Manage Learn to apply best practices and optimize your operations.

With McColo shut down, has spam decreased?

Expert Michael Cobb explains how the shutdown of the San Jose-based Web hosting service provider actually impacted spam levels.

Did the McColo shutdown actually stop spam?
For anyone who missed the story, McColo was a San Jose, Calif.-based Web hosting service provider. It was shut down in November 2008 by its upstream providers -- larger ISPs that provide Internet access to smaller ISPs -- as a significant amount of spam, malware and botnets had been emanating from the McColo servers. In fact, it was estimated that McColo's customers were responsible for a substantial proportion of all spam email at the time. Almost overnight, spam volumes dropped and subsequent reports reckoned global spam volumes had decreased by around two-thirds or more.

This drop in spam was mainly due to the impact that the shutdown had on controllers of six major botnets, including one of the world's largest, Srizbi. Experts put the size of this botnet at around 500,000 machines and estimated that is supposedly capable of sending around 60 billion spam messages a day -- more than half of the global total. Interestingly, one reason for the initial spam decrease was that a number of emails were discarded because they were sent to non-existent addresses dropped to a fraction of its usual level. This could mean that levels of other spam email were still relatively high.

Sadly, spam levels have slowly crept back up. By January, MessageLabs Inc. reported spam volumes at about 80% of pre-McColo takedown levels; Symantec Corp.'s April 2009 spam report said that volumes were, in fact, back to pre-takedown levels. Google has also reported similar findings based on the millions of inboxes it manages. This fall and rise of spam after a takedown demonstrates a common pattern; when another ISP, Intercage, for example, was taken down, it created only a brief decline in spam activity as botnet controllers simply found new "unscrupulous" providers.

However, following the McColo shut down, it does appear that controllers are adopting new strategies to avoid a similar hit on their operations. One tactic is to not run their botnets at full capacity, which avoids exposing a new ISP as a target. Some are even using peer-to-peer technology to send instructions between computers rather than having a single command-and-control computer communicate with all of their bots.

Obviously, the takedown of McColo was a good thing, even though the reduction in spam was only temporary. It took spammers only four months to get their botnets back up and running. Worryingly, there's now a rise in the amount of spam with malware attached. McColo was a small victory, but the war is still very much ongoing. With 85% of all email traffic thought to be spam, we certainly need more victories.

This was last published in August 2009

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.