How Does So Much Spam Come From One Place?
Despite the level of questionable activity researchers say was coming out of networks hosted at McColo, it's not clear what if anything federal law enforcement can or should do about it, or whether anyone at the company has committed any crime.
A spokesman for the FBI declined to comment for this story, as did the U.S. Secret Service. A federal law enforcement official familiar with the accusations against McColo said privately that authorities have been investigating the hosting provider, but that building a case that could convince a jury of McColo's complicity in the activity has proven difficult.
Some in the security community, while applauding McColo's Internet providers for cutting the company off, said it should have happened sooner.
John Bambenek, incident handler with the SANS Internet Storm Center, which tracks hacking trends, said he doubts either provider was unaware of the alleged activity at McColo.
"The upstream providers may claim they didn't know, but that's about as convincing as a motel operator who is renting rooms by the hour and hearing the exploits from the hallway and being shocked when the police show up to bust the prostitution ring," Bambenek said.
But Benny Ng, director of infrastructure for Hurricane Electric, one of the Internet providers that cut off McColo's online connections, said that "until we were provided with the Washington Post report, there was no compelling overall picture." He added that many people, "including some professionals, think it is perfectly reasonable for an Internet service provider to intercept and inspect their customers' traffic, including reading customers' email. Hurricane Electric does NOT condone or practice this, as this is illegal due to privacy laws."
Ng said his company monitors spam blacklists for Internet addresses used to send spam, but even those lists would not have flagged the botnet control servers hosted by McColo.
"Specifically in this case, the scope and complexity [of what was going on at McColo] was nearly imperceptible," said Ng. "The indirect nature of this network abuse, with compromised computers all over the world, was particularly subversive."
Global Crossing, the other major provider that pulled the plug on McColo's access, refused to comment.
If U.S. law enforcement was reluctant to act against McColo before the company's Internet providers pulled the plug, there are no signs that they are any more willing after the incident. Sometime on Saturday, McColo's principals briefly reconnected the company's Web servers to a major Internet provider in Europe.
"The best part about this story is that they haven't physically moved their servers... they're still in Market Post Tower in sunny San Jose," at the very same Internet addresses, wrote Atif Mushtaq, a researcher and engineer at Fireeye.
Fireeye said the European ISP on Sunday severed its relationship with McColo under pressure from the security community. But that may have been enough time for criminals behind the Rustock botnet to reclaim control of between 10,000 and 15,000 of the estimated 100,000 computers infected with the malware, Fireeye estimates.
Experts say it's not uncommon for cyber criminals to stage their operations out of the United States, regardless of where the criminals themselves may be based. After all, U.S. Internet providers offer some of the fastest, cheapest and most reliable Internet services on the planet.
"These guys like going after well-hosted infrastructure in good economies, because it gives them the resiliency that any business looks for," said Vincent Weafer, senior director of development for Symantec Security Response.
What's more, dependability and server uptime are important in cutthroat businesses for which an outage of a few hours can staunch the flow of spam and cost thousands of dollars.