Spammers Trying To Regain Control Over Cut Off Spam Bots

from the the-battle-is-on dept

Last week, a lot of attention was paid to the shutdown of McColo, a hosting company that was apparently used by a huge number of spammers to control some of the largest zombie botnets out there. While we were initially skeptical of just how big an impact this had (the press and some antispammers have "cried wolf" far too many times in the past about the impact of shutting down certain spam operations), the evidence in the days that followed suggested that, indeed, an awful lot of the world's spam was controlled via McColo. The Washington Post, which kicked off the shutdown by presenting evidence of McColo's spam connections to its upstream providers, is now digging deeper into how the whole operation worked.

Burying the lede a bit, the article notes that McColo actually came back online briefly this past weekend, and spammers apparently worked very quickly to transfer data to Russian servers while trying to update various botnets to take commands from those servers rather than from the cut-off McColo servers. There is some speculation that McColo tried to time the reconnect to weekend hours, when most working stiffs wouldn't notice. However, Swedish telco TeliaSonera, which provided the connection (thanks to an old agreement between the two firms), pulled the plug within hours of being notified.

It's also worth noting that McColo hasn't made any public statement since this whole situation came about, which certainly raises questions about how much the folks who ran the company knew about how their network was being used. Even though it sounds like spammers may not have been able to regain full control over their botnets, it seems likely that they did regain some control, and spam levels are likely to get back to where they were in rather short order.


Reader Comments

  1.  TEA-Time, Nov 19th, 2008 @ 6:54pm

    It's still looking pretty good up to this point!

    http://www.spamcop.net/spamgraph.shtml?spammonth


  2.  Anonymous Coward, Nov 19th, 2008 @ 7:09pm

    the relief is only temporary

    Unless the vulnerable machines have been fixed.


  3.  some old guy, Nov 19th, 2008 @ 7:19pm

    Re: the relief is only temporary

    If the infected owners didn't notice their machines were zombies sending out millions of spams, what makes you think they would suddenly notice when they stop sending spam?


  4.  robin, Nov 19th, 2008 @ 7:45pm

    uptime

    i forget where, maybe Wired?, i read it but it was stated that the McColo operation was back up and running for a full twelve hours again before being shut down. that's a large chunk of time and data being transferred to Russia to re-establish command and control. bummer


  5.  Anonymous Coward, Nov 19th, 2008 @ 9:01pm

    Re: Re: the relief is only temporary

    "If the infected owners didn't notice their machines were zombies sending out millions of spams, what makes you think they would suddenly notice when they stop sending spam?"


    Nothing, and that was my point. It is only a matter of time before the botnet is back up to full strength.

    And the spammers will probably incorporate a multi-homed control mechanism in order to avoid similar attacks.

    So - basically it was all a waste of time.


  6.  magscanner, Nov 19th, 2008 @ 9:42pm

    McColo, Ownership, Silence From

    McColo is registered in Delaware, and the official location for the corporation there is actually SIMILEX, a company that provides incorporation-of-convenience services. You could look it up.

    I suspect the registrants of record will just be dummy names, and the actual ownership is in Russia. Oddly enough, no one has seemed to want to look into this. Similex has their phone number on their website.


  7.  Art, Nov 20th, 2008 @ 4:40am

    I don't buy it

    The whole story doesn't fit with what I saw in my Yahoo mail. I've had SpamGuard set to automatically delete all suspected spam for years, but about a month and a half ago I changed this so that spam actually went into my spam folder. Since I wasn't used to seeing spam messages there, and I manually emptied the folder each morning, I was acutely aware of how many new messages arrived each night.

    The number was very consistently around 15 overnight and 10 more during the day. Then, during the 3-4 days prior to the story breaking, the number of spam emails dropped to only 2-3 overnight and only 3-4 more during the day. The day after the story broke though, while everyone was talking about the precipitous drop in spam volume they were seeing, I was already seeing normal spam levels. Within another day or two I was seeing 25 spams overnight and a similar number during the day.

