Pricewert shutdown brought only short-lived drop in spam

Any spam drop that resulted after the takedown of a rogue internet service provider last week was short-lived, researchers said Tuesday.

The volume of unwanted messages has crept back to normal levels -- about 90 percent of all email -- after having dropped 15 percent last week following the closure of the ISP Pricewert, according to security vendor Marshal8e6.

Pricewert, which also did business as 3FN and Telecom, was shut down last Tuesday by a U.S. District Court judge at the request of the Federal Trade Commission.

According to the FTC, Pricewert recruited and worked with cybercriminals who distribute illegal and malicious content, including child porn, spyware, malware and botnet command-and-control servers. Following the takedown, there was a significant decline in spam originating from one botnet called Pushdo, sometimes referred to as Cutwail, which was being hosted by Pricewert, researchers said.

A decline of 15 percent in overall spam volume is not uncommon, Phil Hay, lead threat analyst at Marshal8e6, said on Tuesday.

“You can see 15 percent swings in a day,” he said.

The overall magnitude of the drop has even been disputed. Vincent Weafer, vice president of Symantec Security Response, said on Tuesday that the Pricewert takedown did not have a significant impact on overall spam volume, as it has held steady at approximately 90 percent of all mail, even after Pricewert was knocked offline.

“We haven't seen any falloff,” Weafer said.

For a short period of time, however, spam originating from the Pushdo botnet dropped by nearly 40 percent, Hay said. Past analysis conducted by Marshal8e6 revealed that Pushdo bots were connecting to control servers on the 3FN network.

“The percentage of Pushdo spam dropped rapidly,” Hay said. “We were sitting there wondering what the reason for this was when we heard about the takedown of 3FN.”

But spam originating from Pushdo is back up, as criminal operations have “undoubtedly” migrated over to other control servers, Hay said. Shortly following the takedown, Symantec noticed that 379 malicious domains, such as phishing, fraud and pornography sites, “jumped ship” to move to alternative ISPs, Weafer said.

Researchers said the overall impact of the Pricewert takedown was minimal, compared to the drastic drop in spam following the shuttering of the web hosting provider McColo last November.

“With McColo, we saw spam levels drop by 50 percent almost overnight,” Hay said.

Weafer agreed that the most significant impact of Pricewert's takedown was to Pushdo, which represents only eight percent of Symantec's known botnet traffic.

“In this case, the ISP [Pricewert] represented every aspect of malicious activity, but wasn't a huge volume producer of any single one,” Weafer said.

He added that the biggest impact of the takedown might be the statement it sends: Enforcement agencies are willing and able to go after ISPs that do business with cybercriminals.
