
Major spam host closed down

A web-hosting firm that reportedly was responsible for some 75 percent of worldwide spam has been knocked offline.


Following reports from Brian Krebs of The Washington Post on evidence gathered about criminal activity emanating from McColo, the California-based company was switched off by its upstream providers, Global Crossing and Hurricane Electric.

McColo was providing hosting capabilities for a number of unscrupulous cybergangs, the newspaper reported. These syndicates were responsible for managing botnets, selling pharmaceuticals, hawking rogue anti-virus programs and dispensing child porn.

When the company disappeared, the worldwide volume of spam saw a dramatic drop. The drop in activity was detected by researchers at Cisco's IronPort, which reported a decline of almost two-thirds of overall spam volume.

At first, analysts thought it was a technical problem, but on further investigation realized the drop occurred at the same time McColo was shut down, as reported by The Washington Post on Tuesday evening.

Spam dropped considerably when McColo went offline (courtesy IronPort, a business unit of Cisco).

“It started with finding the people who hosted networks that sent spam and within seconds of it being turned off the amount of spam being sent had dropped,” Jason Steer, an IronPort spokesman, said. “We know that over 200 billion spam messages were sent every day before this, and after it was switched off we thought there was a problem with the system because of a drop in spam.”


There have been parallels to this in the past, and the spam levels were not affected in the long run, experts said.


"Another hosting provider, Intercage, hosted many spam botnets," IronPort product manager Nilesh Bhandari said. "It was shut down and we noticed spam volume decrease immediately. But a few days later, the volume was back to where it was before. So I think McColo, like Intercage, will just find another upstream provider."


Steer added: “I think that this will lead to a temporary lull, as the amount of money made is significant. I expect that there will be a drop in the amount of spam for a week or two but we won't see this lasting for a long time.”


Many observers had long noticed that there was a massive amount of malicious activity at McColo, including command-and-control centers for botnets.


"This botnet has been well known for a while as the criminals had been able to set up a legitimate business at the front end, and if the police were to ask them about it, they can say that ‘it was one of our customers that did it and it wasn't our problem,’" Steer said.


FireEye's Chief Security Content Officer Fengmin Gong said: “McColo, in light of all the activities observed, hardly did anything to address the issues that were discovered.”


As of Thursday morning EST, McColo's website remained inaccessible, so a representative there could not be reached for comment.
