Computer Crime Research Center


Answers Trickle Out as Spammer Networks Remain Compromised

Date: November 19, 2008

At about 4:30 p.m. Eastern time last Tuesday, the volume of junk e-mail arriving at inboxes around the world suddenly plummeted by about 65 percent. Confronted with information that one Silicon Valley computer firm was hosting organizations that controlled the distribution of much of the world's spam, Internet service providers pulled the plug and McColo Corp., the hosting firm, went dark.

By most accounts, the volume of spam has remained at far diminished levels, though experts say they expect spam to soon bounce back, or even exceed previous levels. But the question remains: How could such a massive concentration of spam activity be hosted for so long by servers at a single U.S.-based facility, in the belly of the security and tech community in Silicon Valley?

The answer exemplifies how complex the battle against spam has become.

Like other hosting firms, McColo -- which has not been charged with any crime -- assigns certain Internet addresses for its clients' computers to use. But spam often does not come directly from those computers, according to security experts who have documented the activity. Rather, firms such as McColo host a number of key Internet servers -- computers that control networks of computers. Those networks are used by their respective owners to turn hundreds of thousands of compromised PCs into spam distributors, the experts said.

According to security service providers including the Atlanta-based SecureWorks, some of the largest collections of hacked PCs, known as robot networks or "botnets," may have had their master control servers hosted at McColo. McColo officials did not respond to requests for comment.

Botnets typically are rented out to junk e-mail purveyors. The spammers then sign in remotely to control servers and use them to send billions of e-mails a day, touting everything from knock-off pharmaceuticals and designer goods to pornography and get-rich-quick scams.

But when McColo was taken offline by its Internet providers, so too were all of the botnet control servers located there, security experts said.

Joe Stewart, director of malware research for SecureWorks, said some botnets might remain disconnected. The three largest spam botnets on the Internet appear to be stranded and unable to contact more than a small number of their control servers, according to Marshal, a computer security firm in the United Kingdom that tracks bot activity.

The shutting down of McColo may have also slowed one of the most aggressive e-mail-address harvesting services, anti-spam groups said. Matthew Prince, chief executive of Unspam Technologies and founder of Project Honey Pot, a collaborative effort that gathers intelligence about the world's largest spam networks, said that since June 2006, crawler bots hosted at McColo were responsible for more than 30 million spam messages sent to the project's e-mail traps.
