Spammers Trying To Regain Control Over Cut Off Spam Bots
from the the-battle-is-on dept
Last week, there was a lot of attention over the shutdown of McColo, a hosting company that was apparently used by a huge number of spammers to control some of the largest zombie botnets out there. While we were initially skeptical of just how big an impact this had (the press and some antispammers have "cried wolf" way too many times in the past on the impact of shutting down certain spam operations), the evidence in the days that followed suggested, indeed, that an awful lot of the world's spam was controlled via McColo. The Washington Post, which kicked off the shutdown by presenting evidence of McColo's spam connections to its upstream providers, is now digging deeper into how the whole operation worked.Burying the lede a bit, the article notes that McColo actually came back online briefly this past weekend, and apparently spammers very quickly worked to transfer data to Russian servers while trying to update various botnets to take commands from those servers, rather than the cut off McColo servers. There's some speculation that McColo tried to time the reconnect to weekend hours when most working stiffs wouldn't notice. However, Swedish telco TeliaSonera, who provided the connection (thanks to an old agreement the two firms had) pulled the plug within hours of being notified.
It's also worth noting that McColo hasn't made any public statements since this whole situation came about, which certainly raises questions about how much the folks who ran the company knew about how their network was being used. Even though it sounds like spammers may not have been able to regain full control over their botnets, it seems likely that they did regain some control, and spam levels are likely to get back to where they were in rather short order.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
http://www.spamcop.net/spamgraph.shtml?spammonth
[ link to this | view in chronology ]
the relief is only temporary
[ link to this | view in chronology ]
Re: the relief is only temporary
[ link to this | view in chronology ]
Re: Re: the relief is only temporary
Nothing, and that was my point. It is only a matter of time before the botnet is back up to full strength.
And the spammers will probably incorporate a multi-homed control mechanism in order to avoid similar attacks.
So - basically it was all a waste of time.
[ link to this | view in chronology ]
Re: Re: the relief is only temporary
[ link to this | view in chronology ]
uptime
[ link to this | view in chronology ]
McColo, Ownership, Silence From
I suspect the registrants of record will just be dummy names, and the actual ownership is in Russia. Oddly enough, no one has seemed to want to look into this. Similex has their phone number on their website.
[ link to this | view in chronology ]
Re: McColo, Ownership, Silence From
[ link to this | view in chronology ]
I don't buy it
The number was very consistently around 15 overnight and 10 more during the day. Then, during the 3-4 days prior to the story breaking, the number of spam emails dropped to only 2-3 overnight and only 3-4 more during the day. The day after the story broke though, while everyone was talking about the precipitous drop in spam volume they were seeing, I was already seeing normal spam levels. Within another day or two I was seeing 25 spams overnight and a similar number during the day.
Now, while everyone is still saying the thing isn't back to full strength, I'm seeing 30 spams overnight and I can't hardly refresh my email without finding a new one during the day. My level is now double what it was prior to the takedown. Something doesn't jive with the timeline, levels, and story.
[ link to this | view in chronology ]
Re: I don't buy it
[ link to this | view in chronology ]
Re: I don't buy it
A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.
And the press is going to get away with it. That is a shame.
[ link to this | view in chronology ]
Re: Re: I don't buy it
Very true. HE provides the upstream for several gray providers that allow affiliate and click marketers to buy and sell email addresses. HE doesn't accept SpamCop reports and they don't respond to email/calls... as long as they get their monthly payment, they don't give a sh*t. You can be assured the noly reason they severed ties was because of the press. Maybe more journalists like Brian @ the W.P. need to get on these guys..
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Tell me again why spamming isn't punishable by the death penalty?
[ link to this | view in chronology ]
methodology
So I can safely report in ways that are inconsequential to them (Lunar...), or expose myself to possible risk in the course of trying to build a case strong enough for inclusion on, say, a MAPS blacklist. But I can't safely do anything of consequence.
Does anyone know of a solution to this dilemma? Why don't we have real cops out there -- not just the FTC, which is interested in fraud, etc., done through spam -- but for the spamming itself? If they're out there, I can't find them. So far. I know the law is weak, but even community cops that lead to shutdown would be better than this.
[ link to this | view in chronology ]
They'll be back!
[ link to this | view in chronology ]