Google's New Malware Dashboard: Incero's on the Top 10

manacit

New Member
I was checking out Google's new Malware Dashboard when I found this:

[image: incero.png]


Looks like someone needs to go through and do some cleaning! 

Check the link earlier though, the malware dashboard is a pretty nice tool!
 

jarland

The ocean is digital
Looks like a lot of people have cleaning to do. I wouldn't say Incero is worth highlighting though. High on the list because it's sorted by percentage but the number of scanned sites is fairly low. Although I'm certain Gordon won't be terribly pleased by the result regardless ;)
 

kaniini

Beware the bunny-rabbit!
Verified Provider
The most annoying aspect of Google's security efforts is that, at least in my experience, they don't notify the netblock operator of the compromised/attack sites, so you find out about them later.

I really wish they would do that, it doesn't seem like it would be too difficult for Google to send out a notification mail when it encounters a hacked site.
 

drmike

100% Tier-1 Gogent
Wait... wait... but...

Google says they've only scanned 7% of Incero's ASN.

Of that, 19% of the sites scanned therein contain malware --- that's 1-in-5.  Quite high. 

Not Gordo's fault, but certainly needs some top down house cleaning.

Does Google offer some more details on this --- like the specific sites, IPs, etc.?
 

drmike

100% Tier-1 Gogent
The most annoying aspect of Google's security efforts is that, at least in my experience, they don't notify the netblock operator of the compromised/attack sites, so you find out about them later.

I really wish they would do that, it doesn't seem like it would be too difficult for Google to send out a notification mail when it encounters a hacked site.
Google is like that... They love making messes, banning people, breaking things, etc.  It's all about big, fat, ugly piles of data.

Providing email notifications, well that might be deemed providing a service and people might then complain they weren't mailed in the future or more likely, that when nothing turns up on site/IP and they can't get it delisted and the auto-bots continue, no one is home for support at Google.
 

manacit

New Member
The most annoying aspect of Google's security efforts is that, at least in my experience, they don't notify the netblock operator of the compromised/attack sites, so you find out about them later.

I really wish they would do that, it doesn't seem like it would be too difficult for Google to send out a notification mail when it encounters a hacked site.
Yeah I'm surprised they don't just file a notification to admin@ or whatever the registered contact is - you'd think it would be in everyone's best interest.

Despite their entire ASN not being scanned, as of now they are one of the top malware providers (by %) in the USA, according to Google. Whether or not that's actually true, however, would require a bit more data. 
 

jarland

The ocean is digital
Yeah I'm surprised they don't just file a notification to admin@ or whatever the registered contact is - you'd think it would be in everyone's best interest.

Despite their entire ASN not being scanned, as of now they are one of the top malware providers (by %) in the USA, according to Google. Whether or not that's actually true, however, would require a bit more data. 
I mean, if I had 2 IPs and 1 had malware I'd be #1 on that list ;)

Still a lot though you're right. I wish it gave more detail.
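jarland's point about a percentage-sorted list and small scan counts, as an added example that is not part of the original thread: ranking by the lower bound of the Wilson score interval instead of the raw percentage keeps a network with 1 flagged site out of 2 from topping the list. The network labels and counts are constructed sample data, not dashboard figures.

```python
import math

def wilson_lower_bound(flagged, scanned, z=1.96):
    """Lower end of the Wilson score interval for flagged/scanned (95% for z=1.96)."""
    if scanned == 0:
        return 0.0
    p = flagged / scanned
    z2 = z * z
    centre = p + z2 / (2 * scanned)
    margin = z * math.sqrt(p * (1 - p) / scanned + z2 / (4 * scanned ** 2))
    return (centre - margin) / (1 + z2 / scanned)

# Constructed sample: (network label, sites flagged, sites scanned).
SAMPLE = [
    ("AS-TWO-SITES", 1, 2),      # 50% raw, but only two observations
    ("AS-SMALL", 20, 100),       # 20% raw
    ("AS-LARGE", 1900, 10000),   # 19% raw, large sample
    ("AS-CLEAN", 20, 10000),     # 0.2% raw
]

def rank_by_raw_percentage(rows):
    """Order networks the way a plain percentage sort does."""
    ordered = sorted(rows, key=lambda r: r[1] / r[2], reverse=True)
    return [name for name, _, _ in ordered]

def rank_by_wilson(rows):
    """Order networks by the rate we can be confident they reach at minimum."""
    ordered = sorted(rows, key=lambda r: wilson_lower_bound(r[1], r[2]), reverse=True)
    return [name for name, _, _ in ordered]

if __name__ == "__main__":
    print("raw   :", rank_by_raw_percentage(SAMPLE))
    print("wilson:", rank_by_wilson(SAMPLE))
    for name, flagged, scanned in SAMPLE:
        print(f"{name:13} raw={flagged / scanned:.3f} "
              f"lower={wilson_lower_bound(flagged, scanned):.3f}")
```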
 

drmike

100% Tier-1 Gogent
True Jarland, true.

Google shaming providers now.  Hopefully they don't go banning ASNs like they do with search engine results where malware is found.  Too much power wielding by the G'men.
 

maounique

Active Member
Well, we are having problems with Spamhaus.

After years of successful cooperation they deem us spam heaven and escalate every incident to block even further without even notifying.

So far /23 is blocked and next time probably the whole ASN.

Too much power to those people, nobody to actually check what their motivations are, whom they hate and why.

Prometeus spammer heaven, cool, last time I checked at reputable lists we didn't have more than a handful of IPs and we eliminated them all the time.

Did Spamhaus stop spam? No, this is like the war on islam or drugs, it will never be won, just some guys will make some cool dough because of it.

At least something good is coming out of this, we no longer have spammers signing up already :p

Hosting emailers is a bad business, even legit ones, most ppl "mark as spam" instead of unsubscribing what they subscribed, is faster that way and then this never stopped real spammers.

When the war on something makes more collateral damage than the actual good and helps some ppl get a lot of power instead, then it is just another kind of a religious/ideological war. Good for the government, bad for the people.
 

jarland

The ocean is digital
Well, we are having problems with Spamhaus.

After years of successful cooperation they deem us spam heaven and escalate every incident to block even further without even notifying.

So far /23 is blocked and next time probably the whole ASN.

Too much power to those people, nobody to actually check what their motivations are, whom they hate and why.

Prometeus spammer heaven, cool, last time I checked at reputable lists we didn't have more than a handful of IPs and we eliminated them all the time.

Did Spamhaus stop spam? No, this is like the war on islam or drugs, it will never be won, just some guys will make some cool dough because of it.

At least something good is coming out of this, we no longer have spammers signing up already :p

Hosting emailers is a bad business, even legit ones, most ppl "mark as spam" instead of unsubscribing what they subscribed, is faster that way and then this never stopped real spammers.

When the war on something makes more collateral damage than the actual good and helps some ppl get a lot of power instead, then it is just another kind of a religious/ideological war. Good for the government, bad for the people.
That's terrible. I second that these organizations need to be given less power or they need to be more transparent in providing details for their actions. It's them who decided this was the service they want to provide, and it's the ISPs who decide if they're worth giving power to. Perhaps it's time for people to start massively lobbying the ISPs to demand a change.
 

drmike

100% Tier-1 Gogent
That's terrible. I second that these organizations need to be given less power or they need to be more transparent in providing details for their actions.
 

+1 for transparent... and...

They need to staff humans for support to deal with problems and get quick resolution/steps to resolve matters when needed.
 

Aldryic C'boas

The Pony
Seems to be hit and miss, I suppose. Several of the Spamhaus techs know me on a first name basis, and I've never had any issues getting listings dealt with *shrug*
 

maounique

Active Member
 I second that these organizations need to be given less power or they need to be more transparent in providing details for their actions.
The detail they gave was that their "customers" are annoyed by what comes from our customers (which is what, both incidents were from spamvertized sites, not actual spam, we catch port 25 junk pretty quick) and we need to work much harder, probably a canned reply. I doubt anyone actually checks there and they have autoresponders lately.

For 5 k IPs with 5 at most IPs listed in various lists that expire them after 1 week, which actually means some 5 a week is a very good result if you ask me.

We won't pay them anything (nor did they ask, to be honest, unlike other lists that have "delisting" prices), it is actually better to be blacklisted, as I said, hosting emailers is bad business and I will write a tutorial on how to use the free mandrill to send a few mails that forums and similar software need as well as monitoring tools. Customers know (and if they don't, we can prove it all the time with reputable lists) that we are not hosting spammers. We even delete DNS of those when we get notified.
 

H4G

New Member
Verified Provider
I asked Gordon about it, he says:

Thanks, we actually follow that religiously as well as "clean mx", both pipe into our abuse system automatically. If you look at historical data you will see the spike lines up with the wordpress exploit that happened recently. Our abuse system automatically notified affected clients, and the "malware rate" is now below 2%, one of the lowest in the industry. Feel free to check the current stats for yourself, and feel free to post my reply on that forum also. Cheers.
 

Steven F

New Member
Verified Provider
We don't know what Google's methods are. They may specifically only target sites that they believe are malware, meaning that 30% of the domains they scanned may have malware, but that's 19% of sites they suspected which is 2% of Incero's overall network. That would mean it's closer to .5% of Incero's servers are malware, which may seem a bit high, but it's not so crazy. Think hundreds of servers, possibly thousands of VMs.

Just a thought.
 

maounique

Active Member
It seems you can sign up with google to receive alerts about malware hosted inside your AS - http://www.google.com/safebrowsing/alerts/

edit: I signed up, let's see if they actually send anything.
Cool, signed up too.

This is a plague, even our forum has been targeted by malware, somehow the attacker managed to load a script instead of a picture as avatar taking advantage of improper sanitization. As such any folders where user content can be uploaded have been made read-only :p

However, WordPress is a disaster, probably bigger than kloxo or zpanel in terms of exploits.
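The avatar problem described in the post above, as an added example that is not part of the original thread or the forum's own code: a server-side check that accepts an upload only when its leading bytes match an allowed image format, and that picks the stored file name itself. The function names, the accepted formats and the size limit are assumptions made for the illustration.

```python
import secrets

# Leading bytes of the only formats accepted as avatars (assumed policy).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 512 * 1024  # assumed upper size limit for an avatar


class RejectedUpload(ValueError):
    """Raised when an upload is not stored."""


def sniff_image_type(data):
    """Return the extension implied by the content, or None if unrecognised."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def accept_avatar(client_filename, data):
    """Return the server-chosen storage name, or raise RejectedUpload.

    The client-supplied name and extension are never used for storage, so a
    file sent as "avatar.php" cannot end up on disk with that extension.
    """
    if len(data) > MAX_BYTES:
        raise RejectedUpload("too large")
    ext = sniff_image_type(data)
    if ext is None:
        raise RejectedUpload("not a PNG, JPEG or GIF: %r" % client_filename)
    # A header check does not prove the rest of the file is harmless; decoding
    # and re-encoding with an image library, and serving uploads from a
    # location that never executes files, are the stronger complements.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed inputs: a PNG header with padding, and script text named .png.
    print(accept_avatar("avatar.php", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    try:
        accept_avatar("me.png", b"<script>alert(1)</script>")
    except RejectedUpload as exc:
        print("rejected:", exc)
```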