Washington Post Blog Shuts Down 75% of Online Spam

Posted by CmdrTaco on Wed Nov 12, 2008 10:10 AM
from the real-american-hero dept.
ESCquire writes "Apparently, the Washington Post Blog 'Security Fix' managed to shut down McColo, a US-based hosting provider facilitating more than 75 percent of global spam." Now how long before the void is filled by another ISP?

Related Stories

[+] McColo Briefly Returns, Hands Off Botnet Control 242 comments
A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."
[+] New Massive Botnet Building On Windows Hole 223 comments
CWmike writes "The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is now being used to build a fast-growing botnet, said Ivan Macalintal, a senior research engineer with Trend Micro. Dubbed 'Downad.a' by Trend (and 'Conficker.a' by Microsoft and 'Downadup' by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with McColo, is creating. 'We think 500,000 is a ballpark figure,' said Macalintal when asked the size of the new botnet. 'That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's... starting to grow.'"
[+] Spam Back Up To 94% of All Email 266 comments
Thelasko writes "A NYTimes blog reports that the volume of spam has returned to its previous levels, as seen before the McColo was shut down. Here is the report on Google's enterprise blog. Adam Swidler, of Postini Services, says: 'It's unlikely we are going to see another event like McColo where taking out an ISP has that kind of dramatic impact on global spam volumes,' because the spammers' control systems are evolving. This is sad news for us all."
  • Not Just Spam (Score:5, Interesting)

    by eldavojohn (898314) * <my/.username@@@gmail.com> on Wednesday November 12, @10:10AM (#25732821) Homepage Journal
    From the article:

    The badness attributed to McColo was not limited to spam. It included child pornography sites; sites that accepted payment for spam and child porn; rogue anti-virus Web sites; and a huge malicious software operation that apparently stole banking and credit card data from more than a half million people worldwide.

    And they operated for how long before they were shut down ... as a United States based hosting provider?

    If they have evidence of these things, I certainly hope that The Washington Post turns any evidence over to the FBI or at the least the local law enforcement where McColo is operating. And I hope a warrant is obtained through the appropriate channels to collect evidence from Hurricane Electric & Global Crossing ... I'm all for user privacy policy from an ISP but obviously these people are criminals.

    • ISPs are clueless? (Score:5, Insightful)

      by Bearhouse (1034238) on Wednesday November 12, @10:37AM (#25733177)

      Also FTA:

      'Two hours later, I heard from Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo.

      Hurricane Electric took a much stronger public stance: "We shut them down," Ng said.

      "We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow! Within the hour we had terminated all of our connections to them."'

      So, after much hand-waving here, and elsewhere, about what info the Gov. and your ISP may be collecting about you, they could not spot this, a major spam, child-porn and theft site?

      Maybe the honest version would be;
      "We were making shitloads of money out of selling bandwidth to these bastards, 'no questions asked', but now you've blown the whistle on them I guess we've gotta look responsible."

    • Re:Not Just Spam (Score:5, Insightful)

      by ojintoad (1310811) on Wednesday November 12, @10:51AM (#25733327)

      I certainly hope The Washington Post doesn't have to do the job of the Federal Authorities in the future.

      I think this quote down on the third page was probably the best, from a Trend Micro researcher (emphasis mine):

      "There is damning evidence that this activity has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network, but nobody seems to care," [Paul] Ferguson said. "It's a statement on the inefficiencies of trying to pursue legal prosecution of these guys that it takes so long for anything to be done about it. Law enforcement is saying they're doing what they can, but that's not enough. And if law enforcement can't address stuff like this in a timely fashion, then the whole concept of law enforcement in the cyber world needs to be readdressed, because it's hardly making a dent at the moment."

    • Re:Not Just Spam (Score:5, Insightful)

      by zaffir (546764) on Wednesday November 12, @10:52AM (#25733335)
      Anyone wanna guess how much faster would they have been taken down had they been hosting RIAA or MPAA copyrighted works?
  • by Anonymous Coward on Wednesday November 12, @10:11AM (#25732827)

    Just give us an IP address linked in the summary. That's all we need.

  • good job! (Score:5, Funny)

    by larry bagina (561269) on Wednesday November 12, @10:18AM (#25732917) Journal

    First they shut down McCain, now McColo. Next up: McDonalds?

  • Oblig. (Score:5, Funny)

    by Mateo_LeFou (859634) on Wednesday November 12, @10:18AM (#25732933) Homepage
    • Re:Oblig. (Score:5, Funny)

      by TheThiefMaster (992038) on Wednesday November 12, @10:43AM (#25733241)

      More like:

      Your post advocates a
      (x) technical (x) legislative (x) market-based (x) vigilante
      approach to fighting spam. Your idea will not work. Here is why it won'... Holy crap how did you do that? 75% of all spam!? So much for it being botnets causing it! Congratulations!

  • by Ritz_Just_Ritz (883997) on Wednesday November 12, @10:19AM (#25732935)

    the spam will flow. It's the old "balloon dog" effect. Squeeze it in one place and it balloons in another. The ONLY way to attack this problem is to go after the advertisers who are willing to use spam as a medium to sell product.

  • Sigh (Score:5, Funny)

    by elrous0 (869638) * on Wednesday November 12, @10:21AM (#25732961)
    Well, I guess now my Nigerian prince will never come.
  • by petes_PoV (912422) on Wednesday November 12, @10:21AM (#25732973)
    as the title says. if it gets them "off the air" is this a public service or a criminal act (or both)?
  • Recomment (Score:5, Informative)

    by Anonymous Coward on Wednesday November 12, @10:24AM (#25732999)
    The comments on the Washington Post site are pretty worthless, but this one was particularly good:

    "Brian - Well done, and well reported. For the user who asked about reporting news versus creating news, you misunderstand Krebs's reporting. Like most good reporters who write big stories, he either got tips or analyzed data regarding spam and cyber-security. It probably was a combination of both. If he determined from his research, reporting and analysis that this data was coming from one place, he did not create a story by informing the spam host's business partners. Rather, he sought comment from them about this site, and they took action. What Krebs reported is not a big a story as Watergate, but what do you think Woodward & Bernstein did? Wait for a press release? A regulatory filing? No, they took one news event, worked backwards from it, and determined that something big was going on -- just like a spammer. Then they wrote about it, just like Krebs did. When Henry Blodget on Silicon Alley Insider wrote that The New York Times Co faces several possibilities for survival, he did not tap into a planned news event. He analyzed a balance sheet and made conclusions. Much of the news that comes out is because beat reporters see connections and draw conclusions that are not opinion, but reasoned and accurate viewpoints based on evidence out there that resists coalescing into a larger news event because most of us don't get it. That's why we have journalists, and this is a great example of that. And now for the full disclosure: I'm Robert MacMillan. I am a reporter at Reuters who covers the journalism business, and I worked at washingtonpost.com for many years with Brian. I sat right across from him so I know what he eats for lunch. Posted by: easymac | November 11, 2008 9:45 PM "
  • by plsuh (129598) <plsuh@good e a s t.com> on Wednesday November 12, @10:29AM (#25733059) Homepage

    When it comes to these sorts of things, oft times law enforcement and intelligence agencies who know about a source of major operations DON'T shut them down, so as to build a case against the bigger players or to maintain the ability to track what is going on. Given that this is a US-based corporation with US-based servers, I wonder if this shutdown has seriously compromised on-going monitoring and criminal cases. While this has almost certainly seriously disrupted operations of the various bad guys for now, I would give it only a few days before they're back online based at overseas locations where they're less easily reachable. Except for some script kiddies, the operations are all sophisticated enough to use standard techniques such as multiple hardcoded fallback IPs, DNS redirection, and using fake BGP announcements to hijack IP blocks to get back online.

    --Paul

    • by dbIII (701233) on Wednesday November 12, @11:04AM (#25733507)
      I think law enforcement and intelligence is too busy working hard in other areas (IMHO due to mismanagement and fear campaigns) to be able to handle their traditional roles. If you see criminal activity that you can stop immediately without any danger to yourself why look the other way? You can report it later instead of making yourself an accessory after the fact by condoning the criminal activity by continuing to let them operate with your resources.

      As for the other stuff, in a world scripted by Tom Clancy the supervillains simply switch to their backup systems. However in reality shutting down something that has taken a long time to establish can stop them for a long time and can open them up to exposure when they are trying to do it again.

  • This is their AUP from 2005 (Mccolo.com)

    Acceptable Use Policy (AUP)

    All Maxis' Commerce colocation or dedicated server customers are bound by the following Acceptable Use Policy. This document may be updated from time to time. Please consult this site periodically for the most recent revision of this document.

    No Maxis' Commerce customer shall:

    Do anything illegal or anything that adversely affects Maxis' Commerce legal interests. The following list is non-exclusive, and should not be considered license to commit other illegal activities not specified below. All illegal activity is prohibited, and Maxis Commerce will cooperate fully with any law enforcement officials and/or agencies investigating and/or prosecuting such activities.

    Cracking/Hacking - attempts to access accounts or systems other than the user's own accounts or systems or an account or system that the user has been explicitly authorized to access is illegal under federal and state law.

    Child pornography - as defined by U.S. law. This is strictly prohibited and dealt with quickly and harshly.

    Interstate gambling - because Internet traffic generally ignores state and country boundaries, any Internet based gambling site is restricted by Federal Inter-state gambling regulations.

    Pyramid schemes or fraud - are illegal under a number of Federal, State and Local laws.

    Theft of services - attempts to utilize services that are not contracted for is considered theft and will be dealt with as such.

    Harassment - use of Maxis' Commerce network to harass or threaten (in the legal sense of those terms) any other person is prohibited.

    Please consult an attorney if you are unsure of the legal status of your activities.

    Do anything that threatens the integrity of Maxis' Commerce network or the utilization there of by other persons.

    Denial of Service (DOS) attacks - no customer will commit a DOS attack against any Maxis Commerce customer's host, or any other host on the Internet. Similarly, no Maxis Commerce customer will willfully or negligently allow incitement of others to attack any host on Maxis' Commerce network, or any other host on the Internet.

    Blacklists - No customer shall do anything that could get any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer) put on blacklists such as the RBL (Realtime Black List) as maintained by MAPS (http://www.mail-abuse.com) or other similar organizations, or perform activities that would cause portions of the Internet to block mail or refuse to route traffic to any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer).

    Perform actions that cause unusual load on Maxis' Commerce servers (for example, mail servers, web servers, usenet servers, name servers, etc.), that cause slowness or denial of service to other Maxis Commerce customers.

    Do anything that threatens the Internet or any other network.

    No customer shall take actions that cause any portion of the Internet, or the Internet as a whole, to become unusable to any other portion of the Internet, or the Internet as a whole.

    No customer shall take actions that degrade the usefulness of the Internet, or any portion of the Internet, either through network degradation, flooding of usenet or email or so on.

    Spam - No customer shall send unsolicited commercial email, unsolicited mass mailings, spam or flood usenet newsgroups, or anything of that sort. If you have questions about what is allowed and what is not, please email abuse@mccolo.com for clarification.

    No spam may originate from Maxis Commerce IP space.

    No spam may advertise sites or services located on Maxis Commerce IP space (even if the spam originates elsewhere).

    No Maxis Commerce customer shall use third party mail servers to relay spam. This is considered a DOS attack on the third party and will be treated as such.

    No customer shall participate in pyramid schemes

  • OMFG!! (Score:5, Funny)

    by glock22ownr (734154) on Wednesday November 12, @10:34AM (#25733125)
    MY SITE IS DOWN!! WTF !
  • by rwyoder (759998) on Wednesday November 12, @10:46AM (#25733281)
    I use a procmail filter that sends mail from known addresses into my mailbox, and dumps everything else into a "garbage" file that I check every morning before deleting it, (on the off chance that a friend or business has sent mail from a new address). This morning for the first time in *years*, the file was empty.
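The sender-allowlist scheme rwyoder describes above, written out as an added Python example rather than the procmail recipe itself (this is not rwyoder's filter, and procmail is not involved). It parses the `From:` header's address part with the standard library, so a display name that merely *looks* like a trusted address (a common spam trick) still lands in the garbage folder, and a message with no `From:` at all is treated the same way. The `KNOWN_SENDERS` set and the sample messages are constructed for the example; the "friend writing from a new address" case from the comment is the last message, which correctly ends up in garbage for the owner to review.

```python
"""Sender-allowlist mail sorter, in the spirit of the procmail recipe
described above: mail from a known address goes to the inbox, everything
else lands in a 'garbage' folder that the owner reviews before deleting."""
import email
from email import policy
from email.utils import parseaddr

# Allowlist of senders the owner already trusts (constructed example values).
KNOWN_SENDERS = {"alice@example.org", "billing@example.net"}

# Constructed sample messages in RFC 5322 form; none of these are real mail.
SAMPLE_MESSAGES = [
    # 1: trusted sender with a display name -> inbox
    "From: Alice <alice@example.org>\r\nSubject: lunch?\r\n\r\nStill on for noon?\r\n",
    # 2: trusted sender, different letter case -> inbox (addresses compared case-insensitively)
    "From: BILLING@Example.NET\r\nSubject: invoice 42\r\n\r\nAttached.\r\n",
    # 3: display name mimics a trusted address, real addr-spec is unknown -> garbage
    "From: \"alice@example.org\" <promo@spam.example>\r\nSubject: cheap pills\r\n\r\nBuy now\r\n",
    # 4: no From header at all -> garbage
    "Subject: no sender at all\r\n\r\nhello\r\n",
    # 5: a friend writing from a new, not-yet-allowlisted address -> garbage (review before deleting)
    "From: Bob <bob@newdomain.example>\r\nSubject: new job, new address\r\n\r\nIt's me, Bob.\r\n",
]


def sender_address(raw_message: str) -> str:
    """Return the lower-cased addr-spec from the From: header, or '' if absent.

    parseaddr() splits '"display" <addr>' into its two parts, so only the
    real address is used for matching, never the free-form display name.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = msg.get("From")
    if header is None:
        return ""
    _display_name, addr = parseaddr(str(header))
    return addr.lower()


def classify(raw_message: str, known=KNOWN_SENDERS) -> str:
    """'inbox' when the sender is on the allowlist, otherwise 'garbage'."""
    addr = sender_address(raw_message)
    allow = {k.lower() for k in known}
    return "inbox" if addr and addr in allow else "garbage"


def sort_mail(messages, known=KNOWN_SENDERS):
    """Sort a batch of raw messages into the two folders the comment describes."""
    folders = {"inbox": [], "garbage": []}
    for raw in messages:
        folders[classify(raw, known)].append(raw)
    return folders


def garbage_is_empty(folders) -> bool:
    """The 'first time in years' check: nothing left for the morning review."""
    return len(folders["garbage"]) == 0


if __name__ == "__main__":
    result = sort_mail(SAMPLE_MESSAGES)
    for name, msgs in result.items():
        print(f"{name}: {len(msgs)} message(s)")
        for raw in msgs:
            print("   from:", sender_address(raw) or "<none>")
    print("garbage empty:", garbage_is_empty(result))
```

The trade-off is the one the comment itself names: an allowlist gives essentially zero spam in the inbox, but legitimate mail from new correspondents always needs a manual pass over the garbage folder, which is why the owner reviews it before deleting rather than discarding it unseen.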