Welcome to a spamless world?
Posted on 28 Jan 2009 at 16:05
This month, Davey Winder fantasises about killing spam, and pines for some security gadgets he probably won't get for Christmas.
Don't get too excited about the demise of Storm, as the gang behind it is thought to have moved over to another botnet, and many experts think it's likely to be one of the small number controlling much of the spam distribution that continues today - or rather did continue until very recently. Just a couple of weeks ago, something strange and wonderful happened: the Washington Post managed to set off a chain of events that saw global spam volumes drop, literally overnight, by as much as 70%. A lengthy investigation by Brian Krebs, the US newspaper's Security Fix blogger (www.pcpro.co.uk/links/173online) revealed that one web-hosting outfit called McColo Corporation appeared to be responsible for distributing as much as 75% of the world's spam by volume. His four-month investigation concluded that this San Jose-based service was "a major host of organisations allegedly engaged in spam activity", and went on to suggest that it acted for various international firms and syndicates that were involved in the management of "millions of compromised computers" used to promote, via spam, the sale of "counterfeit pharmaceuticals and designer goods, fake security products and child pornography".
A shadow was cast over the legal responsibility that a company such as McColo bears for the activities of its clients, for whom it simply provides hosting services, and Krebs admits that there's no evidence that the company has been charged with any crime or has actually violated any US laws. Faced with the fact that one company could help distribute so much of the world's spam and yet not appear on the legislative or law-enforcement radar, Krebs sprang into action by contacting all those ISPs that between them managed more than 90% of McColo's internet connectivity and sent them a file documenting the company's activities. Within hours he started hearing back from the ISPs, a typical response being "we've shut them down". Within 12 hours the number of spams being seen across security monitoring networks around the world dropped dramatically, by around 70%.
This is very good news indeed, but as I said before it's too soon to call it the death of spam, just a nasty wound - already, two weeks after McColo was taken down, spam levels are starting to rise again. With profits as high as they are and criminals as well organised as they are, this is inevitable. However, what surprises me is that those spam levels haven't increased so quickly or by as much as I'd have expected, and it seems that the spammers are struggling to get back above the 50% of network traffic level. One has to wonder whether this means that the central command and control infrastructures of the Srizbi, Mega-D and Rustock spam botnets - the most prolific on the planet - were all hosted in that one place, as has been suggested by some. Knocking them down with such speed and efficiency destroyed the myth of the bulletproof host, creating an unexpected and unplanned-for disconnection between the spam-masters and the botnets they control.
Even as I sit here tapping away at my keyboard, I have no doubt that those spammers are looking to establish new command and control servers, ones further removed from the reach of those who'd like to destroy them. But, equally, I don't doubt that this will be no easy task, since it involves re-establishing connections to millions of zombie PCs. And don't you doubt the significance of these events that I've just been explaining and what they mean for the fight against spam in future: as the lead threat analyst with the MessageLabs TRACE Team, Phil Hay, says: "This is the most significant single event in the fight against spam we have ever seen. It shows that a coordinated effort against spammers by security researchers can have a positive and meaningful impact on global spam levels."