SANS ISC: Situational Awareness: Spam Crisis and China - SANS Internet Storm Center SANS ISC InfoSec Forums
Situational Awareness: Spam Crisis and China

Gary Warner, Director of Research at UAB Computer Forensics, posted a very interesting analysis of the past 48 days of spam data, looking at how much of that spam has ties to China.

The post is a call for increased awareness of the situation with certain registrars and hosting providers in China that have become spam havens in recent times. It is our hope, as it is Gary's, that by exposing the amount of spam, fraudulent messages and criminal activity coming from a few areas of China, those of you who have contacts in China may be able to bring these statistics to the attention of your counterparts at ISPs, hosting providers and law enforcement. With that education, we expect that government or high-level business personnel will take appropriate steps to mitigate this situation, as has been done with other locations in years past.

Thanks, Gary, for posting this very enlightening blog, located at

Scott Fendley
ISC Handler on Duty


191 Posts
ISC Handler
Jun 20th 2009
<c+p's rant I wrote on another site>

I've been saying for years that there needs to be some serious reform over at ICANN... so many registrars should be losing their accreditation for blindly registering fake domains.

At home I block all connections to/from China and Korea based on the netblocks published at We have no need to exchange packets with those parts of the net. Unfortunately that's not an option for many, possibly most, organizations. And since I do not run my own MX host, it does nothing to block spam from those netblocks. However, I'm sure I'm not the only one to have noticed that an inordinate number of the malicious URLs dissected in these diaries are located in, or eventually lead to, China. I rest just a little better knowing that the other members of my household are protected from that subset of attacks even before they are exposed.

One must wonder how a more general shunning of the problem areas of the net, however unlikely, might spur a much-needed cleanup. The first thought that comes to mind is "can of worms".

50 Posts
Part of the problem there is also the language barrier: how do you report these infractions to the ISPs? I've tried; all I get back is an email full of characters I can't read.

On the flip side, however, I sent an abuse@ email to an ISP in Quebec because one of their hosts was pounding my firewall for what appears to be no reason, on some port I don't even use or recognize. No response for a month. Tried the "responsible person"... no response for a month. I tried a third time and all I got back was "I need the host causing the problem". What?? If they had even read the email, they would have seen the huge log I had sent them.

Intelligence barrier? Maybe we should also be considering who is allowed to be an ISP.
