One for the good guys

When McColo was taken down, worldwide spam volume dropped by 75 percent. Roger A. Grimes looks at how the spam-loving ISP was taken down, and lessons we can learn from this rare anti-spam success.

"Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has."

-- Margaret Mead

I often spend my Friday columns venting about the latest computer security failure and how all the new evolving solutions will do little to protect us in the long run. But I have to give credit where credit is due, even when it comes from unexpected places.

Taking down spam-producing malware
It appears that a single security company and a technology columnist for The Washington Post have succeeded in bringing down worldwide spam rates by 75% or more. No single event has ever accomplished what Brian Krebs and security firm Security Fix did nearly two weeks ago.


In a nutshell, Security Fix (among other computer security firms) had long known that a single Internet hosting company, McColo, based in California, was responsible for hosting a large amount of spam-producing malware and the servers that controlled it. Questionable hosting companies often claim ignorance when confronted with the facts, and so, too, did McColo.

But Security Fix and Krebs pulled a reverse denial-of-service (DoS) attack, using a DoS attacker's favorite technique against the bad guys. Often when a DoS attacker starts flooding a target Web site, the victim will respond by implementing anti-DoS equipment or services to drop the illegitimate packets. The attacker will respond by attacking the Web site's hosting company, and if that fails, by attacking all the upstream Internet pipes. The idea is to cause so much pain that the upstream neighbors cry uncle and force the victim offline to rescue all the other, unintended Web sites. "Sorry about your bad luck," they say.

In this case, the good guys contacted McColo's upstream Internet neighbors and explained the situation. One of the providers immediately disconnected McColo. The other hemmed and hawed a bit, but under public pressure and the threat of unfavorable media exposure courtesy of The Washington Post, eventually responded. Poof! And just like that www.mccolo.com was no longer on the Internet.

In one sudden, unexpected moment, 75% of the world's spam went away. And stayed away. The world noticed. It was that big.

Results of the takedown: Significantly less spam
Days later, I interviewed Matt Sergeant, senior anti-spam technologist at MessageLabs. He had this to say: "I'm looking at a spam activity chart right now, and it's like an EKG that went flatlined! Fifty percent of all spam came from the Srizbi botnet, which was taken down when McColo was taken down. The takedown of McColo was not supposed to have this big of an effect, but it turns out that the majority of the C&C bots were hosted on McColo, and the bots had their control server's IP address hard-coded."

McColo was the host provider of choice for many of the world's largest botnets and bad Web sites. Krebs did an excellent job of showing the links between the malware and McColo's network.

Lessons learned for the next spam fight
So, chalk up one for the good guys. In three years of writing this column, I can rarely point to a success. Hey, let's just hire Krebs and Security Fix to do this full time.

Except, of course, it isn't that easy. Getting rid of the top spammer is like getting rid of Al Qaeda's No. 2 leader or arresting a Colombian drug lord. Take one down and there are two more waiting to take their place.

While the 75% drop in spam held for nearly a week, it appears that levels are creeping back up fast. My own personal anti-spam honeypots started reporting a significant increase in spam after resting for almost a week. A quick check of all the major anti-spam Web sites shows the same thing (with the notable exception of Spamcop). For example, MessageLabs reports spam volumes running 53-69% this month. While spam rates aren't back up to where they were before the McColo takedown, they aren't that far below the peak. And the rates came back up so quickly that it's bothersome.

Part of the resurgence has to do with the fact that McColo went back up after the initial takedown long enough to hand its malicious operations over to a Russian host network. We've long suspected that the Russian Business Network hosted its C&C servers on McColo, and this response seems to confirm it. I'm not sure if the RBN ran McColo, or if it was just an illegitimate business relationship; the RBN promises bulletproof hosting, so I'm sure McColo will be back in business soon, if only under another name.

Still, it's one for the good guys. The bad guys had to do a little more work over the last two weeks, and their revenue stream was briefly interrupted (however, I suspect far less than my stock portfolio over the same time period).

Although the Krebs/Security Fix takedown is one for the books, it raises the question of why this was the way the biggest anti-spam defense was accomplished. It wasn't a large coalition of anti-spam companies, the maintainers of the Internet, or the "Internet police." Nope, no big groups with official authority. It was a few people working in friendship toward a common goal. No police. No courts. And, unfortunately, no arrests. McColo, and a hundred organizations like it, will be back. They will not repeat their mistakes and will become stronger than ever.

As always, long-term solutions involve more than random takedowns. There are permanent solutions, and one day we will decide to do something more than temporarily inconvenience the bad guys.

But for today, I salute Brian Krebs, Security Fix, the upstream providers, and any others who participated in the McColo takedown.

Continue to fight the good fight!
