Answers Trickle Out as Spammer Networks Remain Compromised
Wednesday, November 19, 2008
At about 4:30 p.m. Eastern time last Tuesday, the volume of junk e-mail arriving at inboxes around the world suddenly plummeted by about 65 percent. Confronted with information that one Silicon Valley computer firm was hosting organizations that controlled the distribution of much of the world's spam, Internet service providers pulled the plug and McColo Corp., the hosting firm, went dark.
By most accounts, the volume of spam has remained at far diminished levels, though experts say they expect spam to soon bounce back, or even exceed previous levels. But the question remains: How could such a massive concentration of spam activity be hosted for so long by servers at a single U.S.-based facility, in the belly of the security and tech community in Silicon Valley?
The answer exemplifies how complex the battle against spam has become.
Like other hosting firms, McColo -- which has not been charged with any crime -- assigns certain Internet addresses for its clients' computers to use. But spam often does not come directly from those computers, according to security experts who have documented the activity. Rather, firms such as McColo host a number of key Internet servers -- computers that control networks of computers. Those networks are used by their respective owners to turn hundreds of thousands of compromised PCs into spam distributors, the experts said.
According to security service providers including the Atlanta-based SecureWorks, some of the largest collections of hacked PCs, known as robot networks or "botnets," may have had their master control servers hosted at McColo. McColo officials did not respond to requests for comment.
Botnets typically are rented out to junk e-mail purveyors. The spammers then sign in remotely to the control servers and use them to send billions of e-mails a day, touting everything from knock-off pharmaceuticals and designer goods to pornography and get-rich-quick scams.
But when McColo was taken offline by its Internet providers, so too were all of the botnet control servers located there, security experts said.
Joe Stewart, director of malware research for SecureWorks, said some botnets might remain disconnected. The three largest spam botnets on the Internet appear to be stranded and unable to contact more than a small number of their control servers, according to Marshal, a computer security firm in the United Kingdom that tracks bot activity.
McColo's shutdown may also have slowed one of the most aggressive e-mail-address harvesting services, anti-spam groups said. Matthew Prince, chief executive of Unspam Technologies and founder of Project Honey Pot, a collaborative effort that gathers intelligence about the world's largest spam networks, said that since June 2006, crawler bots hosted at McColo were responsible for more than 30 million spam messages sent to the project's e-mail traps.
"And our spam traps constitute a tiny fraction of the e-mail addresses in the world," Prince said. Since McColo shut down, Prince said, the project has seen a 20 percent drop in the volume of the messages received at its spam-trap e-mail addresses.
It is not clear what, if anything, federal law enforcement can do about McColo hosting spammers, or whether anyone at the company has committed any crime. A spokesman for the FBI declined to comment, as did the Secret Service.
On Saturday, McColo briefly reconnected its Web servers to a major Internet provider in Europe. Under pressure from the security community, the provider severed its relationship with McColo the next day. But that, said officials with computer security company Fireeye, may have been enough time for spammers to reclaim control of 10,000 to 15,000 of an estimated 100,000 computers infected with malicious software.