← All posts

The Central Asia surge faded. The Iran story didn't.

Four weeks ago I published an analysis of shifting DMARC failure geography, with two main findings. Iran had gone almost completely silent, consistent with the country's prolonged internet blackout. Central Asia, mostly Kazakhstan and Uzbekistan, had erupted in the final two weeks of the dataset. I closed by noting the surge was less than two weeks old at publication and could be either a transient burst or the beginning of a sustained shift.

It was a transient burst. Here's the data.

The Central Asia surge collapsed

The week of April 6 produced 25 DMARC failures from Kazakhstan, Uzbekistan, Kyrgyzstan, and Tajikistan combined: 20% of all failures that week. In the four weeks since, those same four countries have produced exactly one failure between them, in a dataset that recorded 147 failures (yes, it's been a quiet few weeks for these domains) over the same span.

Uzbekistan was the most striking case in the original. It went from zero failures across the entire dataset to ten in a single week, almost all from a single ASN (UZTELECOM). Since April 9 it has produced none. Kazakhstan, Kyrgyzstan, and Tajikistan show the same pattern: a brief April spike, then silence. Whatever provisioned that infrastructure de-provisioned it just as quickly, or got blocked, or moved somewhere I'm not yet seeing.

This kills the "infrastructure migration" framing from the original post. A migration produces sustained activity from the new origin. What I observed was a one-week burst. That's different. Bursts are consistent with abuse-of-trial-credit on cloud VPS providers, with short-lived botnet activity that gets cleaned up by the host, or with a campaign that simply ran its course. None of those are migrations.

I'd rather say I was wrong than leave the original framing standing.

The Iran finding holds

Iran's collapse, on the other hand, is exactly as the data described it three weeks ago. The country has produced between one and four DMARC failures per week every week since early March, with no recovery and no sign of one. The eleven-week post-blackout average is 2.4 failures per week, against a pre-blackout baseline that was running closer to seven per week through 2025.

Connectivity in Iran remains at roughly 1% of pre-war levels. The DMARC data tracks that mechanically. There's no compositional shift to debate now. Iran can't send what it can't connect to, and the trickle that does get through is consistent with whatever fraction of Iranian IP space has retained outbound access via satellite, cross-border SIM, or the partial corridors that exist for state-permitted traffic.

This is a useful methodological point. The blackout amendment to the original post replaced one hypothesis (operators chose to migrate) with another (operators lost access). The new four weeks of data don't favor the migration story, since the alleged destination went silent. They are entirely consistent with the access-loss story, which doesn't require anyone to show up anywhere else.

What also fell off

The other "emerging sources" called out in the original have either flatlined or pulled back:

• Russia spiked to 10 failures in the April 6 week, then dropped to 6, 2, 3, 2 over the four weeks since. No sustained increase.
• Vietnam ran 3, 3, 0, 4, 0 across the same span. The mid-March uptick the original flagged didn't continue.
• Brazil ran 6, 4, 0, 2, 0. Same pattern.
• United States continues its long decline. Total US failures since the original: 30, against a 2025 H1 weekly average that exceeded 100.

The aggregate weekly DMARC failures since the original was published: 35, 34, 64, 14. Compared to the surge week's 125, the platform is back to a quiet baseline.

What I take from this

Two things, mostly methodological.

First, the value of the publish-and-revise model. The original post made a claim, the amendment narrowed that claim within 24 hours based on context I'd missed, and now the four-week follow-up retires part of the narrowed claim entirely. The Iran finding is more credible now, not less, because it survived a check that the Central Asia finding didn't. If I'd waited until I had a "complete" story, I'd have nothing useful to say either time.

Second, the pattern recognition limit. A two-week burst that simultaneously appears in three countries with prior-zero counts looks structural until it isn't. The statistical tests in the original were correct. The pre-April daily baseline was 0.018 failures per day; April 1–12 ran 5.33 per day; the p-value was vanishingly small. None of that was wrong. What was wrong was the inference that significance over twelve days predicted continuation. The data ran out before the story did.

I'll keep watching the Central Asian countries to see if anything resumes. If it does, that's interesting. If it doesn't, that's also interesting, just less so.

A note on what counts as a finding

Worth being precise about a distinction I glossed over the first time. A surge is an observation. A shift is a trajectory. The original used both words appropriately at the time, but they're not interchangeable, and the difference matters when the data extends.

The Iran collapse was always a shift because the mechanism, no connectivity, was structural and the data kept arriving to confirm it. The Central Asia event was a surge because the mechanism was unknown and the data stopped before it could become anything more. Going forward I'll reserve "shift" for patterns that have survived at least one full follow-up window, and use "surge," "spike," or "burst" for the rest.

© 2026 dmarcSignal and Christian Ricci, LLC. All rights reserved. · About