Alleged Silicon Valley spam source taken down; global spam volume drops 75%

A critical piece of at least one spam gang’s cyber-crime infrastructure was allegedly taken down Tuesday following a four-month-long investigation by the Washington Post, leading to what multiple sources cited by the Post describe as an immediate approximately 75% drop in global spam volume.

The take-down of San Jose-based hosting company McColo by two of its upstream providers occurred at 16:23 EST yesterday, according to a security researcher who was actively monitoring its systems at the time. A similarly dramatic drop in connections to SophosLabs' own spamtrap mail servers can be seen in the chart below, which plots connections since midnight Monday:

[Chart: connections to SophosLabs' spamtraps vs. time]

The same precipitous decline is evident in similar charts accompanying the Post's article.
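The spamtrap monitoring described above, as an added example (not SophosLabs' or the Post's code): a small detector that bins connection timestamps by hour and flags the bin in which volume falls to a fraction of the trailing baseline, the kind of step change the chart shows. The log-line format, the date and the sample data are all assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta


def bin_connections(lines, bin_minutes=60):
    """Count connections per fixed-width bin. Each log line is assumed to start
    with an ISO-8601 timestamp, e.g. '2008-11-11T16:23:05 192.0.2.7'."""
    width = timedelta(minutes=bin_minutes)
    counts = Counter()
    for line in lines:
        ts = datetime.fromisoformat(line.split()[0])
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        counts[ts - (ts - midnight) % width] += 1  # floor to the bin start
    return dict(sorted(counts.items()))


def find_volume_drops(counts, baseline_bins=4, max_ratio=0.5):
    """Flag the onset of each step change where a bin's count falls to at most
    max_ratio of the mean of the preceding baseline_bins bins.
    Returns (bin_start, baseline_mean, count, percent_drop) tuples."""
    events, in_drop = [], False
    items = list(counts.items())
    for i in range(baseline_bins, len(items)):
        baseline = sum(c for _, c in items[i - baseline_bins:i]) / baseline_bins
        start, count = items[i]
        dropped = baseline > 0 and count / baseline <= max_ratio
        if dropped and not in_drop:  # report only the first bin of a run
            events.append((start, baseline, count, round(100 * (1 - count / baseline), 1)))
        in_drop = dropped
    return events


def constructed_log(day="2008-11-11", before=100, after=25, cut_hour=16):
    """Constructed sample log (not real spamtrap data): `before` connections per
    hour until cut_hour, `after` per hour thereafter, spread evenly in each hour."""
    lines = []
    for hour in range(24):
        n = before if hour < cut_hour else after
        for k in range(n):
            minute, second = divmod(k * (3600 // n), 60)
            lines.append(f"{day}T{hour:02d}:{minute:02d}:{second:02d} 192.0.2.{k % 254 + 1}")
    return lines


if __name__ == "__main__":
    for start, baseline, count, pct in find_volume_drops(bin_connections(constructed_log())):
        print(f"{start:%Y-%m-%d %H:%M}: {count} connections vs. baseline {baseline:.0f} ({pct}% drop)")
```

On the constructed data the detector reports a single event at the 16:00 bin with a 75% drop; on a real feed, the trailing-baseline comparison also suppresses repeat alerts while volume stays low.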

The company is alleged to have been hosting command-and-control (C&C) mechanisms for a number of large botnets, perhaps including Rustock, Srizbi, Dedler, Storm, Mega-D and Pushdo. Taken together, these botnets are estimated to contain over 600,000 infected home computers capable of sending more than 100 billion spam emails per day, according to Wikipedia's entry on botnets. Indeed, security researchers have been tracking McColo for a considerable time: in their latest Cyber Crime USA report they claim the company "has a key role in managing world's major botnets, and malware warehousing, which has been estimated as partially controlling 50-75% of the world's spam."

While it’s currently unclear what action — if any — may be taken against the company, if it turns out to be true that the massive decrease in spam volume was indeed caused by the take-down then the result is encouraging for two reasons:

  • Despite the recent reported shift by botnet operators from centralized IRC- and HTTP-based C&C architectures to a more elusive peer-to-peer (P2P) model, it appears a large majority of extant spam-sending botnets still exhibit single points of failure that expose them to catastrophic damage by well-placed counter-attacks; and
  • Significant success can be achieved by defenders of the global email infrastructure through complaints to those who provide Internet connectivity to so-called “rogue ISPs”. While it’s true that researchers (likely the same credited as “the security industry” in Post reporter Brian Krebs’ blog entry on the topic) have complained to McColo’s upstream providers in the past with no apparent effect, the most egregious offenders cannot escape mainstream notice indefinitely.

Security researchers should take heart that their efforts do not go unrewarded, and should work harder to develop closer relationships with major media outlets. And it seems — for now, at least — that the level of sophistication attained by major spam gangs may have been significantly overstated.