Silicon Valley Spam-Slinger Knocked out Cold

On November 11, two ISPs, Global Crossing and Hurricane Electric, purged the California webhosting firm McColo from its services. The next day Cisco subsidiary IronPort announced that worldwide spam activity had fallen off by as much as 75%.

An article on washintonpost.com was what triggered the whole thing. Brian Krebs, the article's author, got a tip-off and notified the two ISPs of the webhoster's criminal activities that had been logged by security firms over the last couple months.

According to Krebs's article, the San Jose based McColo hosts, among other things, some diverse botnets that security firms such as SecureWorks deal with on a regular basis. Botnets are said to be responsible for about two-thirds of the world's spams. McColo also allegedly hosts many illicit child pornography websites, as washingtonpost.com reports and appeals to readers to contact the HostExploit.com website. Linux Magazine Online has since asked for comments from a few spam specialists.

Magnus Kalkuhl is virus analyst with Kaspersky Lab in Germany.

Magnus Kalkuhl is one of them. He works in the anti-virus division at Kaspersky Lab in Germany. His comment: "We can prove that a whole series of botnets are no longer active since McColo was shut down." By his assessment, the affected botnets driven by McColo servers were Srizbi, Rustock and Mega-D, which were sending up to 10 million email spams a day. But even criminal activity involves backups: "It won't be long before the spam business starts picking up again as usual," Kalkuhl says.

Comments also came from Berlin webhoster, mail expert and Linux Magazine author Peer Heinlein. Heinlein identified the shut down servers as "bullet-proof" servers. McColo is, therefore, a kind of provider who promises its clients uninterrupted service even with high complaint rates. Spammers use "bullet-proof" servers either for sending direct and huge quantities of spam mail or as command-and-control servers for botnets to infest and control user PCs.

Peer Heinlein is a Postfix specialist and helps clients with anti-spam mail clusters.

The tear-down of the McColo servers has cost a lot of spammers their infrastructure, according to Heinlein. "Organizations like Spamhaus, through their undying effort, have provided ISPs with enough earth-shattering evidence for them to take the proper steps." However, Heinlein concurs with Krebs that spammers will be back at their game in no time: "There are a number of other bullet-proof hosters that would love to take over all the suddenly available clients. Spammers will reconfigure things so that this recent cutback will hardly be noticeable."

Indeed, not everyone has noticed the effect. For example, Ralf Hildebrandt, self-professed mail server expert and also Linux Magazine author. He works on contract basis with T-Systems Business Service as technical manager for the CharitéHospital in Berlin. He has noticed nothing of a significant spam reduction: "My statistical graphs show about the same amount of emails and the same amount of rejects."