"At one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations," Mushtaq lamented in a blog post on Wednesday. "The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy."
FireEye contacted other researchers in Europe on Tuesday and shared its evidence on the Grum botnet's new home. Mushtaq and other security professionals were not hopeful, but overnight the contacts managed to find the right people and all six Ukrainian servers went down. Following that, the upstream provider of the company providing Internet access to the Russian command-and-control (CnC) server disconnected the route to that IP address as well.
As a result of the operation, spam has gone from a deluge to a trickle. Grum used to send spam from some 120,000 IP addresses every day, but that has dropped to almost 20,000, according to Spamhaus data cited by FireEye.
Will other companies target the remaining two botnets? They should, Mushtaq said.
"There are no longer any safe havens," Mushtaq said in his post. "Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox."
This story, "Grum botnet takedown puts spam on the run," was originally published at InfoWorld.com.