
Security

November 26, 2008 2:13 PM PST

Spam increasing again after shutdown of hosting company

by Elinor Mills

This graph shows how spam volumes dropped 80 percent after McColo was shut down and are crawling back up two weeks later.

(Credit: MessageLabs)

Spammers knocked offline two weeks ago when their hosting company, McColo Corp., was shut down are finally coming back online, security researchers said on Wednesday.

San Jose, Calif.-based McColo was believed to be responsible for up to 75 percent of all spam, according to Brian Krebs of The Washington Post, who broke the initial story.

Spam volumes, which dropped about 80 percent when McColo was shut down on November 11, remained relatively flat until a few days ago, when they started climbing again, said Matt Sergeant, senior antispam technologist at MessageLabs, now owned by Symantec.

Since Sunday, the spam volume has risen to about 37 percent of what it was before McColo was unplugged, MessageLabs said.

McColo was hosting command and control servers that were being used to send instructions--like send spam or Trojans--to bot software that has been planted on PCs, mostly in the U.S., according to Sergeant. "With no work orders to process, the machines simply stopped spamming," he said.

Some of the botnets, with names like "Srizbi," "Asprox," "Rustock," and "Mega-D," are back up after connecting to different domains, Sergeant said. Some are connecting to ISPs outside the U.S., which will make it very difficult to shut them down again, he said.

"The problem now is that it was a lot easier to get a U.S.-based ISP shut down than it will be to get, for example, this Estonian ISP shut down," Sergeant said.

"We've stunted the spammers for a couple of weeks, which is a good thing for the Internet," he said. "We've increased their costs and, hopefully, that might put some spammers out of business."

Researchers are collaborating on the matter and providing information to U.S. law enforcement agencies, said Paul Ferguson, an advanced threat researcher at Trend Micro.

Some of the bots are programmed to connect to a new domain after a certain amount of time of inactivity, he said.

Researchers have been able to get some registrars to suspend some domains being used and have filed abuse complaints with some ISPs that appear to be unwitting hosts, Ferguson added.

November 12, 2008 4:40 PM PST

Spam declines after hosting company shut-down

by Robert Vamosi
Number of spam messages sent

MessageLabs documented spam volume falling to eight times less than normal in the 12 hours immediately following the takedown.

(Credit: MessageLabs)

Internet hosting site McColo disappeared on Tuesday. Along with it went thousands of pieces of spam, thanks, in part, to investigative work by Washington Post reporter Brian Krebs.

For about four months, security experts have been collecting data about McColo Corp., a San Jose, Calif.-based Web hosting service that may have been used by the cyber underground, according to The Washington Post. Krebs said that the McColo hosting company had been responsible for up to 75 percent of all spam sent.

Security vendor MXLogic said it was seeing about a 50 percent decline in spam volume as a result on Wednesday.

Jose Nazario of Arbor Networks, a company that monitors botnet activity, speculated that McColo vanished at around 9 a.m. Eastern time on November 10. Botnets are frequently used to relay spam, and McColo may have hosted some of the command and control servers necessary to coordinate spam campaigns.

Adam O'Donnell, writing on the ZDNet Zero Day blog, speculates that the spammers might regroup in Eastern Europe.

The Post credits Benny Ng, director of marketing for Hurricane Electric, an upstream provider for McColo, for pulling the plug on the company. Another provider, Global Crossing, declined to comment, telling Krebs the company "communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity."

Something similar happened in September when another hosting site, Intercage/Ativo, was shut down by its upstream providers.
