November 26, 2008 2:13 PM PST

Spam increasing again after shutdown of hosting company

Posted by Elinor Mills

This graph shows how spam volumes dropped 80 percent after McColo was shut down and are crawling back up two weeks later.

(Credit: MessageLabs)

Spammers knocked offline two weeks ago when their hosting company, McColo Corp., was shut down are finally coming back online, security researchers said on Wednesday.

San Jose, Calif.-based McColo was believed to be responsible for up to 75 percent of all spam, according to Brian Krebs of The Washington Post, who broke the initial story.

Spam volumes, which dropped about 80 percent when McColo was shut down on November 11, remained relatively flat until a few days ago, when they started climbing again, said Matt Sergeant, senior antispam technologist at MessageLabs, now owned by Symantec.

Since Sunday, spam volume has risen to about 37 percent of what it was before McColo was unplugged, MessageLabs said.

McColo was hosting command and control servers that were being used to send instructions--like send spam or Trojans--to bot software that has been planted on PCs, mostly in the U.S., according to Sergeant. "With no work orders to process, the machines simply stopped spamming," he said.

Some of the botnets, with names like "Srizbi," "Asprox," "Rustock," and "Mega-D," are back up after connecting to different domains, Sergeant said. Some are connecting to ISPs outside the U.S., which will make it very difficult to shut them down again, he said.

"The problem now is that it was a lot easier to get a U.S.-based ISP shut down than it will be to get, for example, this Estonian ISP shut down," Sergeant said.

"We've stunted the spammers for a couple of weeks, which is a good thing for the Internet," he said. "We've increased their costs and, hopefully, that might put some spammers out of business."

Researchers are collaborating on the matter and providing information to U.S. law enforcement agencies, said Paul Ferguson, an advanced threat researcher at Trend Micro.

Some of the bots are programmed to connect to a new domain after a certain amount of time of inactivity, he said.

Researchers have been able to get some registrars to suspend some domains being used and have filed abuse complaints with some ISPs that appear to be unwitting hosts, Ferguson added.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
9 comments
by dargon19888 November 26, 2008 7:39 PM PST
While it's easier to get a U.S.-based ISP shut down, you can always black hole an entire country like Estonia.
by jlsdev November 28, 2008 8:14 AM PST
Very much agreed yet, in reading a dozen or so related articles on this subject, I have yet to find any of the so-called 'journalists' supposedly 'reporting' on this subject who have done any research to uncover and reveal the ISPs, and their associated IP ranges, who are RESPONSIBLE for this 'revival' such that we can easily block them. As opposed to the ill-conceived, farcical notion that charging a penny per email would magically stop spammers that continues to resurface and reflects only a complete lack of understanding of how the Internet works, providing the Internet community with the information needed to completely block the ISPs who, either negligently or knowingly, support these operations would quickly get their attention and, once again, 'pull-the-plug' on these resurfacing botnets - No hosts => No net.
by Rustedbird November 28, 2008 9:50 AM PST
Not an entirely farcical suggestion, considering we are already paying something per email in the ISP's overhead for maintaining an email service, including cost of capital and maintenance. Why not make it up front?
by jlsdev November 28, 2008 11:01 AM PST
The 'farcical' I mentioned was in relation to the supposition that it would have any measurable effect on spam. As with anything else, criminals will find ways around these charges such that the only ones paying them would end up being the legitimate mailers and the spam would continue unabated. This has a great deal to do with the open nature of the fundamentals under which the Internet protocols overall, and SMTP in particular, were developed and which, without a massive, entire rewrite from the bottom up, with the associated cost and disruption, we now have to live with. For example, there are 65,535 ports that can be used for various protocols on any Internet connected device and, along with those, a list of 'assigned port numbers' maintained by IANA; however, there is nothing whatsoever that restricts any protocol to its 'assigned' port. So, while the vast majority of SMTP servers operated by ISPs [which is where these per-email fees would supposedly be tallied] follow the 'rules' and 'listen' for incoming traffic on port 25, there is nothing whatsoever in place to prevent anyone from setting up an SMTP server to listen on any one [or more] of the remaining available ports for incoming mail, and many of the trojan-infected computers that make up botnets already do this, or communicate their SMTP traffic to some other renegade SMTP server, somewhere, whose IP address and 'non-standard' port they have been programmed to know, thus bypassing completely any per-email fees that would be charged, if indeed they were. The obvious result of this is that only those legitimate emailers using legitimate SMTP servers would be subject to the fee, the ISPs would collect and pocket the money, and the spammers would continue to have a 'field-day' for free.
The only way around this would be to implement more-or-less 'deep packet inspection' on a worldwide basis [meaning every single ISP on the planet would have to agree, buy into and implement it] to detect and deal with, by whatever means, specific IP traffic types on a per-type basis on any port. The sad reality of this, as evidenced by the over 2000 Internet 'specifications' known as RFCs that already exist and can be and are ignored at will, is that there is virtually nothing in place to get everyone to agree to and follow much of anything, there is absolutely nothing in the way of enforcing it even if we could get everyone to agree and, lacking that, there's simply no way to make it happen that the spammers cannot easily devise and implement - in a very short time - a 'work-around' for.
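One defensive response to the point above about bots talking SMTP on non-standard ports, as an added example that is not part of the article or of any commenter's text: flag internal hosts by the detected application protocol rather than the destination port. It assumes a hypothetical DPI-style flow format and uses constructed sample records.

```python
from collections import defaultdict

# Constructed flow records in a hypothetical DPI-style format:
# '<src_ip> <dst_ip> <dst_port> <detected_protocol>'. 10.0.0.5 acts like a
# spam bot (many peers, SMTP on odd ports); 10.0.0.9 like a real relay.
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.10 25 smtp
10.0.0.5 198.51.100.11 25 smtp
10.0.0.5 203.0.113.40 2525 smtp
10.0.0.5 203.0.113.41 8080 smtp
10.0.0.5 203.0.113.42 443 smtp
10.0.0.9 198.51.100.20 25 smtp
10.0.0.9 198.51.100.21 25 smtp
10.0.0.7 203.0.113.50 443 tls
10.0.0.7 203.0.113.51 80 http
"""

SMTP_PORTS = {25, 465, 587}  # IANA-assigned SMTP/submission ports


def parse_flows(text):
    """Yield (src, dst, dport, proto); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3].lower()


def flag_spam_bots(text, max_smtp_peers=3, allowed_relays=()):
    """Return {src: [reasons]} for hosts whose egress looks like a spam bot.
    Signals key on detected protocol, not port: SMTP to a non-standard port,
    or to more than max_smtp_peers hosts; allowed_relays (real MTAs) skipped.
    """
    peers, odd_ports = defaultdict(set), defaultdict(set)
    for src, dst, dport, proto in parse_flows(text):
        if proto != "smtp" or src in allowed_relays:
            continue
        peers[src].add(dst)
        if dport not in SMTP_PORTS:
            odd_ports[src].add(dport)
    findings = {}
    for src, dsts in peers.items():
        reasons = []
        if odd_ports[src]:
            reasons.append(f"smtp on non-standard ports {sorted(odd_ports[src])}")
        if len(dsts) > max_smtp_peers:
            reasons.append(f"smtp to {len(dsts)} distinct hosts")
        if reasons:
            findings[src] = reasons
    return findings
```

Pair the detector with an egress rule that only the listed relays may speak SMTP outbound, so a flagged host is contained as well as reported.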
by pauljweighell November 27, 2008 1:41 PM PST
Frightening. I wish we had all charged 1c per email when the SMTP system was set up. I know spammers would have used stolen card details, but that would at least have been one more handle to track and erase them. For spam we must blame free email and suffer....
by humanssssss November 28, 2008 2:51 AM PST
You are dumb. Why should a person sending out an email be charged $0.01? There's a logical fallacy here because the person sending out the email is paying to send the email based on the amount of bandwidth he paid for.

A better solution to the problem is that people only read emails that they deem worthy to them. Meaning, if the amount paid to read the email is not higher than a certain amount, you won't read it.

I personally don't read email from anybody when I don't like them. This includes the government.

Why do people insist on reading emails that hurt them? People shouldn't be dumb. If emails make you mad, don't read them. If you already read it, don't read it again. People aren't dumb. They know what is good for them and not good for them. There are some people who are very dumb; they just read every email.
by mcugaedu November 28, 2008 7:08 AM PST
That's exactly right. E-mail is not "free," the costs are just imposed on the wrong people. The reason there is spam is that the cost of transmitting e-mail is not imposed on the sender. Instead, the cost of e-mail is incurred mostly at the receiving end.

I think the best approach to spammers would be more good old-fashioned law enforcement. Almost all of them are obviously violating existing laws against fraud, misrepresentation, illegal drug sales, etc., and if they're selling anything, it should be easy to make a purchase and follow the money trail.
by mcugaedu November 28, 2008 7:11 AM PST
...What I mean is that "pauljweighell" is exactly right. The accompanying comments from "humanssssss" do not make sense. How are people supposed to know what is in e-mail without reading it? And does "humanssssss" even know that it costs money to deliver e-mail -- costs that are incurred before the recipient reads it?
by Rustedbird November 28, 2008 7:38 AM PST
I was a network operator, not systems. But I only sat ten feet from that group. Just not reading spam doesn't work. Not if, as part of work, one is required to go through at least the subjects to weed 'em out. It also puts an incredible load on the mail servers.

Maybe a penny an email might work, but if someone didn't secure their PC so it gets hijacked by a bot, that could be painful. Yeah, some places do black hole an entire country. At one time, we cut off the entire UK.

The best bet is to report the spam you get, practice common-sense stuff (never reply to it, understand what is phish, and just be aware of scams). Also use an email client that can show the message as text and disable the HTML completely.

Don't open any attachments. Again, Do Not Open Attachments.

Sam Spade is an excellent tool for playing around with suspect emails.