The Spamming Hall of Shame! McColo Corporation's Downfall and Recent Developments in Web Spam; How Can You Fight Spammers Effectively?

Internet and email spam has been down for a week now, thanks to the takedown on November 12 of one of the largest players in worldwide spam, brought about by the astute intervention of the Washington Post's computer security blogger, Brian Krebs. The post Krebs made on the 12th about the criminal activities of the California-based hosting firm McColo Corporation first drew my attention to this. I had been tracking how spam levels were going these days, and I am happy to see they have been considerably lower. The worldwide spam rate has come down an astounding 75 per cent simply because of the shutdown of this one corporation, which housed such things as spam bot networks (botnets) on its servers.

The Bringing Down of the Spam Giant

In this timeline, we will see what exactly happened and what role Mr Krebs played in bringing down McColo.

  • Security Fix, the blog run by Krebs, had been tracking the activities of McColo Corp. for the last four months. McColo's team includes some of the most disreputable cyber-criminals in existence today.
  • On Monday, November 10, Krebs contacted McColo's Internet service providers, which handle 90 per cent of the company's data transfer to the outside world—Global Crossing (GBLX) and Hurricane Electric—to report the spamming activities carried out through the company.
  • Global Crossing got back to Krebs on Tuesday to say that they don't allow any spamming through their networks and are a very law-abiding company, but they refused to say anything about McColo.
  • Within two hours of that, Benny Ng from Hurricane Electric reported to Security Fix, "We shut them down". According to Benny,
    We looked into it a bit, saw the size and scope of the problem you were reporting. Holy cow! Within the hour we had terminated all of our connections to them.
  • Shortly afterwards, GBLX de-peered them as well. McColo's entire Internet connectivity was lost, and they are nowhere to be found on the Net now.

About McColo Corporation

Spammers need web space from which to operate. They cannot take space from normal hosting companies like GoDaddy, as those will shut them down once enough complaints come in. As the volume of spam on the Web increases, so does the volume of complaints.

So they require a web host that turns a deaf ear to these complaints. McColo was one such host, a major player in so-called bulletproof hosting. Bulletproof hosting is the term for a hosting plan that keeps a website online no matter how many complaints it receives.

Simply because of this assurance, several spammers operated through the McColo network, making it a major player in long-term spamming. The sheer fact, as reported by CNN, that spam is down these days by 75 per cent is a testament to the vastness of this company's operation.

I checked the Internet Archive for a snapshot of the McColo website and found the following details about this company:

Physical Address: McColo Corp., 64 East main st., Box 275
Newark, DE, 19715, USA.


But this postal address is operated by a Delaware online incorporation firm, SIMILEX.

Hosting location of the server: Market Post Tower IT center, San Jose, CA, USA; a state-of-the-art building with 30 stories.

The company's IP addresses ping to Hurricane Electric's Palo Alto and Fremont locations.

Partnerships: McColo Corp. has partnerships with HP, Cisco, Hurricane Electric, Global Crossing (the industry's IPv6 leader), 3Com.com, and Ynot.com.

I also found this great resource with some technical information about McColo's server.

Spamming Activities

The criminal activities of McColo include overwhelming amounts of email spamming, child pornography sites, sites that accept payment for spam and child pornography, and drive-by malware installation sites that planted malware to steal banking and credit card details from more than half a million unsuspecting customers worldwide.

One of the major spamming activities was running botnets: the remote administration of millions of compromised computers, used to push the sale of counterfeit pharmaceuticals and designer products.

Botnets

McColo operated and managed the C&C (Command & Control) networks for some of the most expansive botnets (robot networks), which are networks of compromised computers controlled remotely. According to MessageLabs, an email security research firm, botnets are the source of 90 per cent of all spam.

In fact, anyone's computer can be part of a botnet, and the owner of the system may not even know it. Computers without sufficient security mechanisms installed can be compromised and made part of a botnet. The aim is simply to host and distribute spam messages, but in some cases the user's credit card and banking details may be compromised as well.

The major botnets operated through McColo included:
  • Pushdo (Cutwail), a fake e-card trojan, with 7.1% of the network;
  • Rustock (a trojan stealing financial details), with 17.6%;
  • Ozdok (Mega-D), which has about 35,000 systems infected worldwide, with 20.7%;
  • Srizbi, with 36.1%;
  • and other botnets like Warezov (Stration/Opnis), Bobax, Wopla, etc., in minor percentages.

Spamhaus, a spam research organization that hosts the industry's most extensive and accurate real-time spam data, reports that about 1.5 million computers are infected with Srizbi or Rustock.

In a BBC report, Joe Stewart, director of malware research at SecureWorks, said that he had sent several complaints to McColo about the spamming coming through its network, but each time the company relocated the offending websites to another part of its network while assuring Stewart that action would be taken. He said:
McColo runs a service that offers its clients quite a bit more protection from takedowns than the average Web host. If they get abuse complaints they will try to appease whoever is complaining, but the end result is usually they just end up moving their Internet addresses around.

Spam Coming Back Up?

Clearly, McColo's takedown has proved highly worthwhile. But the recent statistics published by various companies show how short-lived its effect may be. Here are screenshots published by the Washington Post and various other publications after the McColo event.

[Images: graphs of the McColo spam drop from the Washington Post and other publications, and a chart of spam activity for the month]

In all of them, we see that a major drop in spamming occurred. But most of them now show spam recovering, a week on. Once spammers migrate to other servers and web hosts in less law-abiding regions, spam will come back in full swing.

Nilesh Bhandari, product manager at IronPort, a major email security firm, said:
The company sees an average of about 190 billion spam e-mails each day. Then, at around 4:30 p.m. ET yesterday [11th], IronPort saw a huge decline in spam levels. For the 24-hour period ending Tuesday, the company tracked about 112 billion spam messages.

We fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season.

According to Jason Steer, a spokesperson also from IronPort:

It is an unprecedented drop but will be a temporary outage as the networks move from North America to places where there is less scrutiny.

Major publications like the Financial Times also held the same view.

How Can You Help Prevent Spam?

Now we come to the most important section. Email spam now amounts to as much as 90 per cent of all email sent, exponential growth over the past decade. 30 per cent of all Internet spam originates in the US, way ahead of any other country. In 2007, Internet spam cost a whopping 13 billion dollars in the US alone. It affects everybody's day-to-day life, especially those who spend a lot of time online. So it is both our right and our responsibility to help fight spam.

There are quite a few major spam reporting sites where you can report any junk email, any source of plagiarism, etc., that you come across online. Here are some:

  • The Federal Communications Commission (FCC) complaint box: lets you complain about almost all types of communication issues.
  • The Federal Trade Commission (FTC): you can submit complaints about any spam you receive.
  • The US Postal Inspection Service: send mail fraud and online identity theft complaints here.
  • SpamCop: finds the origin of spam emails and reports them to the responsible ISPs.
  • Abuse.net: helps route the spam report to the appropriate party.
  • The National Do Not Call Registry: to get rid of telemarketing calls.
  • Direct Marketing Association's DMAChoice: a tool that lets you receive emails based on your preferences from companies that are part of the Direct Marketing Association.
  • The Privacy Rights Clearinghouse: has a lot of spam-fighting resources.
  • Smallclaim.info: this is where you find Ben's spam tracking thingy.

Conclusion

Just as you lend a hand in fighting online spam, make a pledge that you won't spam yourself. Spamming on a small scale may not affect your Internet career, but don't engage in it on a mass scale. We have already seen the consequences: quite a few cases have been brought under the CAN-SPAM Act of 2003. So let's get together and fight spam.

Copyright © Lenin Nair 2008
