Clarification to This Article
This story was updated from an earlier version to clarify McColo's role in hosting of suspicious sites.
Page 2 of 3   <       >

Host of Internet Spam Groups Is Cut Off

Benny Ng, director of marketing for Hurricane Electric, a Fremont, Calif., company that was the other major Internet provider for McColo, took a much stronger public stance, upon receiving information about this investigation from

We shut them down," Ng said. "We looked into it a bit, saw the size and scope of the problem [ was] reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

Paul Ferguson, a threat researcher with computer security firm Trend Micro, said despite the apparently unilateral actions by McColo's Internet providers, his opinion is that U.S. authorities should have been examining McColo and its customers for a long time.

"There is damning evidence that [McColo's] activity (allegedly hosting purveyors of spam) has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network, but nobody seems to care," Ferguson said."

Multiple security researchers have recently published data naming McColo as the host for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online. These include SecureWorks, FireEye and ThreatExpert.

Reports by Joe Stewart, director of malware research for Atlanta-based SecureWorks, said that these known botnets: Mega-D, Srizbi, Pushdo, Rustock and Warezov, "have their master servers hosted at McColo.

Stewart said he has complained to McColo several times about botnets operating out of the company's servers, and each time, he said, the company claimed it was addressing the problem. But according to Stewart, they did so by just moving the offending Web sites to a different section of their network.

"McColo runs a service that offers its clients quite a bit more protection from takedowns than the average Web host," Stewart said. "If they get abuse complaints they will try to appease whoever is complaining, but the end result is usually they just end up moving their Internet addresses around."

Collectively, these botnets appear to be responsible for sending roughly 75 percent of all spam each day, according to the latest stats from Marshal, a security company in the United Kingdom that tracks botnet activity.

Vincent Hanna, a researcher for the anti-spam group, said Spamhaus sees roughly 1.5 million computers infected with either Srizbi or Rustock sending spam over an average one-week timeframe.

Hanna said McColo has for years hosted botnet and other suspicious activity, and that it has a reputation as one of the most dependable players in the so-called "bulletproof hosting" business, which are Web servers that will remain online regardless of complaints.

"These are serious issues, almost all relating to the very core of spammer infrastructure," he said.

<       2        >

© 2008 The Washington Post Company