Web Host of Groups That Traffic Spam Kicked Offline

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, November 13, 2008

The volume of junk e-mail sent worldwide may have dropped drastically yesterday after a Web-hosting firm, identified by many in the computer security community as a major host of organizations engaged in spam activity, was taken offline.

McColo, a San Jose Web-hosting company that, according to computer security experts, serves as a U.S. staging ground for international firms that sell a variety of items, including counterfeit pharmaceuticals and child pornography, ceased operations after two Internet providers blocked Web access.

SecureWorks, an Atlanta security-services provider, estimates that McColo was responsible for 75 percent of all spam sent in the United States each day.

Global Crossing, a Bermuda company with U.S. operations in New Jersey and one of the two companies that provided Internet access to McColo, would not say why it cut off the company, but said Global Crossing's policy prohibits "malicious activity."

Benny Ng, director of marketing for Hurricane Electric, a Fremont, Calif., company that served as McColo's other Internet provider, said it decided to block the host firm after reading about allegations against McColo.

"We shut them down," Ng said. "We looked into it a bit, saw the size and scope of the problem . . . Within the hour, we had terminated all of our connections to them."

McColo officials did not respond to several e-mails, phone calls and instant messages.

Paul Ferguson, a threat researcher with computer security firm Trend Micro, said that despite the actions by McColo's Internet providers, U.S. authorities should have been looking into the company and its customers for a long time.

"There is damning evidence that this activity has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network," Ferguson said. "It's a statement on the inefficiencies of trying to pursue legal prosecution of these guys that it takes so long for anything to be done about it."

It is unclear to what extent McColo could be held responsible for the activities of the clients for whom it provides hosting services. It is also unclear what action, if any, U.S. law enforcement has taken regarding McColo. A spokesman for the FBI, which investigates cyber crimes, declined to comment.

Mark Rasch, a former cyber-crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, said Web-hosting providers generally are not liable for illegal activity carried out on their networks except in cases involving copyright violations and child pornography.

In 2001, BuffNET, a large regional service provider in Buffalo, pleaded guilty to knowingly providing access to child pornography because the company failed to remove the Web pages after being alerted to the material.

"It's a little bit like a landlord who owns a building and sees people coming in and out of the apartment complex constantly at all hours," Rasch said. "There are certain things that raise red flags, such as the nature, volume, source and destination of the Internet traffic, that can and should raise red flags."

A number of security researchers have published reports over the past year alleging that McColo hosts the top "botnets," or vast collections of hacked computers networked together, to blast out spam or attack others online.

Joe Stewart, director of malware research for SecureWorks, said botnets such as "Mega-D" or "Srizbi," which are known to send e-mails about access to prescription drugs, have had their master servers hosted at McColo.

Although security experts who have been seeking to stop McColo from allegedly hosting questionable sites are pleased to see the company lose its access, some are worried that it will only make it harder to track illegal activity.

"Everything will just be more spread out and harder to mitigate," Stewart said. "We rather like knowing where the bad activity is coming from, so protecting our networks is easier."

© 2008 The Washington Post Company