ESCquire writes "Apparently, the Washington Post Blog 'Security Fix' managed to shut down McColo, a US-based hosting provider facilitating more than 75 percent of global spam." Now how long before the void is filled by another ISP?
The badness attributed to McColo was not limited to spam. It included child pornography sites; sites that accepted payment for spam and child porn; rogue anti-virus Web sites; and a huge malicious software operation that apparently stole banking and credit card data from more than a half million people worldwide.
And they operated for how long before they were shut down... as a United States based hosting provider?
If they have evidence of these things, I certainly hope that The Washington Post turns any evidence over to the FBI or at the least the local law enforcement where McColo is operating. And I hope a warrant is obtained through the appropriate channels to collect evidence from Hurricane Electric & Global Crossing... I'm all for user privacy policy from an ISP but obviously these people are criminals.
The CAN-SPAM Act [ftc.gov] is directed at the commercial entities that actually create the message, not the service providers who happen to be the medium. There are no penalties defined for the ISP at the source end of the spam. This is a slippery slope, and one the US has done well to avoid so far.
While many have an opinion otherwise, the fact is United States based internet service providers are protected by common [lectlaw.com] carrier [wikipedia.org] laws.
While shutting down this ISP may have slowed the spam for today, the two fundamental flaws remain:
the United States does not have and will never have jurisdiction over foreign spammers
the spammers can relay their email through yet another ISP tomorrow.
Common carrier laws apply to ISPs because they are providing a neutral gateway, and are no more aware of the details of what is going on in their network than the Highway service knows what I'm keeping in the trunk of my car.
Spam senders, however, are different. They take a large amount of network resources, spawn repeated complaints, and trigger most network system warning bells. You can't spam on any real scale and not be noticed. No ISP would accidentally allow spammers to operate on their network for any length of time... there must be complicity.
ISP's generally don't like to talk about it, but the usual arrangement is that you get to spam X amount in exchange for X extra cash per month, or similar. Unless McColo was extraordinarily incompetent, they must have had a similar arrangement. I think it's fair to say that level of interaction (and kickback) takes them out of common carrier status.
The CAN-SPAM Act is directed at the commercial entities that actually create the message, not the service providers who happen to be the medium.
as the actual medium, as it's put, is already constitutionally protected from being liable. So although ISPs are not common carriers in the US, the law is virtually identical for the considerations discussed within the article.
'Two hours later, I heard from Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo.
Hurricane Electric took a much stronger public stance: "We shut them down," Ng said.
"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."'
So, after much hand-waving here, and elsewhere, about what info the Gov. and your ISP may be collecting about you, they could not spot this, a major spam, child-porn and theft site?
Maybe the honest version would be: "We were making shitloads of money out of selling bandwidth to these bastards, 'no questions asked', but now you've blown the whistle on them I guess we've gotta look responsible."
by Anonymous Coward
on Wednesday November 12 2008, @10:30AM (#25733847)
Because Hurricane Electric is operated by a boatload of fucking imbeciles. As someone who had cage/rack space (as a form of 2nd data centre) from them for numerous years, I can assure you their operational methods are quite possibly the worst (particularly in the Bay).
It comes as no surprise that "HE had no idea this was happening". They have no idea what's happening on their network at any time.
Imagine calling them because your network port is showing 30-40mbit/sec incoming traffic, destined to IPs that aren't even in your netblock (but are assigned to another HE-hosted company), and having two engineers tell you "that's impossible". You provide them tcpdump pcaps, and they tell you "those can't be real". The issue mysteriously gets resolved 72 hours later, and no one calls you back to tell you what the problem was. When you inquire, you're told "a customer had a misconfigured load balancer", which just induces even more questions about their network setup.
Imagine a co-location provider that does not use vlans or any form of layer 2 segregation between customers, relies on out-of-country ISPs to provide connectivity between them and large tier-1 ISPs (specific example: peering with Telia -- a Swedish ISP that does not have a US-based NOC -- exclusively to gain access to AT&T's network), and has no form of failover redundancy, specifically on their core routers (they did have redundancy at the switch level). I'm absolutely convinced their Fremont data centre had a single public-facing router.
Their main Cisco GSR would crash/lock up for 10-15 minutes at a time, before rebooting on its own or being administratively power-cycled. "What is happening with your network? No inbound or outbound packets make it to their dest" "We have an open case with Cisco" "Why was there no failover?" "We've an open case with Cisco". 2 months later, repeat. "Is this the same issue as 3 months ago?" "We believe so" "And why have you not replaced the hardware?" "We've an open case with Cisco". This issue went on for THREE YEARS.
Then there's their UPS/power situation: twice during a single year their Fremont data centre lost power for 6-7 full minutes at a time. Both times, it was caused by "unexpected problems during maintenance"... but they supposedly have back-up gas generators, and tote photos of them on their web site.
Then there's the cages. The cages are enclosures which should be 4-post, and are intended to be 4-post, but are front-mounted 2-post (and by front-mounted I don't mean telco style!). Generic, non-managed power strips are shoved into the cages, intended for you to use (rather than a 1 or 2U SNMP-managed PDU at the top of the rack). The cages are not deep enough for full-length servers, which results in full-length boxes blocking said power strip AC outlets. 42U rack, but only 6 or 7 AC outlets usable (unless you spaced your servers in a peculiar way, wasting about 1/3rd of your entire rack).
One word: ghetto.
When you consider all of the above, no one in their right mind should be surprised they were hosting a kiddie porn/spam/shady customer. "Build it and they will come".
So, I don't mean to be a dick here or anything, but you had those kinds of problems with a vendor you were using as a data centre not just once, but over a timespan measured in YEARS.
While your anecdotes indicate that HE does have problems, I think the bigger concern is that they have customers who put up with those problems. What golden nugget are we missing? Do they have higher than normal payouts for failing to meet SLAs?
I certainly hope The Washington Post doesn't have to do the job of the Federal Authorities in the future.
I think this quote down on the third page was probably the best, from a Trend Micro researcher (emphasis mine):
"There is damning evidence that this activity has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network, but nobody seems to care," [Paul] Ferguson said. "It's a statement on the inefficiencies of trying to pursue legal prosecution of these guys that it takes so long for anything to be done about it. Law enforcement is saying they're doing what they can, but that's not enough. And if law enforcement can't address stuff like this in a timely fashion, then the whole concept of law enforcement in the cyber world needs to be readdressed, because it's hardly making a dent at the moment."
The "federal authorities" cannot be everywhere at once. If you see a man getting beat by another man, do you just stand by and wait for the police to show-up 30 minutes later to collect the body? Of course not. You and your fellow citizens act to stop the abuse.
What happened here is no different. This reporter noticed an illegality, collected evidence, and then took action (called the ISP) to see if he could stop it. Later on, he will provide the evidence to the government.
If you see a man getting beat by another man, do you just stand by and wait for the police to show-up 30 minutes later to collect the body?
Well, let's not get ahead of ourselves here. Depends on why the other man is kicking his ass. If the one getting his ass kicked is a known child molester and the one doing the ass kicking claims that he has molested his daughter, I would be more inclined to pop open a cold beer and watch the show. In the case of a known spammer I might even be willing to lend a hand.
Hell, I was at a fight a few weeks ago that I paid 50 bucks to see....
Even child molesters have the right to not be beaten to a pulp. For one thing, the *alleged* child molester might be falsely-accused and completely innocent. Such judgments should be made in a neutral environment by due process of law (court system), not by people on the street. Therefore I would act to stop a so-called molester from being beaten - you can take him into custody without turning him into a corpse.
Discussing this issue reminds me of the guy who was beaten in Chicago(?) and then just left to lay there and suffer, while thousands of people walked past him & ignored his plight. You don't just "let the government help him". You use your individual liberty to take the initiative, call an ambulance, and help stop the bleeding.
Well, besides the USSC ruling that the police are not obligated to protect/defend you, or come to your aid, it's one of those "basic human decency" things. I don't know if I'd use the word "responsibility," but a decent person probably wouldn't say "meh, not my problem" and walk away.
I've never understood the "you can't defend yourself or stop a crime in progress, that's the police's job" mentality. I mean, are we supposed to sit there and be dependent on daddy government for every single thing? Yes, if the police are there and doing something about it, stay out of their way unless they ask for your help. But if they haven't gotten there yet, do something about it!
I'd like to suggest quite the opposite, that this is the way it should be. Do not trust the government to protect your interests in this regard. Time and time again they've been proven slow, incapable, and even corrupt.
Meanwhile, it is private groups, reporters, etc. that keep things in check. While this system is far from perfect, it's certainly better than the government as the sole "protector" of our interests.
I don't see how providing evidence to the government is "vigilante justice". On the contrary it is government justice which is what government is there to provide.
>>>>>The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to the lazy.
>>... nor is its purpose to raid lower- and middle-class people's wallets and give it to the rich...
No shit Sherlock. The common flaw with any of these actions is this - it's theft. Which is why I was strongly opposed to the 700 billion THEFT of taxpayer dollars to give to rich Wall Street fat slobs. And why I voted-out the politicians who voted "aye" to the bill.
I can't stand those rich Wall Street fat slobs either (really - I just loath them), but the problem is, that if all the rich suddenly get broke and poor, the middle class (that's me, and - I guess - you) is screwed just as well, because the complete system breaks down.
Of course, one could say screw the system, let the world burn, but the problem is, once the fire goes out, the same rich fat slobs shall crawl out of their lairs and take over the world again, just as if nothing happened.
One more thing: I'm not a US citizen, so I might be wrong on who voted "aye" to the questionable bill, but I seem to remember that it was just about everybody and their dogs (at least in the second round). So, whom did you really vote out?
Your post advocates a (x) technical (x) legislative (x) market-based (x) vigilante approach to fighting spam. Your idea will not work. Here is why it won'... Holy crap how did you do that? 75% of all spam!? So much for it being botnets causing it! Congratulations!
the spam will flow. It's the old "balloon dog" effect. Squeeze it in one place and it balloons in another. The ONLY way to attack this problem is to go after the advertisers who are willing to use spam as a medium to sell product.
I think we need to go after the clowns making the balloon animals!
So how do you set up a system where people can still be anon (even if the government issues some warrants) but held accountable for spam? Got any protocols which allow that?
I use GMail with email addresses on my own domain (and it's free!) The only downside is having only 7GB of mail storage space. GMail's spam filtering is indeed second to none, I'm piping one of my old yahoo accounts through to my new address, and yahoo lets a few spams through per day, and then gmail blocks all of those.
Since morality is subjective, only you can decide. However, it is certainly illegal, and could get you sent to federal pound-me-in-the-ass prison.
Interesting. So it's up to me whether it is good or bad to eat broken glass.
Look, since your mission is to undermine everyone's certainty, at least do it right. The one part of morality that is completely subjective is the discount rate, which is the time horizon that you set for your outcomes. Most things are good in the short term and bad in the long term, or vice versa, or some mixture. Nobody anywhere has yet figured out any rule for choosing or weighting one's time horizon.
Indeed, probably most political disagreements are really disagreements over time horizon. E.g., stay in Iraq? It's all about how far into the future you look for justification.
by Anonymous Coward
on Wednesday November 12 2008, @09:24AM (#25732999)
The comments on the Washington Post site are pretty worthless, but this one was particularly good:
"Brian - Well done, and well reported.
For the user who asked about reporting news versus creating news, you misunderstand Krebs's reporting. Like most good reporters who write big stories, he either got tips or analyzed data regarding spam and cyber-security. It probably was a combination of both. If he determined from his research, reporting and analysis that this data was coming from one place, he did not create a story by informing the spam host's business partners. Rather, he sought comment from them about this site, and they took action.
What Krebs reported is not as big a story as Watergate, but what do you think Woodward & Bernstein did? Wait for a press release? A regulatory filing? No, they took one news event, worked backwards from it, and determined that something big was going on -- just like a spammer. Then they wrote about it, just like Krebs did.
When Henry Blodget on Silicon Alley Insider wrote that The New York Times Co faces several possibilities for survival, he did not tap into a planned news event. He analyzed a balance sheet and made conclusions.
Much of the news that comes out is because beat reporters see connections and draw conclusions that are not opinion, but reasoned and accurate viewpoints based on evidence out there that resists coalescing into a larger news event because most of us don't get it. That's why we have journalists, and this is a great example of that.
And now for the full disclosure: I'm Robert MacMillan. I am a reporter at Reuters who covers the journalism business, and I worked at washingtonpost.com for many years with Brian. I sat right across from him so I know what he eats for lunch.
Posted by: easymac | November 11, 2008 9:45 PM"
When it comes to these sorts of things, oft times law enforcement and intelligence agencies who know about a source of major operations DON'T shut them down, so as to build a case against the bigger players or to maintain the ability to track what is going on. Given that this is a US-based corporation with US-based servers, I wonder if this shutdown has seriously compromised on-going monitoring and criminal cases. While this has almost certainly seriously disrupted operations of the various bad guys for now, I would give it only a few days before they're back online based at overseas locations where they're less easily reachable. Except for some script kiddies, the operations are all sophisticated enough to use standard techniques such as multiple hardcoded fallback IPs, DNS redirection, and using fake BGP announcements to hijack IP blocks to get back online.
I think law enforcement and intelligence is too busy working hard in other areas (IMHO due to mismanagement and fear campaigns) to be able to handle their traditional roles. If you see criminal activity that you can stop immediately without any danger to yourself why look the other way? You can report it later instead of making yourself an accessory after the fact by condoning the criminal activity by continuing to let them operate with your resources.
As for the other stuff, in a world scripted by Tom Clancy the supervillains simply switch to their backup systems. However in reality shutting down something that has taken a long time to establish can stop them for a long time and can open them up to exposure when they are trying to do it again.
All Maxis' Commerce colocation or dedicated server customers are bound by the following Acceptable Use Policy. This document may be updated from time to time. Please consult this site periodically for the most recent revision of this document.
No Maxis' Commerce customer shall:
Do anything illegal or anything that adversely affects Maxis' Commerce legal interests. The following list is non-exclusive, and should not be considered license to commit other illegal activities not specified below. All illegal activity is prohibited, and Maxis Commerce will cooperate fully with any law enforcement officials and/or agencies investigating and/or prosecuting such activities.
Cracking/Hacking - attempts to access accounts or systems other than the user's own accounts or systems or an account or system that the user has been explicitly authorized to access is illegal under federal and state law.
Child pornography - as defined by U.S. law. This is strictly prohibited and dealt with quickly and harshly.
Interstate gambling - because Internet traffic generally ignores state and country boundaries, any Internet based gambling site is restricted by Federal Inter-state gambling regulations.
Pyramid schemes or fraud - are illegal under a number of Federal, State and Local laws.
Theft of services - attempts to utilize services that are not contracted for is considered theft and will be dealt with as such.
Harassment - use of Maxis' Commerce network to harass or threaten (in the legal sense of those terms) any other person is prohibited.
Please consult an attorney if you are unsure of the legal status of your activities.
Do anything that threatens the integrity of Maxis' Commerce network or the utilization thereof by other persons.
Denial of Service (DOS) attacks - no customer will commit a DOS attack against any Maxis Commerce customer's host, or any other host on the Internet. Similarly, no Maxis Commerce customer will willfully or negligently allow incitement of others to attack any host on Maxis' Commerce network, or any other host on the Internet.
Blacklists - No customer shall do anything that could get any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer) put on blacklists such as the RBL (Realtime Black List) as maintained by MAPS (http://www.mail-abuse.com) or other similar organizations, or perform activities that would cause portions of the Internet to block mail or refuse to route traffic to any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer).
Perform actions that cause unusual load on Maxis' Commerce servers (for example, mail servers, web servers, usenet servers, name servers, etc.), that cause slowness or denial of service to other Maxis Commerce customers.
Do anything that threatens the Internet or any other network.
No customer shall take actions that cause any portion of the Internet, or the Internet as a whole, to become unusable to any other portion of the Internet, or the Internet as a whole.
No customer shall take actions that degrade the usefulness of the Internet, or any portion of the Internet, either through network degradation, flooding of usenet or email or so on.
Spam - No customer shall send unsolicited commercial email, unsolicited mass mailings, spam or flood usenet newsgroups, or anything of that sort. If you have questions about what is allowed and what is not, please email abuse@mccolo.com for clarification.
No spam may originate from Maxis Commerce IP space.
No spam may advertise sites or services located on Maxis Commerce IP space (even if the spam originates elsewhere).
No Maxis Commerce customer shall use third party mail servers to relay spam. This is considered a DOS attack on the third party and will be treated as such.
I use a procmail filter that sends mail from known addresses into my mailbox, and dumps everything else into a "garbage" file that I check every morning before deleting it (on the off chance that a friend or business has sent mail from a new address). This morning, for the first time in *years*, the file was empty.
...once the folks who sell spam and porn find a hosting provider who turns a blind eye, they tend to stick with it and consolidate their operations. Paying attention to Spamhaus and the more reliable botnet trackers tells me where these operations are located, and helps me write good gateway filters for my employer, my house, and my friends. Cutting off internet access tends only to disperse the ne'er-do-wells rather than stop them, and I have to start over again tracking and writing new filters. In other words, I like to know where these guys hang out so I can avoid them, the same way I avoid the riff-raff in the physical city where I live.
I think it's great that someone is doing something about the problem, but I don't think it should be the ISP. We already have laws against spam and certain porn, and it should be up to the government to enforce those laws. Vigilantism is never the answer.
The tried-and-true way works: if you have evidence, take it to the police. If the police won't do anything, take it to the press. Sure it takes a little longer, but it keeps - in this case your internet connection - safe from the Random Crusader. And the criminals may actually get arrested.
This shows the difference between today and the rest of the last week. The month version looks largely the same... Spikes every day until today, which is low.
From their press release:
"In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening."
I have come to the conclusion that it must be impossible to engage in any criminal activity which does not somehow involve child porn, as it seems to me that all stories of illicit behavior include accusations of trafficking in child porn.
Welcome to Casual Conversation. Many of you may already know this, but Casual Conversation is not Wikipedia. Wikipedia rules such as requiring citations and not allowing original research do not, in fact, apply here. This may be confusing to first-time users, but we hope you will soon adapt and find out the joys of Casual Conversation.
Ok, I did RTFA that slashdot posted too, but not the link inside the article. The initial article didn't mention anything about botnets and made it sound like it was the source of the spam.
What I don't like about this is that it gives normal people a false sense of security about the whole issue. The real issue is that governments aren't cracking down on people within their borders causing these problems including the U.S.
The Washington Post is not a security agency, they are a news agency. And when they do stuff like this they don't really have the right motives. It's just like those investigative reports that your local news channel does.
Slimy business practices have a way to continuing on despite everything, so in the wake of McColo it won't be long before we have a Colo King.
So, how much spam does everyone get each day on average?
Well, according to my mail logs, my mail server (which currently provides mail service for myself) in the past 8 hours:
Has blocked 2879 messages, based simply on the IP address, using RBLs.
Has blocked 1013 messages, based on some early tests in mail delivery.
Has passed 176 messages on for further filtering, with my address. I haven't checked how many were to my wife or to invalid addresses. Typically that's several hundred an hour.
The next level of filtering:
Dropped 18 messages completely.
Filed 127 messages in the "probable spam" box, where they will be deleted within a week.
Delivered 31 messages to my home server.
Of those messages, about half of those were filed as "spam" by Apple's Mail.app.
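The first stage in those counts, rejecting on the connecting IP alone via an RBL, is a plain DNS lookup. The Python below is an added example, not code from any commenter on this thread: it forms the query name, interprets the 127.0.0.0/8 answer as a listing, and checks that the list is alive before trusting it, so a dead or wildcarded zone blocks nothing rather than everything. The zone rbl.example, its records, the reason code 4 and the sample sender addresses are constructed stand-ins, not a real list's values.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a DNS name to its first A record, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Form the lookup name: the sender's octets reversed, then the list zone.
    192.0.2.25 checked against rbl.example becomes 25.2.0.192.rbl.example."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name: str) -> Optional[str]:
    """Live resolver for real use: first A record, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolver: Resolver = resolve_a) -> Optional[int]:
    """Return the list's reason code (last octet of the answer) if ip is listed, else None.

    Only answers inside 127.0.0.0/8 count as a listing. An answer outside that
    range means a dead, hijacked or wildcarded zone and must not reject mail.
    """
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    try:
        a = ipaddress.IPv4Address(answer)
    except ValueError:
        return None
    if a not in LOOPBACK:
        return None
    return int(str(a).split(".")[-1])


def zone_is_sane(zone: str, resolver: Resolver = resolve_a) -> bool:
    """Health check before trusting a list (RFC 5782 test points): 127.0.0.2 must be
    listed and 127.0.0.1 must not be. A list that fails this is ignored, not used."""
    return (is_listed("127.0.0.2", zone, resolver) is not None
            and is_listed("127.0.0.1", zone, resolver) is None)


def classify_senders(ips: List[str], zone: str,
                     resolver: Resolver = resolve_a) -> Tuple[List[str], List[str]]:
    """The first stage from the post: split connecting IPs into RBL-blocked and passed-on."""
    if not zone_is_sane(zone, resolver):
        return [], list(ips)  # broken list: block nothing rather than everything
    blocked: List[str] = []
    passed: List[str] = []
    for ip in ips:
        (blocked if is_listed(ip, zone, resolver) is not None else passed).append(ip)
    return blocked, passed


# Constructed fake zone and records (not a real list); TEST-NET addresses only.
FAKE_ZONE = "rbl.example"
FAKE_RECORDS: Dict[str, str] = {
    "2.0.0.127.rbl.example": "127.0.0.2",   # RFC 5782 "must be listed" test point
    "25.2.0.192.rbl.example": "127.0.0.4",  # constructed listing, reason code 4
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for resolve_a, backed by the constructed records above."""
    return FAKE_RECORDS.get(name)


if __name__ == "__main__":
    # Constructed sample of connecting IPs, as a mail server would see them.
    sample = ["192.0.2.25", "198.51.100.7", "192.0.2.25"]
    blocked, passed = classify_senders(sample, FAKE_ZONE, fake_resolver)
    print(f"blocked on RBL: {len(blocked)}, passed on for further filtering: {len(passed)}")
```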
Not Just Spam (Score:5, Interesting)
The badness attributed to McColo was not limited to spam. It included child pornography sites; sites that accepted payment for spam and child porn; rogue anti-virus Web sites; and a huge malicious software operation that apparently stole banking and credit card data from more than a half million people worldwide.
And they operated for how long before they were shut down ... as a United States based hosting provider?
... I'm all for user privacy policy from an ISP but obviously these people are criminals.
If they have evidence of these things, I certainly hope that The Washington Post turns any evidence over to the FBI or at the least the local law enforcement where McColo is operating. And I hope a warrant is obtained through the appropriate channels to collect evidence from Hurricane Electric & Global Crossing
Re:Not Just Spam (Score:4, Insightful)
While many have an opinion otherwise, the fact is United States based internet service providers are protected by common [lectlaw.com] carrier [wikipedia.org] laws.
While shutting down this ISP may have slowed the spam for today, the two fundamental flaws remain:
Parent
Re:Not Just Spam (Score:4, Interesting)
Common carrier laws apply to ISP's because they are providing a neutral gateway, and is no more aware of the details of what is going on their network than the Highway service knows what I'm keeping in the trunk of my car.
Spam senders, however, is different. It takes a large amount of network resources, spawns repeated complaints, and triggers most network system warning bells. You can't spam on any real scale and not be noticed. No ISP would accidentally allow spammers to operate on their network for any length of time... there must be complicity.
ISP's generally don't like to talk about it, but the usual arrangement is that you get to spam X amount in exchange for X extra cash per month, or similar. Unless McColo was extraordinarily incompetent, they must have had a similar arrangement. I think it's fair to say that level of interaction (and kickback) takes them out of common carrier status.
Parent
Re:Not Just Spam (Score:5, Informative)
This is why
The CAN-SPAM Act is directed at the commercial entities that actually create the message, not the service providers who happen to be the medium.
as the actual medium as it's put is already constitutionally protected from being liable. So although ISP's are not common carriers in the US, the law is virtually identical for the considerations discussed within the article.
Parent
ISPs are clueless? (Score:5, Insightful)
Also FTA:
'Two hours later, I heard from Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo.
Hurricane Electric took a much stronger public stance: "We shut them down," Ng said.
"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow! Within the hour we had terminated all of our connections to them."'
So, after much hand-waving here, and elsewhere, about what info the Gov. and your ISP may be collecting about you, they could not spot this, a major spam, child-porn and theft site?
Maybe the honest version would be;
"We were making shitloads of money out of selling bandwidth to these bastards, 'no questions asked', but now you've blown the whistle on them I guess we've gotta look responsible."
Parent
Re:ISPs are clueless? (Score:5, Informative)
Because Hurricane Electric is operated by a boatload of fucking imbeciles. As someone who had cage/rack space (as a form of 2nd data centre) from them for numerous years, I can assure you their operational methods are quite possibly the worst (particularly in the Bay).
It comes as no surprise that "HE had no idea this was happening". They have no idea what's happening on their network at any time.
Imagine calling them because your network port is showing 30-40mbit/sec incoming traffic, destined to IPs that aren't even in your netblock (but are assigned to another HE-hosted company), and having two engineers tell you "that's impossible". You provide them tcpdump pcaps, and they tell you "those can't be real". The issue mysteriously gets resolved 72 hours later, and no one calls you back to tell you what the problem was. When you inquire, you're told "a customer had a misconfigured load balancer", which just induces even more questions about their network setup.
Imagine a co-location provider that does not use vlans or any form of layer 2 segregation between customers, relies on out-of-country ISPs to provide connectivity between them and large tier-1 ISPs (specific example: peering with Telia -- a Swedish ISP that does not have a US-based NOC -- exclusively to gain access to AT&T's network), and has no form of failover redundancy, specifically on their core routers (they did have redundancy at the switch level). I'm absolutely convinced their Fremont data centre had a single public-facing router.
Their main Cisco GSR would crash/lock up for 10-15 minutes at time, before rebooting on its own or being administratively power-cycled. "What is happening with your network? No inbound or outbound packets make it to their dest" "We have an open case with Cisco" "Why was there no failover?" "We've an open case with Cisco". 2 months later, repeat. "Is this the same issue as 3 months ago?" "We believe so" "And why have you not replaced the hardware?" "We've an open case with Cisco". This issue went on for THREE YEARS.
Then there's their UPS/power situation: twice during a single year their Fremont data centre lost power for 6-7 full minutes at a time. Both times, it was caused by "unexpected problems during maintenance"... but they supposedly have back-up gas generators, and tote photos of them on their web site.
Then there's the cages. The cages are enclosures which should be 4-post, and are intended to be 4-post, but are front-mounted 2-post (and by front-mounted I don't mean telco style!). Generic, non-managed power strips are shoved into the cages, intended for you to use (rather than a 1 or 2U SNMP-managed PDU at the top of the rack). The cages are not deep enough for full-length servers, which results in full-length boxes blocking said power strip AC outlets. 42U rack, but only 6 or 7 AC outlets usable (unless you spaced your servers in a peculiar way, wasting about 1/3rd of your entire rack).
One word: ghetto.
When you consider all of the above, no one in their right mind should be surprised they were hosting a kiddie porn/spam/shady customer. "Build it and they will come".
Parent
Re:ISPs are clueless? (Score:5, Interesting)
So, I don't mean to be a dick here or anything, but you had those kinds of problems with a vendor you were using as a data centre not just once, but over a timespan measured in YEARS.
While your anecdotes indicate that HE does have problems, I think the bigger concern is that they have customers who put up with those problems. What golden nugget are we missing? Do they have higher than normal payouts for failing to meet SLAs?
Parent
Re:Not Just Spam (Score:5, Insightful)
I certainly hope The Washington Post doesn't have to do the job of the Federal Authorities in the future.
I think this quote down on the third page was probably the best, from a Trend Micro researcher (emphasis mine):
Parent
Re:Not Just Spam (Score:4, Insightful)
The "federal authorities" cannot be everywhere at once. If you see a man getting beat by another man, do you just stand by and wait for the police to show up 30 minutes later to collect the body? Of course not. You and your fellow citizens act to stop the abuse.
What happened here is no different. This reporter noticed an illegality, collected evidence, and then took action (called the ISP) to see if he could stop it. Later on, he will provide the evidence to the government.
Parent
Re:Not Just Spam (Score:4, Funny)
If you see a man getting beat by another man, do you just stand by and wait for the police to show up 30 minutes later to collect the body?
Well, let's not get ahead of ourselves here. Depends on why the other man is kicking his ass. If the one getting his ass kicked is a known child molester and the one doing the ass kicking claims that he has molested his daughter, I would be more inclined to pop open a cold beer and watch the show. In the case of a known spammer I might even be willing to lend a hand.
Hell, I was at a fight a few weeks ago that I paid 50 bucks to see....
Parent
Re:Not Just Spam (Score:5, Insightful)
Even child molesters have the right to not be beaten to a pulp. For one thing, the *alleged* child molester might be falsely-accused and completely innocent. Such judgments should be made in a neutral environment by due process of law (court system), not by people on the street. Therefore I would act to stop a so-called molester from being beaten - you can take him into custody without turning him into a corpse.
Discussing this issue reminds me of the guy who was beaten in Chicago(?) and then just left to lie there and suffer, while thousands of people walked past him & ignored his plight. You don't just "let the government help him". You use your individual liberty to take the initiative, call an ambulance, and help stop the bleeding.
Parent
Re:Not Just Spam (Score:5, Funny)
When seconds count, the police are just minutes away
Parent
Re:Not Just Spam (Score:5, Insightful)
Well, besides the USSC ruling that the police are not obligated to protect/defend you, or come to your aid, it's one of those "basic human decency" things. I don't know if I'd use the word "responsibility," but a decent person probably wouldn't say "meh, not my problem" and walk away.
I've never understood the "you can't defend yourself or stop a crime in progress, that's the police's job" mentality. I mean, are we supposed to sit there and be dependent on daddy government for every single thing? Yes, if the police are there and doing something about it, stay out of their way unless they ask for your help. But if they haven't gotten there yet, do something about it!
Parent
Re:Not Just Spam (Score:4, Insightful)
Be careful what you wish for.
I'd like to suggest quite the opposite, that this is the way it should be. Do not trust the government to protect your interests in this regard. Time and time again they've been proven slow, incapable, and even corrupt.
Meanwhile, it is private groups, reporters, etc. that keep things in check. While this system is far from perfect, it's certainly better than the government as the sole "protector" of our interests.
Parent
Re:Not Just Spam (Score:5, Insightful)
Parent
Re:Not Just Spam (Score:5, Insightful)
Did you just fill that in at random, or what?
Parent
Re:Not Just Spam (Score:5, Insightful)
I don't see how providing evidence to the government is "vigilante justice". On the contrary it is government justice which is what government is there to provide.
Parent
Re:Not Just Spam (Score:5, Insightful)
>>>>>The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to the lazy.
>>... nor is its purpose to raid lower- and middle-class people's wallets and give it to the rich...
No shit, Sherlock. The common flaw with any of these actions is this - it's theft. Which is why I was strongly opposed to the 700 billion THEFT of taxpayer dollars to give to rich Wall Street fat slobs. And why I voted out the politicians who voted "aye" to the bill.
Parent
Re:Not Just Spam (Score:5, Insightful)
Of course, one could say screw the system, let the world burn, but the problem is, once the fire goes out, the same rich fat slobs shall crawl out of their lairs and take over the world again, just as if nothing happened.
One more thing: I'm not a US citizen, so I might be wrong on who voted "aye" to the questionable bill, but I seem to remember that it was just about everybody and their dogs (at least in the second round). So, whom did you really vote out?
Parent
Slashdot can shut down spammers, too (Score:5, Funny)
Just give us an IP address linked in the summary. That's all we need.
Re:Slashdot can shut down spammers, too (Score:5, Funny)
Killjoy.
We can dream can't we?
Parent
good job! (Score:5, Funny)
First they shut down McCain, now McColo. Next up: McDonalds?
Re:good job! (Score:5, Interesting)
Seems like McD is moving quick:
http://inventorspot.com/articles/mcdonalds_japan_goes_nobrand_with_quarter_pounder_shops_19505 [inventorspot.com]
Parent
Re:good job! (Score:5, Funny)
Parent
Oblig. (Score:5, Funny)
http://craphound.com/spamsolutions.txt [craphound.com]
Re:Oblig. (Score:5, Funny)
More like:
Your post advocates a
(x) technical (x) legislative (x) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won'... Holy crap how did you do that? 75% of all spam!? So much for it being botnets causing it! Congratulations!
Parent
As long as there is money in it... (Score:5, Insightful)
the spam will flow. It's the old "balloon dog" effect. Squeeze it in one place and it balloons in another. The ONLY way to attack this problem is to go after the advertisers who are willing to use spam as a medium to sell product.
Re:As long as there is money in it... (Score:5, Funny)
the spam will flow. It's the old "balloon dog" effect. Squeeze it in one place and it balloons in another. The ONLY way to attack this problem is to go after the advertisers who are willing to use spam as a medium to sell product.
I think we need to go after the clowns making the balloon animals!
God, I hate clowns...
Parent
Re:As long as there is money in it... (Score:5, Insightful)
So how do you set up a system where people can still be anonymous (even if the government issues some warrants) but held accountable for spam? Got any protocols which allow that?
Parent
Re:As long as there is money in it... (Score:4, Interesting)
I use GMail with email addresses on my own domain (and it's free!)
The only downside is having only 7GB of mail storage space.
GMail's spam filtering is indeed second to none, I'm piping one of my old yahoo accounts through to my new address, and yahoo lets a few spams through per day, and then gmail blocks all of those.
Parent
Wow (Score:4, Interesting)
Sigh (Score:5, Funny)
Re:Have no fear! (Score:4, Funny)
For erections lasting more than 4 months, see a mason.
Parent
is it morally right to DDoS spaming ISPs? (Score:5, Interesting)
Re:is it morally right to DDoS spaming ISPs? (Score:4, Interesting)
Interesting. So it's up to me whether it is good or bad to eat broken glass.
Look, since your mission is to undermine everyone's certainty, at least do it right. The one part of morality that is completely subjective is the discount rate, which is the time horizon that you set for your outcomes. Most things are good in the short term and bad in the long term, or vice versa, or some mixture. Nobody anywhere has yet figured out any rule for choosing or weighting one's time horizon.
Indeed, probably most political disagreements are really disagreements over time horizon. E.g., stay in Iraq? It's all about how far into the future you look for justification.
Parent
Recomment (Score:5, Informative)
"Brian - Well done, and well reported. For the user who asked about reporting news versus creating news, you misunderstand Krebs's reporting. Like most good reporters who write big stories, he either got tips or analyzed data regarding spam and cyber-security. It probably was a combination of both. If he determined from his research, reporting and analysis that this data was coming from one place, he did not create a story by informing the spam host's business partners. Rather, he sought comment from them about this site, and they took action. What Krebs reported is not as big a story as Watergate, but what do you think Woodward & Bernstein did? Wait for a press release? A regulatory filing? No, they took one news event, worked backwards from it, and determined that something big was going on -- just like a spammer. Then they wrote about it, just like Krebs did. When Henry Blodget on Silicon Alley Insider wrote that The New York Times Co faces several possibilities for survival, he did not tap into a planned news event. He analyzed a balance sheet and made conclusions. Much of the news that comes out is because beat reporters see connections and draw conclusions that are not opinion, but reasoned and accurate viewpoints based on evidence out there that resists coalescing into a larger news event because most of us don't get it. That's why we have journalists, and this is a great example of that. And now for the full disclosure: I'm Robert MacMillan. I am a reporter at Reuters who covers the journalism business, and I worked at washingtonpost.com for many years with Brian. I sat right across from him so I know what he eats for lunch. Posted by: easymac | November 11, 2008 9:45 PM "
Better to NOT shut them down? (Score:5, Interesting)
When it comes to these sorts of things, oftentimes law enforcement and intelligence agencies who know about a source of major operations DON'T shut them down, so as to build a case against the bigger players or to maintain the ability to track what is going on. Given that this is a US-based corporation with US-based servers, I wonder if this shutdown has seriously compromised on-going monitoring and criminal cases. While this has almost certainly seriously disrupted operations of the various bad guys for now, I would give it only a few days before they're back online based at overseas locations where they're less easily reachable. Except for some script kiddies, the operations are all sophisticated enough to use standard techniques such as multiple hardcoded fallback IPs, DNS redirection, and using fake BGP announcements to hijack IP blocks to get back online.
--Paul
Re:Better to NOT shut them down? (Score:5, Insightful)
As for the other stuff, in a world scripted by Tom Clancy the supervillains simply switch to their backup systems. However in reality shutting down something that has taken a long time to establish can stop them for a long time and can open them up to exposure when they are trying to do it again.
Parent
I wonder what made them turn? (Score:5, Funny)
This is their AUP from 2005 (Mccolo.com)
Acceptable Use Policy (AUP)
All Maxis' Commerce colocation or dedicated server customers are bound by the following Acceptable Use Policy. This document may be updated from time to time. Please consult this site periodically for the most recent revision of this document.
No Maxis' Commerce customer shall:
Do anything illegal or anything that adversely affects Maxis' Commerce legal interests. The following list is non-exclusive, and should not be considered license to commit other illegal activities not specified below. All illegal activity is prohibited, and Maxis Commerce will cooperate fully with any law enforcement officials and/or agencies investigating and/or prosecuting such activities.
Cracking/Hacking - attempts to access accounts or systems other than the user's own accounts or systems or an account or system that the user has been explicitly authorized to access is illegal under federal and state law.
Child pornography - as defined by U.S. law. This is strictly prohibited and dealt with quickly and harshly.
Interstate gambling - because Internet traffic generally ignores state and country boundaries, any Internet based gambling site is restricted by Federal Inter-state gambling regulations.
Pyramid schemes or fraud - are illegal under a number of Federal, State and Local laws.
Theft of services - attempts to utilize services that are not contracted for is considered theft and will be dealt with as such.
Harassment - use of Maxis' Commerce network to harass or threaten (in the legal sense of those terms) any other person is prohibited.
Please consult an attorney if you are unsure of the legal status of your activities.
Do anything that threatens the integrity of Maxis' Commerce network or the utilization there of by other persons.
Denial of Service (DOS) attacks - no customer will commit a DOS attack against any Maxis Commerce customer's host, or any other host on the Internet. Similarly, no Maxis Commerce customer will willfully or negligently allow incitement of others to attack any host on Maxis' Commerce network, or any other host on the Internet.
Blacklists - No customer shall do anything that could get any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer) put on blacklists such as the RBL (Realtime Black List) as maintained by MAPS (http://www.mail-abuse.com) or other similar organizations, or perform activities that would cause portions of the Internet to block mail or refuse to route traffic to any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer).
Perform actions that cause unusual load on Maxis' Commerce servers (for example, mail servers, web servers, usenet servers, name servers, etc.), that cause slowness or denial of service to other Maxis Commerce customers.
Do anything that threatens the Internet or any other network.
No customer shall take actions that cause any portion of the Internet, or the Internet as a whole, to become unusable to any other portion of the Internet, or the Internet as a whole.
No customer shall take actions that degrade the usefulness of the Internet, or any portion of the Internet, either through network degradation, flooding of usenet or email or so on.
Spam - No customer shall send unsolicited commercial email, unsolicited mass mailings, spam or flood usenet newsgroups, or anything of that sort. If you have questions about what is allowed and what is not, please email abuse@mccolo.com for clarification.
No spam may originate from Maxis Commerce IP space.
No spam may advertise sites or services located on Maxis Commerce IP space (even if the spam originates elsewhere).
No Maxis Commerce customer shall use third party mail servers to relay spam. This is considered a DOS attack on the third party and will be treated as such.
No customer shall participate in pyramid schemes
OMFG!! (Score:5, Funny)
My personal experience (Score:5, Interesting)
All well and good, but... (Score:4, Interesting)
...once the folks who sell spam and porn find a hosting provider who turns a blind eye, they tend to stick with it and consolidate their operations. Paying attention to Spamhaus and the more reliable botnet trackers tells me where these operations are located, and helps me write good gateway filters for my employer, my house, and my friends. Cutting off internet access tends only to disperse the ne'er-do-wells rather than stop them, and I have to start over again tracking and writing new filters. In other words, I like to know where these guys hang out so I can avoid them, the same way I avoid the riff-raff in the physical city where I live.
I think it's great that someone is doing something about the problem, but I don't think it should be the ISP. We already have laws against spam and certain porn, and it should be up to the government to enforce those laws. Vigilantism is never the answer.
The tried-and-true way works: if you have evidence, take it to the police. If the police won't do anything, take it to the press. Sure it takes a little longer, but it keeps - in this case your internet connection - safe from the Random Crusader. And the criminals may actually get arrested.
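The gateway filter the commenter describes, as an added example that is not his code: it reads a block list in the text layout Spamhaus uses for its DROP file (";" comment lines, then "CIDR ; SBL reference"), merges adjacent networks, answers "is this IP listed?" and emits an nftables set body. The list text, its SBL numbers and the IP addresses below are all constructed placeholders.

```python
"""Build a gateway block filter from a DROP-style network list.

Added example (not the commenter's own filters). The input is constructed
in the DROP text layout; SBL references are placeholders, not real ones.
"""
import ipaddress

# Constructed DROP-style input. Real files carry ";" comments and one
# "network ; SBLnnn" entry per line; the SBL numbers here are placeholders.
DROP_TEXT = """\
; Constructed DROP-style list for illustration (not live data)
; Last-Modified: n/a
192.0.2.0/24 ; SBL000001
192.0.3.0/24 ; SBL000002
198.51.100.0/25 ; SBL000003
198.51.100.128/25 ; SBL000004
203.0.113.0/24 ; SBL000005
bad line that should be skipped
"""


def parse_drop(text: str) -> dict:
    """Map each listed network to its SBL reference, skipping comments/junk."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue  # malformed line: never let it turn into a firewall rule
        entries[net] = ref.strip()
    return entries


def collapse(nets) -> list:
    """Merge adjacent/overlapping networks so the ruleset stays small."""
    return list(ipaddress.collapse_addresses(nets))


class GatewayFilter:
    """Lookup table plus rule generator for a border gateway."""

    def __init__(self, text: str):
        self.refs = parse_drop(text)        # network -> SBL reference
        self.nets = collapse(self.refs)     # merged, sorted networks

    def match(self, ip: str):
        """Return the merged network containing ip, or None if unlisted."""
        addr = ipaddress.ip_address(ip)
        for net in self.nets:
            if addr in net:
                return net
        return None

    def nft_elements(self) -> str:
        """Body for an nftables interval set, e.g. 'set drop4 { ... }'."""
        return "elements = { " + ", ".join(map(str, self.nets)) + " }"
```

Both the SBL reference and the merged range survive, so a hit on the gateway can still be traced back to the list entry that caused it.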
Spamcop shows a big dip.. (Score:5, Informative)
This shows a dramatic reduction in spam [spamcop.net] as of yesterday 4PM EST.
Will be interesting to watch it climb back up....
Re:Spamcop shows a big dip.. (Score:5, Informative)
More importantly: http://www.spamcop.net/spamgraph.shtml?spamweek [spamcop.net]
This shows the difference between today and the rest of the last week. The month version looks largely the same... Spikes every day until today, which is low.
Parent
IronPort reports 66 percent drop in spam Tuesday (Score:5, Interesting)
Re:Hosting Child porn? (Score:5, Insightful)
I have come to the conclusion that it must be impossible to engage in any criminal activity which does not somehow involve child porn, as it seems to me that all stories of illicit behavior include accusations of trafficking in child porn.
Parent
Re:Hosting Child porn? (Score:5, Funny)
Welcome to Casual Conversation. Many of you may already know this, but Casual Conversation is not Wikipedia. Wikipedia rules such as requiring citations and not allowing original research do not, in fact, apply here. This may be confusing to first-time users, but we hope you will soon adapt and find out the joys of Casual Conversation.
Enjoy your stay!
Parent
Re:BS. Not by volume. (Score:5, Informative)
RTFA. The ISP in question hosted the control points for the botnets which generated the spam. They didn't need crazy bandwidth, just solid hosting.
Parent
Re:BS. Not by volume. (Score:4, Interesting)
Ok, I did RTFA that slashdot posted too, but not the link inside the article. The initial article didn't mention anything about botnets and made it sound like it was the source of the spam.
What I don't like about this is that it gives normal people a false sense of security about the whole issue. The real issue is that governments aren't cracking down on people within their borders causing these problems including the U.S.
The Washington Post is not a security agency, they are a news agency. And when they do stuff like this they don't really have the right motives. It's just like those investigative reports that your local news channel does.
Slimy business practices have a way to continuing on despite everything, so in the wake of McColo it won't be long before we have a Colo King.
Parent
Re:How much spam? (Score:4, Interesting)
So, how much spam does everyone get each day on average?
Well, according to my mail logs, my mail server that currently provides mail service for myself in the past 8 hours:
Has blocked 2879 messages, based simply on the IP address, using RBLs.
Has blocked 1013 messages, based on some early tests in mail delivery.
Has passed 176 messages on for further filtering, with my address. I haven't checked how many were to my wife or to invalid addresses. Typically that's several hundred an hour.
The next level of filtering:
Dropped 18 messages completely.
Filed 127 messages in the "probable spam" box, where they will be deleted within a week.
Delivered 31 messages to my home server.
Of those messages, about half of those were filed as "spam" by Apple's Mail.app.
That's pretty low by my standards. Good work.
Parent
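The staged filtering the commenter tallies from his logs, as an added example that is not his mail setup: connecting IPs are first checked against a DNSBL (the query name is built the real way, octets reversed under the list zone, but answered from a constructed table rather than live DNS), survivors go through SMTP-time checks, and the rest are scored into delivered / probable spam / dropped. The zone name, users, messages and IPs are constructed.

```python
"""Tally inbound mail through RBL, early SMTP checks and content filtering.

Added example, not the commenter's server. DNSBL answers come from a
constructed table (LISTED) so it runs offline; all sample data is made up.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

DNSBL_ZONE = "dnsbl.example"  # placeholder zone, not a real block list
# Constructed DNSBL answers: query name -> A record. A live list returns a
# 127.0.0.x record for listed hosts and NXDOMAIN for everything else.
LISTED = {
    "5.4.3.203.dnsbl.example": "127.0.0.2",
    "9.8.7.198.dnsbl.example": "127.0.0.2",
}
LOCAL_USERS = {"me", "wife"}                          # valid RCPT TO local parts
SPAMMY_WORDS = ("viagra", "lottery", "replica", "pharmacy")


def dnsbl_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """DNSBL query name: the IPv4 octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip: str, answers=LISTED) -> bool:
    """Stage 1: True if the (constructed) DNSBL has an answer for this IP."""
    return dnsbl_name(ip) in answers


@dataclass
class Message:
    client_ip: str
    helo: str
    rcpt_local: str   # local part of RCPT TO
    body: str


def early_checks(msg: Message) -> bool:
    """Stage 2: recipient must exist and HELO must look like a hostname."""
    if msg.rcpt_local not in LOCAL_USERS:
        return False
    return "." in msg.helo and not msg.helo.split(".")[0].isdigit()


def content_score(body: str) -> int:
    """Stage 3: crude keyword count standing in for a content filter."""
    lower = body.lower()
    return sum(lower.count(w) for w in SPAMMY_WORDS)


def classify(msg: Message) -> str:
    """Run one message through the stages; return where it ended up."""
    if rbl_listed(msg.client_ip):
        return "rbl_blocked"
    if not early_checks(msg):
        return "early_rejected"
    score = content_score(msg.body)
    if score >= 3:
        return "dropped"
    return "probable_spam" if score else "delivered"


def tally(msgs) -> Counter:
    """Per-stage counts, the shape of the numbers in the post above."""
    return Counter(classify(m) for m in msgs)


SAMPLE = [  # constructed inbound delivery attempts
    Message("203.3.4.5", "mx.example.net", "me", "hello"),
    Message("198.7.8.9", "mail.example.org", "wife", "hi"),
    Message("192.0.2.10", "10", "me", "anything"),
    Message("192.0.2.11", "host.example.com", "nobody", "anything"),
    Message("192.0.2.12", "host.example.com", "me", "cheap viagra from our pharmacy, viagra!"),
    Message("192.0.2.13", "host.example.com", "me", "you won the lottery"),
    Message("192.0.2.14", "host.example.com", "wife", "dinner tonight?"),
]
```

The cheap stages run first on purpose: an RBL hit costs one DNS lookup and rejects the connection before any message body is accepted, which is why the post's largest count sits at that stage.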