Spammers Trying To Regain Control Over Cut Off Spam Bots

from the the-battle-is-on dept

Wed, Nov 19th 2008 6:32pm — Mike Masnick

Last week, there was a lot of attention over the shutdown of McColo, a hosting company that was apparently used by a huge number of spammers to control some of the largest zombie botnets out there. While we were initially skeptical of just how big an impact this had (the press and some antispammers have "cried wolf" way too many times in the past on the impact of shutting down certain spam operations), the evidence in the days that followed suggested, indeed, that an awful lot of the world's spam was controlled via McColo. The Washington Post, which kicked off the shutdown by presenting evidence of McColo's spam connections to its upstream providers, is now digging deeper into how the whole operation worked.

Burying the lede a bit, the article notes that McColo actually came back online briefly this past weekend, and apparently spammers very quickly worked to transfer data to Russian servers while trying to update various botnets to take commands from those servers, rather than the cut off McColo servers. There's some speculation that McColo tried to time the reconnect to weekend hours when most working stiffs wouldn't notice. However, Swedish telco TeliaSonera, who provided the connection (thanks to an old agreement the two firms had) pulled the plug within hours of being notified.

It's also worth noting that McColo hasn't made any public statements since this whole situation came about, which certainly raises questions about how much the folks who ran the company knew about how their network was being used. Even though it sounds like spammers may not have been able to regain full control over their botnets, it seems likely that they did regain some control, and spam levels are likely to get back to where they were in rather short order.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: spam, spammers
Companies: mccolo

16 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

TEA-Time, 19 Nov 2008 @ 6:54pm

It's still looking pretty good up to this point!

http://www.spamcop.net/spamgraph.shtml?spammonth
[ link to this | view in thread ]
Anonymous Coward, 19 Nov 2008 @ 7:09pm

the relief is only temporary
Unless the vulnerable machines have been fixed.
[ link to this | view in thread ]
some old guy, 19 Nov 2008 @ 7:19pm

Re: the relief is only temporary
If the infected owners didnt notice their machines were zombies sending out millions of spams, what makes you think they would suddenly notice when they stop sending spam?
[ link to this | view in thread ]
robin, 19 Nov 2008 @ 7:45pm

uptime
i forget where, maybe wired?, i read it but it was stated that the mccolo operation was back up and running for a full twelve hours again before being shut down. that's a large chunk of time and data being transferred to russia to re-establish command and control. bummer
[ link to this | view in thread ]
Anonymous Coward, 19 Nov 2008 @ 9:01pm

Re: Re: the relief is only temporary
"If the infected owners didnt notice their machines were zombies sending out millions of spams, what makes you think they would suddenly notice when they stop sending spam?"

Nothing, and that was my point. It is only a matter of time before the botnet is back up to full strength.

And the spammers will probably incorporate a multi-homed control mechanism in order to avoid similar attacks.

So - basically it was all a waste of time.
[ link to this | view in thread ]
magscanner, 19 Nov 2008 @ 9:42pm

McColo, Ownership, Silence From
McColo is registered in Delaware, and the official location for the corporation there is actually SIMILEX, a company that provides incorporation-of-convenience services. You could look it up.

I suspect the registrants of record will just be dummy names, and the actual ownership is in Russia. Oddly enough, no one has seemed to want to look into this. Similex has their phone number on their website.
[ link to this | view in thread ]
Art, 20 Nov 2008 @ 4:40am

I don't buy it
The whole story doesn't fit with what I saw in my yahoo mail. I've had spamguard set to automatically delete all suspected spam for years, but about a month and a half ago I changed this so that spam actually went into my spam folder. Since I wasn't used to seeing spam messages there, and I manually emptied the folder each morning, I was accutely aware of how many new messages arrived each night.

The number was very consistently around 15 overnight and 10 more during the day. Then, during the 3-4 days prior to the story breaking, the number of spam emails dropped to only 2-3 overnight and only 3-4 more during the day. The day after the story broke though, while everyone was talking about the precipitous drop in spam volume they were seeing, I was already seeing normal spam levels. Within another day or two I was seeing 25 spams overnight and a similar number during the day.

