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

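Rank | Country | # of suspected botnet IPs
1 | China | 344
2 | United States | 234
3 | Russian Federation | 114
4 | Viet Nam | 70
5 | Brazil | 60
6 | India | 57
7 | France | 53
8 | Hong Kong | 50
9 | South Korea | 46
10 | Indonesia | 44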

Suspected Bot List [2018-10-26]

detection period: 2018-10-26 00:00-23:59 UTC
number of suspected bots' IPs listed here: 137

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Friday, October 26, 2018

Botnet Statistics [2018-10-25]

detection period: 2018-10-25 00:00-23:59 UTC
total number of suspected botnet IPs: 1679
number of botnet IPs notified to network operators: 1536
number of spam blocked: 5870
recipient count of spam blocked: 176100

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | VNPT-VNNIC-VN | 38
2 | HINET-NET | 32
3 | TencentCloud | 30
4 | KORNET-KR | 30
5 | CMNET | 23
6 | UNKNOWN | 22
7 | CHINANET-GD | 22
8 | CHINANET-JS | 20
9 | TELKOMNET | 19
10 | NETVIGATOR | 17

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

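Rank | Country | # of suspected botnet IPs
1 | China | 348
2 | United States | 216
3 | Russian Federation | 119
4 | Viet Nam | 75
5 | Brazil | 63
6 | India | 62
7 | South Korea | 56
8 | Taiwan | 54
9 | Indonesia | 43
10 | France | 42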

Suspected Bot List [2018-10-25]

detection period: 2018-10-25 00:00-23:59 UTC
number of suspected bots' IPs listed here: 143

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Thursday, October 25, 2018

Botnet Statistics [2018-10-24]

detection period: 2018-10-24 00:00-23:59 UTC
total number of suspected botnet IPs: 1865
number of botnet IPs notified to network operators: 1717
number of spam blocked: 5226
recipient count of spam blocked: 156780

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | VNPT-VNNIC-VN | 40
2 | ALISOFT | 40
3 | TencentCloud | 36
4 | KORNET-KR | 35
5 | CHINANET-JS | 31
6 | CHINANET-GD | 30
7 | TELKOMNET | 24
8 | HINET-NET | 24
9 | UNKNOWN | 23
10 | CMNET | 22

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

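Rank | Country | # of suspected botnet IPs
1 | China | 435
2 | United States | 251
3 | Russian Federation | 110
4 | Viet Nam | 89
5 | Indonesia | 58
6 | South Korea | 57
7 | India | 54
8 | Brazil | 54
9 | Hong Kong | 49
10 | France | 44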

Suspected Bot List [2018-10-24]

detection period: 2018-10-24 00:00-23:59 UTC
number of suspected bots' IPs listed here: 149

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Wednesday, October 24, 2018

Botnet Statistics [2018-10-23]

detection period: 2018-10-23 00:00-23:59 UTC
total number of suspected botnet IPs: 2015
number of botnet IPs notified to network operators: 1867
number of spam blocked: 6244
recipient count of spam blocked: 187237

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 154
2 | TencentCloud | 37
3 | CHINANET-JS | 33
4 | VNPT-VNNIC-VN | 32
5 | CHINANET-GD | 30
6 | CMNET | 29
7 | HINET-NET | 25
8 | TELKOMNET | 22
9 | UNKNOWN | 21
10 | NETVIGATOR | 20

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

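Rank | Country | # of suspected botnet IPs
1 | China | 610
2 | United States | 272
3 | Russian Federation | 121
4 | Indonesia | 66
5 | Viet Nam | 65
6 | Brazil | 60
7 | Hong Kong | 56
8 | France | 51
9 | South Korea | 41
10 | India | 40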

Suspected Bot List [2018-10-23]

detection period: 2018-10-23 00:00-23:59 UTC
number of suspected bots' IPs listed here: 148

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Tuesday, October 23, 2018

Botnet Statistics [2018-10-22]

detection period: 2018-10-22 00:00-23:59 UTC
total number of suspected botnet IPs: 2212
number of botnet IPs notified to network operators: 2055
number of spam blocked: 5159
recipient count of spam blocked: 154770

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 177
2 | TencentCloud | 47
3 | KORNET-KR | 32
4 | CMNET | 32
5 | CHINANET-GD | 32
6 | CHINANET-JS | 30
7 | VNPT-VNNIC-VN | 27
8 | HINET-NET | 26
9 | Baidu | 24
10 | CABLE-1 | 19

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

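Rank | Country | # of suspected botnet IPs
1 | China | 702
2 | United States | 331
3 | Russian Federation | 107
4 | Brazil | 68
5 | India | 67
6 | South Korea | 58
7 | Viet Nam | 56
8 | Hong Kong | 53
9 | France | 50
10 | Taiwan | 44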

Suspected Bot List [2018-10-22]

detection period: 2018-10-22 00:00-23:59 UTC
number of suspected bots' IPs listed here: 157

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Monday, October 22, 2018

Botnet Statistics [2018-10-21]

detection period: 2018-10-21 00:00-23:59 UTC
total number of suspected botnet IPs: 1870
number of botnet IPs notified to network operators: 1744
number of spam blocked: 5029
recipient count of spam blocked: 150870

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 98
2 | TencentCloud | 42
3 | CMNET | 39
4 | CHINANET-JS | 34
5 | CHINANET-GD | 32
6 | HINET-NET | 25
7 | KORNET-KR | 23
8 | Baidu | 22
9 | CHINANET-FJ | 19
10 | VNPT-VNNIC-VN | 18

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

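Rank | Country | # of suspected botnet IPs
1 | China | 593
2 | United States | 203
3 | Russian Federation | 88
4 | Brazil | 77
5 | France | 57
6 | Netherlands | 46
7 | Indonesia | 46
8 | South Korea | 45
9 | India | 40
10 | Taiwan | 38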

Suspected Bot List [2018-10-21]

detection period: 2018-10-21 00:00-23:59 UTC
number of suspected bots' IPs listed here: 130

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Sunday, October 21, 2018

Botnet Statistics [2018-10-20]

detection period: 2018-10-20 00:00-23:59 UTC
total number of suspected botnet IPs: 2091
number of botnet IPs notified to network operators: 1928
number of spam blocked: 4211
recipient count of spam blocked: 126330

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 164
2 | TencentCloud | 49
3 | CHINANET-GD | 43
4 | CMNET | 40
5 | CHINANET-JS | 39
6 | HINET-NET | 36
7 | TELKOMNET | 22
8 | Baidu | 20
9 | WHG-NETWORKS | 19
10 | UNKNOWN | 19

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

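Rank | Country | # of suspected botnet IPs
1 | China | 689
2 | United States | 229
3 | Russian Federation | 97
4 | Brazil | 65
5 | Indonesia | 63
6 | France | 63
7 | India | 53
8 | Taiwan | 52
9 | Viet Nam | 48
10 | South Korea | 47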

Suspected Bot List [2018-10-20]

detection period: 2018-10-20 00:00-23:59 UTC
number of suspected bots' IPs listed here: 164

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country
CA | 184.71.255.134 | Canada

List from greylisting:

Saturday, October 20, 2018

Botnet Statistics [2018-10-19]

detection period: 2018-10-19 00:00-23:59 UTC
total number of suspected botnet IPs: 2260
number of botnet IPs notified to network operators: 2071
number of spam blocked: 4635
recipient count of spam blocked: 138963

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 177
2 | CMNET | 48
3 | TencentCloud | 47
4 | AT-88-Z | 36
5 | VNPT-VNNIC-VN | 34
6 | CHINANET-JS | 34
7 | CHINANET-GD | 34
8 | AMAZON-2011L | 32
9 | HINET-NET | 30
10 | Baidu | 30

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

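Rank | Country | # of suspected botnet IPs
1 | China | 749
2 | United States | 266
3 | Russian Federation | 117
4 | Brazil | 83
5 | Indonesia | 72
6 | Viet Nam | 71
7 | France | 67
8 | India | 66
9 | South Korea | 54
10 | Taiwan | 43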

Suspected Bot List [2018-10-19]

detection period: 2018-10-19 00:00-23:59 UTC
number of suspected bots' IPs listed here: 192

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country
CA | 184.71.255.134 | Canada

List from greylisting:

Friday, October 19, 2018

Botnet Statistics [2018-10-18]

detection period: 2018-10-18 00:00-23:59 UTC
total number of suspected botnet IPs: 1959
number of botnet IPs notified to network operators: 1827
number of spam blocked: 5285
recipient count of spam blocked: 158492

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 142
2 | TencentCloud | 45
3 | CMNET | 40
4 | HINET-NET | 38
5 | CHINANET-JS | 37
6 | CHINANET-GD | 34
7 | VNPT-VNNIC-VN | 27
8 | AT-88-Z | 24
9 | AMAZON-2011L | 20
10 | TELKOMNET | 18

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

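Rank | Country | # of suspected botnet IPs
1 | China | 648
2 | United States | 227
3 | Russian Federation | 119
4 | Indonesia | 75
5 | Brazil | 69
6 | Viet Nam | 68
7 | France | 55
8 | Taiwan | 53
9 | India | 53
10 | United Kingdom | 41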

Suspected Bot List [2018-10-18]

detection period: 2018-10-18 00:00-23:59 UTC
number of suspected bots' IPs listed here: 136

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country
CA | 184.71.255.134 | Canada

List from greylisting:

Thursday, October 18, 2018

Botnet Statistics [2018-10-17]

detection period: 2018-10-17 00:00-23:59 UTC
total number of suspected botnet IPs: 2211
number of botnet IPs notified to network operators: 2030
number of spam blocked: 4814
recipient count of spam blocked: 140882

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 193
2 | TencentCloud | 47
3 | CMNET | 44
4 | CHINANET-JS | 38
5 | Baidu | 35
6 | HINET-NET | 34
7 | CHINANET-GD | 30
8 | VNPT-VNNIC-VN | 25
9 | 002.558.157/0001-62 | 24
10 | TELKOMNET | 21

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

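Rank | Country | # of suspected botnet IPs
1 | China | 743
2 | United States | 234
3 | Russian Federation | 101
4 | Indonesia | 82
5 | Brazil | 78
6 | India | 62
7 | Viet Nam | 61
8 | France | 54
9 | Taiwan | 50
10 | United Kingdom | 50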

Suspected Bot List [2018-10-17]

detection period: 2018-10-17 00:00-23:59 UTC
number of suspected bots' IPs listed here: 186

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Wednesday, October 17, 2018

Botnet Statistics [2018-10-16]

detection period: 2018-10-16 00:00-23:59 UTC
total number of suspected botnet IPs: 2430
number of botnet IPs notified to network operators: 2115
number of spam blocked: 5897
recipient count of spam blocked: 176881

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 199
2 | UNKNOWN | 124
3 | TencentCloud | 45
4 | CHINANET-GD | 44
5 | VNPT-VNNIC-VN | 39
6 | CHINANET-JS | 37
7 | CMNET | 35
8 | KORNET-KR | 31
9 | HINET-NET | 30
10 | Baidu | 30

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

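Rank | Country | # of suspected botnet IPs
1 | China | 780
2 | United States | 238
3 | Russian Federation | 116
4 | Brazil | 99
5 | Indonesia | 93
6 | Viet Nam | 75
7 | France | 65
8 | South Korea | 63
9 | India | 58
10 | United Kingdom | 55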

Suspected Bot List [2018-10-16]

detection period: 2018-10-16 00:00-23:59 UTC
number of suspected bots' IPs listed here: 317

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Tuesday, October 16, 2018

Botnet Statistics [2018-10-15]

detection period: 2018-10-15 00:00-23:59 UTC
total number of suspected botnet IPs: 1660
number of botnet IPs notified to network operators: 1508
number of spam blocked: 11957
recipient count of spam blocked: 358710

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | CHINANET-GD | 42
2 | UNKNOWN | 37
3 | CHINANET-JS | 31
4 | TencentCloud | 29
5 | HINET-NET | 27
6 | VNPT-VNNIC-VN | 26
7 | 002.558.157/0001-62 | 26
8 | TELKOMNET | 25
9 | WHG-NETWORKS | 22
10 | KORNET-KR | 21

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

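Rank | Country | # of suspected botnet IPs
1 | China | 411
2 | United States | 186
3 | Russian Federation | 97
4 | Brazil | 80
5 | Indonesia | 79
6 | Viet Nam | 67
7 | India | 52
8 | United Kingdom | 43
9 | France | 42
10 | Taiwan | 41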

Suspected Bot List [2018-10-15]

detection period: 2018-10-15 00:00-23:59 UTC
number of suspected bots' IPs listed here: 152

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Monday, October 15, 2018

Botnet Statistics [2018-10-14]

detection period: 2018-10-14 00:00-23:59 UTC
total number of suspected botnet IPs: 1508
number of botnet IPs notified to network operators: 1365
number of spam blocked: 11957
recipient count of spam blocked: 358710

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | TencentCloud | 38
2 | UNKNOWN | 27
3 | CHINANET-JS | 27
4 | CHINANET-GD | 25
5 | HINET-NET | 24
6 | INTERNUX-NET | 19
7 | VNPT-VNNIC-VN | 18
8 | DIGITALOCEAN-8 | 18
9 | ALISOFT | 18
10 | WHG-NETWORKS | 16

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

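Rank | Country | # of suspected botnet IPs
1 | China | 366
2 | United States | 171
3 | Russian Federation | 88
4 | Brazil | 65
5 | Indonesia | 63
6 | Viet Nam | 47
7 | India | 46
8 | France | 40
9 | United Kingdom | 38
10 | Taiwan | 35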

Suspected Bot List [2018-10-14]

detection period: 2018-10-14 00:00-23:59 UTC
number of suspected bots' IPs listed here: 143

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Sunday, October 14, 2018

Botnet Statistics [2018-10-13]

detection period: 2018-10-13 00:00-23:59 UTC
total number of suspected botnet IPs: 1615
number of botnet IPs notified to network operators: 1463
number of spam blocked: 10955
recipient count of spam blocked: 328650

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 45
2 | UNKNOWN | 43
3 | TencentCloud | 31
4 | WHG-NETWORKS | 28
5 | HINET-NET | 28
6 | CHINANET-JS | 28
7 | INTERNUX-NET | 22
8 | CMNET | 22
9 | Baidu | 21
10 | TELKOMNET | 19

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

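Rank | Country | # of suspected botnet IPs
1 | China | 413
2 | United States | 172
3 | Russian Federation | 98
4 | Indonesia | 67
5 | Brazil | 64
6 | Viet Nam | 57
7 | India | 54
8 | United Kingdom | 50
9 | France | 45
10 | Taiwan | 36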

Suspected Bot List [2018-10-13]

detection period: 2018-10-13 00:00-23:59 UTC
number of suspected bots' IPs listed here: 152

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Saturday, October 13, 2018

Botnet Statistics [2018-10-12]

detection period: 2018-10-12 00:00-23:59 UTC
total number of suspected botnet IPs: 1905
number of botnet IPs notified to network operators: 1744
number of spam blocked: 5443
recipient count of spam blocked: 163290

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 69
2 | TencentCloud | 41
3 | DIGITALOCEAN-8 | 36
4 | HINET-NET | 34
5 | CHINANET-GD | 34
6 | UNKNOWN | 33
7 | CHINANET-JS | 33
8 | VNPT-VNNIC-VN | 30
9 | CMNET | 29
10 | Amsterdam_Residential_Television_and_Internet_Network | 27

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

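Rank | Country | # of suspected botnet IPs
1 | China | 501
2 | United States | 232
3 | Russian Federation | 103
4 | Brazil | 82
5 | Viet Nam | 75
6 | Indonesia | 75
7 | India | 58
8 | France | 50
9 | Netherlands | 47
10 | Taiwan | 45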

Suspected Bot List [2018-10-12]

detection period: 2018-10-12 00:00-23:59 UTC
number of suspected bots' IPs listed here: 162

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Friday, October 12, 2018

Botnet Statistics [2018-10-11]

detection period: 2018-10-11 00:00-23:59 UTC
total number of suspected botnet IPs: 2255
number of botnet IPs notified to network operators: 2072
number of spam blocked: 10460
recipient count of spam blocked: 172399

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 70
2 | CHINANET-GD | 49
3 | TencentCloud | 44
4 | CMNET | 39
5 | VNPT-VNNIC-VN | 37
6 | UNKNOWN | 35
7 | CHINANET-JS | 34
8 | DIGITALOCEAN-8 | 28
9 | Baidu | 27
10 | WHG-NETWORKS | 24

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

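Rank | Country | # of suspected botnet IPs
1 | China | 669
2 | United States | 258
3 | Russian Federation | 116
4 | Brazil | 109
5 | Viet Nam | 87
6 | Indonesia | 67
7 | France | 59
8 | India | 51
9 | United Kingdom | 51
10 | Taiwan | 48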

Suspected Bot List [2018-10-11]

detection period: 2018-10-11 00:00-23:59 UTC
number of suspected bots' IPs listed here: 188

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Thursday, October 11, 2018

Botnet Statistics [2018-10-10]

detection period: 2018-10-10 00:00-23:59 UTC
total number of suspected botnet IPs: 2330
number of botnet IPs notified to network operators: 2163
number of spam blocked: 5125
recipient count of spam blocked: 153750

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | ALISOFT | 81
2 | TencentCloud | 52
3 | CHINANET-GD | 45
4 | CMNET | 42
5 | DIGITALOCEAN-8 | 39
6 | Baidu | 35
7 | VNPT-VNNIC-VN | 32
8 | CHINANET-JS | 31
9 | HINET-NET | 29
10 | 002.558.157/0001-62 | 24

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

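Rank | Country | # of suspected botnet IPs
1 | China | 681
2 | United States | 289
3 | Russian Federation | 109
4 | Brazil | 104
5 | Indonesia | 76
6 | Viet Nam | 68
7 | South Korea | 61
8 | India | 61
9 | France | 59
10 | Taiwan | 51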

Suspected Bot List [2018-10-10]

detection period: 2018-10-10 00:00-23:59 UTC
number of suspected bots' IPs listed here: 176

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Wednesday, October 10, 2018

Botnet Statistics [2018-10-09]

detection period: 2018-10-09 00:00-23:59 UTC
total number of suspected botnet IPs: 2016
number of botnet IPs notified to network operators: 1870
number of spam blocked: 5145
recipient count of spam blocked: 154350

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | TencentCloud | 39
2 | CHINANET-JS | 36
3 | DIGITALOCEAN-8 | 33
4 | VNPT-VNNIC-VN | 31
5 | CHINANET-GD | 29
6 | ALISOFT | 29
7 | TELKOMNET | 27
8 | HINET-NET | 27
9 | CMNET | 27
10 | WHG-NETWORKS | 21

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

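Rank | Country | # of suspected botnet IPs
1 | China | 559
2 | United States | 232
3 | Russian Federation | 120
4 | Brazil | 94
5 | Viet Nam | 73
6 | Indonesia | 73
7 | India | 63
8 | United Kingdom | 55
9 | France | 48
10 | South Korea | 44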

Suspected Bot List [2018-10-09]

detection period: 2018-10-09 00:00-23:59 UTC
number of suspected bots' IPs listed here: 148

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Tuesday, October 9, 2018

Botnet Statistics [2018-10-08]

detection period: 2018-10-08 00:00-23:59 UTC
total number of suspected botnet IPs: 1876
number of botnet IPs notified to network operators: 1746
number of spam blocked: 5294
recipient count of spam blocked: 158820

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | TencentCloud | 32
2 | HINET-NET | 31
3 | CHINANET-JS | 30
4 | CHINANET-GD | 30
5 | DIGITALOCEAN-8 | 28
6 | MK-TOR-EXIT | 24
7 | 002.558.157/0001-62 | 24
8 | VNPT-VNNIC-VN | 23
9 | Baidu | 21
10 | WHG-NETWORKS | 16

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

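Rank | Country | # of suspected botnet IPs
1 | China | 380
2 | United States | 280
3 | Russian Federation | 111
4 | Brazil | 97
5 | France | 87
6 | Viet Nam | 64
7 | Germany | 63
8 | Netherlands | 59
9 | Indonesia | 54
10 | United Kingdom | 51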

Suspected Bot List [2018-10-08]

detection period: 2018-10-08 00:00-23:59 UTC
number of suspected bots' IPs listed here: 130

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Monday, October 8, 2018

Botnet Statistics [2018-10-07]

detection period: 2018-10-07 00:00-23:59 UTC
total number of suspected botnet IPs: 1497
number of botnet IPs notified to network operators: 1385
number of spam blocked: 2104
recipient count of spam blocked: 63120

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | DIGITALOCEAN-8 | 44
2 | TencentCloud | 40
3 | CHINANET-GD | 28
4 | HINET-NET | 25
5 | 002.558.157/0001-62 | 23
6 | VNPT-VNNIC-VN | 22
7 | WHG-NETWORKS | 21
8 | UNICOM-BJ | 18
9 | TELKOMNET | 17
10 | CHINANET-JS | 17

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

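Rank | Country | # of suspected botnet IPs
1 | China | 314
2 | United States | 214
3 | Russian Federation | 114
4 | Brazil | 76
5 | Viet Nam | 45
6 | Taiwan | 45
7 | Netherlands | 43
8 | France | 42
9 | Indonesia | 41
10 | India | 39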

Suspected Bot List [2018-10-07]

detection period: 2018-10-07 00:00-23:59 UTC
number of suspected bots' IPs listed here: 112

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Sunday, October 7, 2018

TCP port scan detection with HAProxy

I'm doing this on Debian Linux, but you should be able to do the same on any of HAProxy's supported platforms, like FreeBSD or other Linux distributions.

HAProxy was never intended to be used as a port scan detector. This TCP port scan detection is really a deliberate misuse of the "bind" keyword for HAProxy. HAProxy's "bind" accepts a dash-delimited port range, and you can make HAProxy listen on about 40,000 TCP ports without any problem.

You have to skip ports for your real TCP services. I will skip SMTP (TCP port 25) and HTTP (TCP port 80) in the following example.

Install HAProxy first.

    apt-get install haproxy

Append the following lines to HAProxy's configuration at /etc/haproxy/haproxy.cfg.

    frontend fr_tcp
        log /dev/log local2
        mode tcp
        # Listen on ports 1-40000, skipping the real services on 25 (SMTP) and 80 (HTTP)
        bind <IP address of your HAProxy server>:1-24
        bind <IP address of your HAProxy server>:26-79
        bind <IP address of your HAProxy server>:81-40000
        # Log "<source IP>:<port> => <destination IP>:<port>" ahead of the other TCP log fields
        log-format %ci:%cp\ =>\ %[dst]:%[dst_port]\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
        default_backend bk_tcp

    backend bk_tcp
        mode tcp
        # Placeholder backend; no service needs to listen at this address
        server www-2 127.0.0.1:1028

In the frontend section, HAProxy is configured to accept connections on TCP ports 1 to 40,000 minus 25 and 80. A custom log format is used to record IP addresses and port numbers of source and destination nodes, which are separated by a "=>" character string.

The backend section specifies a backend server at 127.0.0.1:1028. You can change the IP address and/or port number. It doesn't matter whether you have a TCP service there, and I don't have one. This is just to get a working configuration.

You have to stop and start HAProxy again for the new configuration to take effect. I don't just restart or reload HAProxy because sometimes it seemed to run out of file descriptors and I had to reboot my Debian Linux.

    service haproxy stop
    service haproxy start

Give it some time, I guess at most half an hour, and you should see some logged actions in /var/log/messages or /var/log/syslog, like the following:

2018-09-29T03:21:53.912375+00:00 h4fvps1 haproxy[6415]: 45.XXX.49.XXX:64768 => 1YY.Y40.YY.1Y8:445 [29/Sep/2018:03:21:50.908] fr_tcp bk_tcp/www-2 1/-1/3003 0 SC 0/0/0/0/3 0/0

The line above shows that a host at IP 45.XXX.49.XXX tried to connect to TCP port 445 of my server at IP 1YY.Y40.YY.1Y8.

I prefer to keep HAProxy's log in its own file, so I changed the content of the file /etc/rsyslog.d/49-haproxy.conf to the following (only uncommented lines are shown):

    $AddUnixListenSocket /var/lib/haproxy/dev/log
    local2.* /var/log/haproxy.log

That's it.

Before this "misuse" of HAProxy, I had tried my hand at scanlogd and PSAD, two security tools capable of detecting port scans. But neither of them really accepts TCP connections, which makes me doubt the validity of the source IP addresses they logged. HAProxy does not have this problem because it really listens on all the TCP ports you specified in haproxy.cfg. You can verify it yourself by issuing the following command:

    netstat -an | grep LISTEN | wc -l

The number printed should be larger than the number of ports specified in your haproxy.cfg.
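An added example, not part of the original post: a Python parser for the custom log format configured above that groups logged connections by source address and separates sources touching several distinct ports from sources probing a single port. The sample lines are constructed with documentation address ranges, and the function names and the three-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the post's custom log-format:
#   <src ip>:<src port> => <dst ip>:<dst port> [<accept time>] <frontend> ...
LINE_RE = re.compile(
    r"haproxy\[\d+\]: (?P<src>[0-9A-Fa-f.:]+):(?P<sport>\d+) => "
    r"(?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) "
)

def _sample(src, sport, dport):
    """Build one constructed log line shaped like the line shown in the post."""
    return (f"2018-09-29T03:21:53.912375+00:00 host1 haproxy[6415]: {src}:{sport} => "
            f"192.0.2.10:{dport} [29/Sep/2018:03:21:50.908] fr_tcp bk_tcp/www-2 "
            "1/-1/3003 0 SC 0/0/0/0/3 0/0")

# Constructed input: one source walking four ports, one source repeating port 445,
# and one HAProxy status message that is not a connection record.
SAMPLE_LOG = [
    _sample("198.51.100.7", 64768, 22),
    _sample("198.51.100.7", 64770, 23),
    _sample("198.51.100.7", 64772, 445),
    _sample("198.51.100.7", 64774, 3389),
    _sample("203.0.113.9", 50112, 445),
    _sample("203.0.113.9", 50113, 445),
    "2018-09-29T03:20:00.000000+00:00 host1 haproxy[6415]: Proxy fr_tcp started.",
]

def parse_line(line):
    """Return (source ip, destination port, frontend) or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["src"], int(m["dport"]), m["fe"]

def ports_by_source(lines, frontend="fr_tcp"):
    """Map each source address to the set of destination ports it connected to."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == frontend:
            seen[rec[0]].add(rec[1])
    return dict(seen)

def classify(lines, min_ports=3):
    """Label a source 'scan' at min_ports distinct ports (assumed threshold), else 'probe'."""
    return {src: ("scan" if len(ports) >= min_ports else "probe")
            for src, ports in ports_by_source(lines).items()}

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(src, verdict)
```
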

Botnet Statistics [2018-10-06]

detection period: 2018-10-06 00:00-23:59 UTC
total number of suspected botnet IPs: 1529
number of botnet IPs notified to network operators: 1410
number of spam blocked: 0
recipient count of spam blocked: 0

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | TencentCloud | 37
2 | HINET-NET | 34
3 | DIGITALOCEAN-8 | 27
4 | Baidu | 27
5 | VNPT-VNNIC-VN | 26
6 | WHG-NETWORKS | 25
7 | CHINANET-JS | 21
8 | INTERNUX-NET | 20
9 | Amsterdam_Residential_Television_and_Internet_Network | 19
10 | TELKOMNET | 17

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

1 | China | 304
2 | United States | 185
3 | Russian Federation | 115
4 | Indonesia | 63
5 | Viet Nam | 59
6 | Brazil | 54
7 | Netherlands | 52
8 | India | 50
9 | Taiwan | 49
10 | France | 43

Suspected Bot List [2018-10-06]

detection period: 2018-10-06 00:00-23:59 UTC
number of suspected bots' IPs listed here: 119

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Saturday, October 6, 2018

Botnet Statistics [2018-10-05]

detection period: 2018-10-05 00:00-23:59 UTC
total number of suspected botnet IPs: 1686
number of botnet IPs notified to network operators: 1528
number of spam blocked: 2912
recipient count of spam blocked: 87360

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | DIGITALOCEAN-8 | 40
2 | VNPT-VNNIC-VN | 36
3 | TencentCloud | 36
4 | HINET-NET | 30
5 | AMAZON-2011L | 30
6 | CHINANET-GD | 29
7 | LogicWeb-Inc | 27
8 | CMNET | 27
9 | Amsterdam_Residential_Television_and_Internet_Network | 25
10 | TELKOMNET | 24

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

1 | China | 350
2 | United States | 248
3 | Russian Federation | 128
4 | Indonesia | 67
5 | Netherlands | 66
6 | Brazil | 66
7 | Viet Nam | 65
8 | France | 63
9 | India | 44
10 | Taiwan | 43

Suspected Bot List [2018-10-05]

detection period: 2018-10-05 00:00-23:59 UTC
number of suspected bots' IPs listed here: 162

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Friday, October 5, 2018

Botnet Statistics [2018-10-04]

detection period: 2018-10-04 00:00-23:59 UTC
total number of suspected botnet IPs: 1509
number of botnet IPs notified to network operators: 1379
number of spam blocked: 6022
recipient count of spam blocked: 180458

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | TencentCloud | 40
2 | VNPT-VNNIC-VN | 31
3 | HINET-NET | 27
4 | CHINANET-GD | 25
5 | LogicWeb-Inc | 23
6 | AT-88-Z | 23
7 | AMAZON-2011L | 22
8 | CHINANET-JS | 20
9 | Baidu | 20
10 | WHG-NETWORKS | 19

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

1 | China | 320
2 | United States | 209
3 | Russian Federation | 117
4 | Brazil | 74
5 | Viet Nam | 65
6 | Indonesia | 62
7 | Taiwan | 42
8 | France | 42
9 | India | 41
10 | Netherlands | 31

Suspected Bot List [2018-10-04]

detection period: 2018-10-04 00:00-23:59 UTC
number of suspected bots' IPs listed here: 130

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Thursday, October 4, 2018

Botnet Statistics [2018-10-03]

detection period: 2018-10-03 00:00-23:59 UTC
total number of suspected botnet IPs: 1633
number of botnet IPs notified to network operators: 1485
number of spam blocked: 7169
recipient count of spam blocked: 239266

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | DIGITALOCEAN-8 | 52
2 | TencentCloud | 45
3 | VNPT-VNNIC-VN | 36
4 | HINET-NET | 32
5 | LogicWeb-Inc | 28
6 | CHINANET-JS | 26
7 | WHG-NETWORKS | 22
8 | AT-88-Z | 21
9 | AMAZON-2011L | 21
10 | Baidu | 19

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

1 | China | 342
2 | United States | 249
3 | Russian Federation | 137
4 | Viet Nam | 78
5 | Brazil | 70
6 | Indonesia | 55
7 | Taiwan | 49
8 | India | 45
9 | South Africa | 31
10 | Netherlands | 29

Suspected Bot List [2018-10-03]

detection period: 2018-10-03 00:00-23:59 UTC
number of suspected bots' IPs listed here: 149

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Wednesday, October 3, 2018

Botnet Statistics [2018-10-02]

detection period: 2018-10-02 00:00-23:59 UTC
total number of suspected botnet IPs: 1578
number of botnet IPs notified to network operators: 1427
number of spam blocked: 5097
recipient count of spam blocked: 152910

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | LogicWeb-Inc | 42
2 | CMNET | 33
3 | TencentCloud | 32
4 | VNPT-VNNIC-VN | 29
5 | HINET-NET | 23
6 | CHINANET-GD | 23
7 | 002.558.157/0001-62 | 23
8 | CHINANET-JS | 21
9 | WHG-NETWORKS | 18
10 | TELKOMNET | 17

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

1 | China | 323
2 | United States | 173
3 | Russian Federation | 152
4 | Brazil | 78
5 | Viet Nam | 71
6 | South Africa | 49
7 | Indonesia | 49
8 | Taiwan | 43
9 | Netherlands | 42
10 | India | 40

Suspected Bot List [2018-10-02]

detection period: 2018-10-02 00:00-23:59 UTC
number of suspected bots' IPs listed here: 152

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Tuesday, October 2, 2018

Botnet Statistics [2018-10-01]

detection period: 2018-10-01 00:00-23:59 UTC
total number of suspected botnet IPs: 1674
number of botnet IPs notified to network operators: 1545
number of spam blocked: 23408
recipient count of spam blocked: 398190

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | TencentCloud | 55
2 | HINET-NET | 33
3 | VNPT-VNNIC-VN | 32
4 | CMNET | 26
5 | CHINANET-GD | 25
6 | Baidu | 25
7 | CHINANET-JS | 23
8 | 002.558.157/0001-62 | 23
9 | TELKOMNET | 22
10 | AT-88-Z | 20

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

1 | China | 398
2 | United States | 203
3 | Russian Federation | 137
4 | Brazil | 91
5 | Viet Nam | 71
6 | Indonesia | 55
7 | Taiwan | 49
8 | India | 46
9 | France | 41
10 | South Korea | 34

Suspected Bot List [2018-10-01]

detection period: 2018-10-01 00:00-23:59 UTC
number of suspected bots' IPs listed here: 130

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting:

Monday, October 1, 2018

Botnet Statistics [2018-09-30]

detection period: 2018-09-30 00:00-23:59 UTC
total number of suspected botnet IPs: 2064
number of botnet IPs notified to network operators: 1901
number of spam blocked: 16692
recipient count of spam blocked: 331941

The top 10 networks (as found in WHOIS), ordered by number of suspected botnet IPs are:

Rank | Network | # of suspected botnet IPs
1 | TencentCloud | 62
2 | CMNET | 39
3 | CHINANET-JS | 36
4 | KORNET-KR | 32
5 | CHINANET-GD | 31
6 | HINET-NET | 30
7 | LogicWeb-Inc | 28
8 | 002.558.157/0001-62 | 28
9 | TENCENT-CN | 26
10 | VNPT-VNNIC-VN | 25

The top 10 countries (as defined by the 2-character country code), ordered by number of suspected botnet IPs are:

1 | China | 590
2 | United States | 234
3 | Russian Federation | 134
4 | Brazil | 91
5 | South Korea | 76
6 | Viet Nam | 57
7 | France | 57
8 | Indonesia | 51
9 | Taiwan | 50
10 | Netherlands | 40

Suspected Bot List [2018-09-30]

detection period: 2018-09-30 00:00-23:59 UTC
number of suspected bots' IPs listed here: 167

IP addresses listed here all exhibit strange network behavior. As I could not notify the victims for various reasons (no working abuse contact, mailbox over quota, etc.), I list them here instead. I have to emphasize that those are just *suspected* to be malware-infected computers.

List from fake open relays:

country code | IP address | Country

List from greylisting: