Spammers Trying To Regain Control Over Cut Off Spam Bots
from the the-battle-is-on dept
Last week, there was a lot of attention over the shutdown of McColo, a hosting company that was apparently used by a huge number of spammers to control some of the largest zombie botnets out there. While we were initially skeptical of just how big an impact this had (the press and some antispammers have “cried wolf” way too many times in the past on the impact of shutting down certain spam operations), the evidence in the days that followed suggested, indeed, that an awful lot of the world’s spam was controlled via McColo. The Washington Post, which kicked off the shutdown by presenting evidence of McColo’s spam connections to its upstream providers, is now digging deeper into how the whole operation worked.
Burying the lede a bit, the article notes that McColo actually came back online briefly this past weekend, and apparently spammers very quickly worked to transfer data to Russian servers while trying to update various botnets to take commands from those servers, rather than the cut-off McColo servers. There’s some speculation that McColo tried to time the reconnect to weekend hours when most working stiffs wouldn’t notice. However, Swedish telco TeliaSonera, which provided the connection (thanks to an old agreement the two firms had), pulled the plug within hours of being notified.
It’s also worth noting that McColo hasn’t made any public statements since this whole situation came about, which certainly raises questions about how much the folks who ran the company knew about how their network was being used. Even though it sounds like spammers may not have been able to regain full control over their botnets, it seems likely that they did regain some control, and spam levels are likely to get back to where they were in rather short order.
Comments on “Spammers Trying To Regain Control Over Cut Off Spam Bots”
It’s still looking pretty good up to this point!
http://www.spamcop.net/spamgraph.shtml?spammonth
the relief is only temporary
Unless the vulnerable machines have been fixed.
Re: the relief is only temporary
If the infected owners didn’t notice their machines were zombies sending out millions of spams, what makes you think they would suddenly notice when they stop sending spam?
Re: Re: the relief is only temporary
“If the infected owners didn’t notice their machines were zombies sending out millions of spams, what makes you think they would suddenly notice when they stop sending spam?”
Nothing, and that was my point. It is only a matter of time before the botnet is back up to full strength.
And the spammers will probably incorporate a multi-homed control mechanism in order to avoid similar attacks.
So – basically it was all a waste of time.
Re: Re: the relief is only temporary
Because each individual machine does not SEND ‘millions of spams’, botnets have millions of machines sending small amounts. Think distributed computing.
uptime
I forget where, maybe Wired?, I read it, but it was stated that the McColo operation was back up and running for a full twelve hours again before being shut down. That’s a large chunk of time and data being transferred to Russia to re-establish command and control. Bummer.
McColo, Ownership, Silence From
McColo is registered in Delaware, and the official location for the corporation there is actually SIMILEX, a company that provides incorporation-of-convenience services. You could look it up.
I suspect the registrants of record will just be dummy names, and the actual ownership is in Russia. Oddly enough, no one has seemed to want to look into this. Similex has their phone number on their website.
Re: McColo, Ownership, Silence From
Oh come now, surely you jest! Why would anyone want to investigate a shady shell of a company with remote control of tens of thousands of security-compromised systems? Why should anyone be concerned about that? Who’s to say maybe this spam operation is funding terrorists? Then again maybe it’s funding the Easter bunny….
I don't buy it
The whole story doesn’t fit with what I saw in my Yahoo mail. I’ve had SpamGuard set to automatically delete all suspected spam for years, but about a month and a half ago I changed this so that spam actually went into my spam folder. Since I wasn’t used to seeing spam messages there, and I manually emptied the folder each morning, I was acutely aware of how many new messages arrived each night.
The number was very consistently around 15 overnight and 10 more during the day. Then, during the 3-4 days prior to the story breaking, the number of spam emails dropped to only 2-3 overnight and only 3-4 more during the day. The day after the story broke though, while everyone was talking about the precipitous drop in spam volume they were seeing, I was already seeing normal spam levels. Within another day or two I was seeing 25 spams overnight and a similar number during the day.
Now, while everyone is still saying the thing isn’t back to full strength, I’m seeing 30 spams overnight and I can hardly refresh my email without finding a new one during the day. My level is now double what it was prior to the takedown. Something doesn’t jibe with the timeline, levels, and story.
Re: I don't buy it
Your anecdotal evidence of an individual account is too small a data set. Numerous large receiving sites and DNSBLs have noted the attenuation.
Re: I don't buy it
Your inbox isn’t a good indicator. Yahoo already blocks spam, and if they were already effective at blocking most spam you wouldn’t see much of a change in your inbox. The change that was seen was by the people that actually block the spam. The number of connections and attempts at delivery went way down. I certainly saw it here on our spam filter.
A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.
And the press is going to get away with it. That is a shame.
Re: Re: I don't buy it
A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.
Very true. HE provides the upstream for several gray providers that allow affiliate and click marketers to buy and sell email addresses. HE doesn’t accept SpamCop reports and they don’t respond to email/calls… as long as they get their monthly payment, they don’t give a sh*t. You can be assured the only reason they severed ties was because of the press. Maybe more journalists like Brian @ the W.P. need to get on these guys..
I still get 100 spams a day, but with the spam filters that Gmail uses, they all go into the spam box and I delete them with 1 click.
My spam count has noticeably been down the past month for sure. Hooray!
Tell me again why spamming isn’t punishable by the death penalty?
methodology
I just started using SpamCop, and it’s gratifying, but the greatest proportion of my worst spam comes through IPs owned by one provider (Lunarpages.com) and they don’t appear to take SpamCop reports — the report always goes to /dev/null. Now, the traditional anti-spam instruction pages always say you have to contact the provider first — but sometimes the provider is part of the spamming org and is all too happy to have your address, headers, etc. Especially when I get spam from one place over and over (“Alexander Global Media,” anyone?) and they don’t take SpamCop reports, I am not comfortable contacting them directly. SpamCop does anonymize the report, which I appreciate. But it doesn’t have any effect on the provider, which I think is gray.
So I can safely report in ways that are inconsequential to them (Lunar…), or expose myself to possible risk in the course of trying to build a case strong enough for inclusion on, say, a MAPS blacklist. But I can’t safely do anything of consequence.
Does anyone know of a solution to this dilemma? Why don’t we have real cops out there — not just the FTC, which is interested in fraud, etc., done through spam — but for the spamming itself? If they’re out there, I can’t find them. So far. I know the law is weak, but even community cops that lead to shutdown would be better than this.
They'll be back!
I would bet in 3 months it will be back to where it was or even worse. Personally, I have not noticed a drop-off. I was just looking at my stats in SpamBully and it seems just as much spam is trying to hit me as before.