How does the total amount of spam drop by 50 percent in one fell swoop? To help explain, I refer you to Brian Krebs’ (Washington Post) article “Host of Internet Spam Groups Is Cut Off,” where he gives a high-level account of what caused the dramatic decrease in delivered spam. Krebs wrote a follow-up piece, “A Closer Look at McColo,” that goes into specific details, and needless to say it’s pretty amazing.

McColo reportedly just a conduit

Several sources have stated that McColo Corp is the major North American host for international firms that control millions of subverted computers. Reportedly, these botnets are used to deliver spam focused on selling pharmaceuticals, designer goods, fake security documents, and worse things.

Krebs even gets specific about the activity at McColo by quoting security expert Joe Stewart (whom I have a great deal of respect for) of SecureWorks in his second article:

“The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that were used by some of the most active and notorious spam-spewing botnets–agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world’s spam on any given day. In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.”

The above quote refers to the following diagram (courtesy of Brian Krebs and the Washington Post)

Details of McColo’s involvement

Security experts aren’t surprised, because they have known about McColo’s involvement with botnets and spam for years. In fact, McColo has quite a solid reputation for reliably supporting command-and-control servers for several of the most prolific botnets in history. Once again, Brian Krebs brings this into perspective:

“Multiple security researchers have recently published data, naming McColo as the host for all of the top robot networks or “botnets,” These include SecureWorks, FireEye and ThreatExpert.

Joe Stewart (SecureWorks) said that these known botnets: Mega-D, Srizbi, Pushdo, Rustock and Warezov, have their master servers hosted at McColo.”

What happened?

In what I would consider unique circumstances, Global Crossing and Hurricane Electric, the two ISPs providing Internet access for McColo, took it upon themselves to sever all connections to the facility. What happened after that was dramatic to say the least. Check out the following graph (courtesy of SpamCop); I’ll let you decide if this graph is more dramatic than those depicting Wall Street’s performance over the past few months:

What makes this situation rather unique is the response by the ISPs. It wasn’t motivated by legal action, but due largely to Brian Krebs and other experts bringing it to the attention of businesses and the general public. Along with Krebs’ articles, many credit’s second annual Cyber Crime report (focused heavily on the activities at McColo) as incentive enough for the ISPs to shut down McColo. One of the ISPs, Global Crossing, declined to discuss the matter, but Krebs was able to get the following quote from Benny Ng, director of marketing for Hurricane Electric:

“We shut them down. We looked into it a bit, saw the size and scope of the problem the was reporting and said ‘Holy cow!’ Within the hour we had terminated all of our connections to them.”

No legal involvement

As I pointed out earlier, there’s no legal activity being publicly acknowledged at this time. One can sense the lack of precedence, and Krebs makes mention of this fact as well:

“Also unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, D.C., said Web hosting providers are generally not liable for illegal activity carried out on their networks, except in cases involving copyright violations and child pornography.”

Simply amazed

This is my first encounter with what it actually means to shut down a command-and-control center for several high-volume spam botnets. It feels like a victory for the good guys. Yet it’s actually just a drop in the bucket, when one looks at the overall picture. I’ll let Nilesh Bhandari, product manager with IronPort explain:

“IronPort sees an average of about 190 billion spam e-mails each day. Then, at around 4:30 p.m. ET yesterday (when McColo was shut down), IronPort saw a huge decline in spam levels. For the 24 hour period ending Tuesday, the company tracked about 112 billion spam messages.”

Gee, only 112 billion spam messages a day.

Final thoughts

Most experts agreed that this victory was going to be a short-lived one. Prophetically, as of Nov. 15, 2008, McColo was back on-line. Ironically, experts are divided about this. Some were concerned that shutting McColo down would force the bot-masters to locate the command-and-control servers at multiple hosting sites, making them harder to track. It sounds like the experts know about Sun Tzu and his quote “Keep your friends close and your enemies closer.”

Finally, I’m still trying to comprehend the fact that shutting down one command-and-control facility eliminated 78 billion spam messages per day.

Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic’s Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!