How Does So Much Spam Come From One Place?
Tuesday, November 18, 2008; 9:00 AM
At roughly 4:30 p.m. Eastern time last Tuesday, the volume of junk e-mail arriving at inboxes around the world suddenly plummeted by at least 65 percent, an unprecedented drop caused by what is believed to be a single, simple act.
According to security experts, one Silicon Valley based computer firm was playing host to computers of various organizations that controlled the distribution of much of the world's spam. Confronted with evidence tracing the spam activity back to the hosting firm, McColo Corp., Internet service providers pulled the plug, severing McColo's online connections.
By nearly all accounts, spam volumes have remained at far diminished levels, though experts interviewed for this story expect spam to soon bounce back or even exceed previous levels. But the question remains: How could such a massive concentration of spam activity be hosted for so long from the servers at a single U.S.-based facility, in the belly of the security and tech community in Silicon Valley?
The answer exemplifies how complex the battle against spam has become. Like other Internet hosting firms, McColo -- which has not been charged with any crime and has been unavailable for comment -- assigns certain Internet addresses for its clients' computers to use. In effect, that's how those firms operate on the Web.
But the spam often does not come directly from those computers, according to security experts who have documented the activity. Rather, McColo appears to have been home to a number of key Internet servers -- computers that control networks of computers -- that were used by their respective owners to coordinate the actions of hundreds of thousands of PCs that may be compromised with malicious software designed to turn them into spam-spewing zombies.
According to research by several in the computer security community some of the largest collections of hacked PCs, known as robot networks or "botnets," may have had their master control servers hosted at McColo. Assigned such curious monikers such as "Srizbi," "Rustock," "Mega-D" and "Cutwail" by anti-virus vendors, the networks of compromised computers around the world are named after the malicious software that powers them.
The botnets typically are rented out to junk e-mail purveyors. The spammers then sign in remotely to those control servers and use them to coordinate the sending of billions of e-mails a day touting everything from knockoff pharmaceuticals and designer goods to pornography and get-rich-quick scams.
But when McColo was taken offline by its Internet providers, so, too, were all of the botnet control servers located there. That means hundreds of thousands of computers that remain infected with these bot programs were left like sheep without a shepherd, waiting and searching the Web for a new set of instructions from the criminal gangs that controlled them.
Joe Stewart, director of malware research for Atlanta-based SecureWorks, said some botnets might remain disconnected. For the moment, the Internet's three largest spam botnets appear to be stranded and unable to contact more than a small number of their control servers, according to Marshal, a computer security firm in the United Kingdom that tracks bot activity.
Both Stewart and Marshal say the criminals responsible for maintaining those botnets will quickly find ways to revive them.
Not everyone has seen fewer spam messages in their inboxes after McColo's shutdown. Adam O'Donnell, director of emerging technologies at Cloudmark, an e-mail security company in San Francisco, said those who did not see a drop in spam from the McColo shutdown likely subscribe to an Internet service provider that already does an effective job blocking 99 percent of junk e-mail.
"People who had really good systems in place probably didn't benefit from this, while those who had more marginal spam filter protection likely saw a significant drop off in spam," O'Donnell said.