Spammers Trying To Regain Control Over Cut Off Spam Bots

from the the-battle-is-on dept

Last week, there was a lot of attention on the shutdown of McColo, a hosting company that was apparently used by a huge number of spammers to control some of the largest zombie botnets out there. While we were initially skeptical of just how big an impact this had (the press and some antispammers have “cried wolf” far too many times in the past about the impact of shutting down particular spam operations), the evidence in the days that followed suggested that an awful lot of the world’s spam was indeed controlled via McColo. The Washington Post, which kicked off the shutdown by presenting evidence of McColo’s spam connections to its upstream providers, is now digging deeper into how the whole operation worked.

Burying the lede a bit, the article notes that McColo actually came back online briefly this past weekend, and spammers apparently moved quickly to transfer data to Russian servers while trying to update various botnets to take commands from those servers rather than from the cut-off McColo servers. There is some speculation that McColo timed the reconnect for weekend hours, when most working stiffs wouldn’t notice. However, Swedish telco TeliaSonera, which provided the connection (thanks to an old agreement between the two firms), pulled the plug within hours of being notified.

It’s also worth noting that McColo hasn’t made any public statement since this whole situation came about, which certainly raises questions about how much the folks who ran the company knew about how their network was being used. Even though it sounds like spammers may not have regained full control over their botnets, it seems likely that they regained some, and spam levels are likely to get back to where they were in rather short order.

Companies: mccolo


Comments on “Spammers Trying To Regain Control Over Cut Off Spam Bots”

Anonymous Coward says:

Re: Re: the relief is only temporary

“If the infected owners didn’t notice their machines were zombies sending out millions of spams, what makes you think they would suddenly notice when they stop sending spam?”

Nothing, and that was my point. It is only a matter of time before the botnet is back up to full strength.

And the spammers will probably incorporate a multi-homed control mechanism in order to avoid similar attacks.

So – basically it was all a waste of time.

magscanner (profile) says:

McColo, Ownership, Silence From

McColo is registered in Delaware, and the official location for the corporation there is actually SIMILEX, a company that provides incorporation-of-convenience services. You could look it up.

I suspect the registrants of record will just be dummy names, and the actual ownership is in Russia. Oddly enough, no one has seemed to want to look into this. Similex has their phone number on their website.

Richard Ahlquist (profile) says:

Re: McColo, Ownership, Silence From

Oh come now, surely you jest! Why would anyone want to investigate a shady shell of a company with remote control of tens of thousands of security compromised systems? Why should anyone be concerned about that? Who’s to say maybe this spam operation is funding terrorists? Then again maybe its funding the Easter bunny….

Art says:

I don't buy it

The whole story doesn’t fit with what I saw in my Yahoo mail. I’ve had SpamGuard set to automatically delete all suspected spam for years, but about a month and a half ago I changed this so that spam actually went into my spam folder. Since I wasn’t used to seeing spam messages there, and I manually emptied the folder each morning, I was acutely aware of how many new messages arrived each night.

The number was very consistently around 15 overnight and 10 more during the day. Then, during the 3-4 days prior to the story breaking, the number of spam emails dropped to only 2-3 overnight and only 3-4 more during the day. The day after the story broke though, while everyone was talking about the precipitous drop in spam volume they were seeing, I was already seeing normal spam levels. Within another day or two I was seeing 25 spams overnight and a similar number during the day.

Now, while everyone is still saying the thing isn’t back to full strength, I’m seeing 30 spams overnight and I can hardly refresh my email without finding a new one during the day. My level is now double what it was prior to the takedown. Something doesn’t jibe with the timeline, levels, and story.

JustSaying says:

Re: I don't buy it

Your inbox isn’t a good indicator. Yahoo already blocks spam and if they were already effective at blocking most spam you wouldn’t see much of a change in your inbox. The change that was seen was by the people that actually block the spam. The amount of connections and attempts at delivery went way down. I certainly saw it here on our spam filter.

A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.

And the press is going to get away with it. That is a shame.
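The commenter’s point above is that inbox counts measure what got past the filter, not how much was thrown at the mail server; the visible drop after the McColo cutoff showed up in raw SMTP connection attempts and DNSBL rejects at the edge. The following is an added example (not from the original post or from any tool named on this page) that illustrates that measurement on constructed Postfix-style smtpd log lines: it counts connects, rejects and accepted sessions per day and compares a given day against a baseline. The log lines, host names, IPs and the DNSBL name are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd log lines for illustration only (RFC 5737
# documentation addresses, a made-up DNSBL). Two "baseline" days with three
# bot connects each, then a day after the cutoff with only one.
SAMPLE_LOG = """\
Nov 09 01:02:11 mx1 postfix/smtpd[4011]: connect from unknown[198.51.100.23]
Nov 09 01:02:12 mx1 postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using bl.example.net
Nov 09 01:05:40 mx1 postfix/smtpd[4012]: connect from unknown[198.51.100.77]
Nov 09 01:05:41 mx1 postfix/smtpd[4012]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 Service unavailable; Client host [198.51.100.77] blocked using bl.example.net
Nov 09 03:40:09 mx1 postfix/smtpd[4015]: connect from unknown[198.51.100.140]
Nov 09 03:40:10 mx1 postfix/smtpd[4015]: NOQUEUE: reject: RCPT from unknown[198.51.100.140]: 554 5.7.1 Service unavailable; Client host [198.51.100.140] blocked using bl.example.net
Nov 09 09:15:02 mx1 postfix/smtpd[4020]: connect from mail.example.org[203.0.113.5]
Nov 09 09:15:03 mx1 postfix/smtpd[4020]: 3F2A1C5B: client=mail.example.org[203.0.113.5]
Nov 10 00:58:31 mx1 postfix/smtpd[4101]: connect from unknown[198.51.100.23]
Nov 10 00:58:32 mx1 postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using bl.example.net
Nov 10 02:12:07 mx1 postfix/smtpd[4103]: connect from unknown[198.51.100.88]
Nov 10 02:12:08 mx1 postfix/smtpd[4103]: NOQUEUE: reject: RCPT from unknown[198.51.100.88]: 554 5.7.1 Service unavailable; Client host [198.51.100.88] blocked using bl.example.net
Nov 10 04:33:50 mx1 postfix/smtpd[4108]: connect from unknown[198.51.100.140]
Nov 10 04:33:51 mx1 postfix/smtpd[4108]: NOQUEUE: reject: RCPT from unknown[198.51.100.140]: 554 5.7.1 Service unavailable; Client host [198.51.100.140] blocked using bl.example.net
Nov 10 10:02:44 mx1 postfix/smtpd[4120]: connect from mail.example.org[203.0.113.5]
Nov 10 10:02:45 mx1 postfix/smtpd[4120]: 7A91D0E2: client=mail.example.org[203.0.113.5]
Nov 12 01:47:19 mx1 postfix/smtpd[4301]: connect from unknown[198.51.100.23]
Nov 12 01:47:20 mx1 postfix/smtpd[4301]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using bl.example.net
Nov 12 09:30:55 mx1 postfix/smtpd[4310]: connect from mail.example.org[203.0.113.5]
Nov 12 09:30:56 mx1 postfix/smtpd[4310]: B4C7F013: client=mail.example.org[203.0.113.5]
"""

# syslog timestamp, host, smtpd process, then the message body
LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} \d{2}) \d{2}:\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def daily_counts(log_text):
    """Return {day: {"connect": n, "reject": n, "accept": n, "clients": n}}.

    connect = inbound SMTP sessions, reject = sessions refused before queueing
    (DNSBL hits etc.), accept = sessions that reached a queued message,
    clients = distinct connecting IPs. This is the edge view the inbox never shows.
    """
    counts = defaultdict(lambda: {"connect": 0, "reject": 0, "accept": 0})
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smtpd line; ignore
        day, msg = m.group("day"), m.group("msg")
        if msg.startswith("connect from"):
            counts[day]["connect"] += 1
            ip = IP_RE.search(msg)
            if ip:
                clients[day].add(ip.group(1))
        elif "NOQUEUE: reject:" in msg:
            counts[day]["reject"] += 1
        elif "client=" in msg:
            counts[day]["accept"] += 1
    return {day: dict(c, clients=len(clients[day])) for day, c in counts.items()}


def drop_ratio(counts, baseline_days, day, metric):
    """Fractional drop of `metric` on `day` versus the mean over baseline_days.

    0.5 means the metric halved; 0.0 means no change; negative means it rose.
    """
    baseline = sum(counts[d][metric] for d in baseline_days) / len(baseline_days)
    if baseline == 0:
        return 0.0
    return 1.0 - counts[day][metric] / baseline


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    for day in sorted(counts):
        print(day, counts[day])
    baseline = ["Nov 09", "Nov 10"]
    for metric in ("connect", "reject", "accept"):
        print(f"{metric}: {drop_ratio(counts, baseline, 'Nov 12', metric):.0%} drop vs baseline")
```

Run against the constructed sample, connection attempts and rejects on Nov 12 fall well below the two-day baseline while accepted (legitimate) sessions are unchanged, which is exactly the pattern that is invisible from a mailbox that only ever sees what the filter let through. On a real Postfix host the same two functions can be pointed at /var/log/mail.log; the line formats used here are the standard smtpd connect, NOQUEUE reject and client= messages.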

mr206 says:

Re: Re: I don't buy it

A side note, there is no way that Global Crossing and Hurricane Electric did not know that McColo was doing this. They just ignored it and cashed the checks until it became a Newspaper/PR issue.

Very true. HE provides the upstream for several gray providers that allow affiliate and click marketers to buy and sell email addresses. HE doesn’t accept SpamCop reports and they don’t respond to email/calls… as long as they get their monthly payment, they don’t give a sh*t. You can be assured the only reason they severed ties was because of the press. Maybe more journalists like Brian @ the W.P. need to get on these guys..

Basic Problem says:


I just started using SpamCop, and it’s gratifying, but the greatest proportion of my worst spam comes through IPs owned by one provider (and they don’t appear to take SpamCop reports — the report always goes to /dev/null). Now, the traditional anti-spam instruction pages always say you have to contact the provider first — but sometimes the provider is part of the spamming org and is all too happy to have your address, headers, etc. Especially when I get spam from one place over and over (“Alexander Global Media,” anyone?) and they don’t take SpamCop reports, I am not comfortable contacting them directly. SpamCop does anonymize the report, which I appreciate. But it doesn’t have any effect on the provider, which I think is gray.

So I can safely report in ways that are inconsequential to them (Lunar…), or expose myself to possible risk in the course of trying to build a case strong enough for inclusion on, say, a MAPS blacklist. But I can’t safely do anything of consequence.

Does anyone know of a solution to this dilemma? Why don’t we have real cops out there — not just the FTC, which is interested in fraud, etc., done through spam — but for the spamming itself? If they’re out there, I can’t find them. So far. I know the law is weak, but even community cops that lead to shutdown would be better than this.