    Now, while everyone is still saying the thing isn't back to full strength, I'm seeing 30 spams overnight and I can hardly refresh my email without finding a new one during the day. My level is now double what it was prior to the takedown. Something doesn't jibe with the timeline, levels, and story.


  8.  Richard Ahlquist (profile), Nov 20th, 2008 @ 5:03am

    Re: McColo, Ownership, Silence From

    Oh come now, surely you jest! Why would anyone want to investigate a shady shell of a company with remote control of tens of thousands of security-compromised systems? Why should anyone be concerned about that? Who's to say maybe this spam operation is funding terrorists? Then again maybe it's funding the Easter bunny....


  9.  Neil Schwartzman, Nov 20th, 2008 @ 5:41am

    Re: Re: the relief is only temporary

    Because each individual machine does not SEND 'millions of spams'; botnets have millions of machines sending small amounts. Think distributed computing.


  10.  Neil Schwartzman, Nov 20th, 2008 @ 5:44am

    Re: I don't buy it

    Your anecdotal evidence of an individual account is too small a data-set. Numerous large receiving sites and DNSBLs have noted the attenuation.


  11.  JustSaying, Nov 20th, 2008 @ 6:37am

    Re: I don't buy it

    Your inbox isn't a good indicator. Yahoo already blocks spam and if they were already effective at blocking most spam you wouldn't see much of a change in your inbox. The change that was seen was by the people that actually block the spam. The amount of connections and attempts at delivery went way down. I certainly saw it here on our spam filter.

    A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.

    And the press is going to get away with it. That is a shame.


  12.  Anonymous Coward, Nov 20th, 2008 @ 7:24am

    I still get 100 spams a day, but with the spam filters that Gmail uses, they all go into the spam box and I delete them with 1 click.


  13.  Zuke, Nov 20th, 2008 @ 9:37am

    My spam count has noticeably been down the past month for sure. Hooray!

    Tell me again why spamming isn't punishable by the death penalty?


  14.  mr206, Nov 20th, 2008 @ 9:47am

    Re: Re: I don't buy it

    A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.


    Very true. HE provides the upstream for several gray providers that allow affiliate and click marketers to buy and sell email addresses. HE doesn't accept SpamCop reports and they don't respond to email/calls... as long as they get their monthly payment, they don't give a sh*t. You can be assured the only reason they severed ties was because of the press. Maybe more journalists like Brian @ the W.P. need to get on these guys..


  15.  Basic Problem, Nov 20th, 2008 @ 3:18pm

    methodology

    I just started using SpamCop, and it's gratifying, but the greatest proportion of my worst spam comes through IPs owned by one provider (Lunarpages.com) and they don't appear to take SpamCop reports -- the report always goes to /dev/null. Now, the traditional anti-spam instruction pages always say you have to contact the provider first -- but sometimes the provider is part of the spamming org and is all too happy to have your address, headers, etc. Especially when I get spam from one place over and over ("Alexander Global Media," anyone?) and they don't take SpamCop reports, I am not comfortable contacting them directly. SpamCop does anonymize the report, which I appreciate. But it doesn't have any effect on the provider, which I think is gray.

    So I can safely report in ways that are inconsequential to them (Lunar...), or expose myself to possible risk in the course of trying to build a case strong enough for inclusion on, say, a MAPS blacklist. But I can't safely do anything of consequence.

    Does anyone know of a solution to this dilemma? Why don't we have real cops out there -- not just the FTC, which is interested in fraud, etc., done through spam -- but for the spamming itself? If they're out there, I can't find them. So far. I know the law is weak, but even community cops that lead to shutdown would be better than this.


  16.  Fred, Nov 21st, 2008 @ 12:22pm

    They'll be back!

    I would bet in 3 months it will be back to where it was or even worse. Personally, I have not noticed a drop-off. Was just looking at my stats in SpamBully and it seems just as much spam is trying to hit me as before.