Now, while everyone is still saying the thing isn't back to full strength, I'm seeing 30 spams overnight and I can't hardly refresh my email without finding a new one during the day. My level is now double what it was prior to the takedown. Something doesn't jive with the timeline, levels, and story.
[ link to this | view in thread ]
Richard Ahlquist (profile), 20 Nov 2008 @ 5:03am

Re: McColo, Ownership, Silence From
Oh come now, surely you jest! Why would anyone want to investigate a shady shell of a company with remote control of tens of thousands of security compromised systems? Why should anyone be concerned about that? Who's to say maybe this spam operation is funding terrorists? Then again maybe its funding the Easter bunny....
[ link to this | view in thread ]
Neil Schwartzman, 20 Nov 2008 @ 5:41am

Re: Re: the relief is only temporary
Because each individual machine does not SEND 'millions of spams', botnets have millions of machines sending mall amounts. Think distributed computing.
[ link to this | view in thread ]
Neil Schwartzman, 20 Nov 2008 @ 5:44am

Re: I don't buy it
Your anecdotal evidence of an individual account is too small a data-set. Numerous large receiving sites and DNSBLs have noted the attenuation.
[ link to this | view in thread ]
JustSaying, 20 Nov 2008 @ 6:37am

Re: I don't buy it
Your inbox isn't a good indicator. Yahoo already blocks spam and if they were already effective at blocking most spam you wouldn't see much of a change in your inbox. The change that was seen was by the people that actually block the spam. The amount of connections and attempts at delivery went way down. I certainly saw it here on our spam filter.

A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.

And the press is going to get away with it. That is a shame.
[ link to this | view in thread ]
Anonymous Coward, 20 Nov 2008 @ 7:24am

I still get 100 spams a day, but with spam filters that gnail uses, they all go into the spam box and I delete them with 1 click.
[ link to this | view in thread ]
Zuke, 20 Nov 2008 @ 9:37am

My spam count has noticeably been down the past month for sure. Hooray!

Tell me again why spamming isn't punishable by the death penalty?
[ link to this | view in thread ]
mr206, 20 Nov 2008 @ 9:47am

Re: Re: I don't buy it
A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.

Very true. HE provides the upstream for several gray providers that allow affiliate and click marketers to buy and sell email addresses. HE doesn't accept SpamCop reports and they don't respond to email/calls... as long as they get their monthly payment, they don't give a sh*t. You can be assured the noly reason they severed ties was because of the press. Maybe more journalists like Brian @ the W.P. need to get on these guys..
[ link to this | view in thread ]
Basic Problem, 20 Nov 2008 @ 3:18pm

methodology
I just started using SpamCop, and it's gratifying, but the greatest proportion of my worst spam comes through IP's owned by one provider (Lunarpages.com) and they don't appear to take SpamCop reports -- the report always goes to dev/null. Now, the traditional anti-spam instruction pages always say, you have to contact the provider first -- but sometimes the provider is part of the spamming org and is all too happy to have your address, headers, etc. Especially when I get spam from one place over and over ("Alexander Global Media," anyone?) and they don't take SpamCop reports, I am not comfortable contacting them directly. SpamCop does anonymize the report, which I appreciate. But it doesn't have any effect on the provider, which I think is gray.

So I can safely report in ways that are inconsequential to them (Lunar...), or expose myself to possible risk in the course of trying to build a case strong enough for inclusion on, say, a MAPS blacklist. But I can't safely do anything of consequence.

Does anyone know of a solution to this dilemma? Why don't we have real cops out there -- not just the FTC, which is interested in fraud, etc., done through spam -- but for the spamming itself? If they're out there, I can't find them. So far. I know the law is weak, but even community cops that lead to shutdown would be better than this.
[ link to this | view in thread ]
Fred, 21 Nov 2008 @ 12:22pm

They'll be back!
I would be in 3 months it will be back to where it was or even worse. Personally, I have not noticed a drop off. Was just looking at my stats in SpamBUlly and seems just as much spam trying to hit me as before.
[ link to this | view in thread ]