McColo up again, down again

While the take-down of McColo received a lot of attention in the last few days, it seems not everyone was listening: the company came back online yesterday for a while thanks to TeliaSonera AB, a Swedish ISP that has a router in San Jose:

Traceroute to McColo during their brief peering with TeliaSonera

Apparently those responsible for hooking up new customers at TeliaSonera don’t read security blogs. That said, the company does deserve props for its rapid response to complaints: I emailed their abuse@ address yesterday evening, received a reply a few hours later from Jimmy Arvidsson — the head of their security department — saying they were taking action to revoke the peering, and when I started work in Vancouver this morning McColo was down again. It’s great to see such a rapid result from a complaint to an ISP!

Security researcher Atif Mushtaq also complained to TeliaSonera, though as his later blog post indicates, we were both too late to prevent the Rustock guys hurriedly pushing an update to at least some of their bots, switching them from McColo to a new host in Russia during the brief period of connectivity. Thus we should expect spam volumes to increase again soon (Rustock is estimated to be capable of sending 30 billion spams per day), though how big an increase we’ll see depends largely on the number of zombie PCs the botnet’s controller was able to reach during McColo’s temporary resurrection. For now, though, volume on our spamtraps is still hovering around a quarter of what it was before the take-down:

SophosLabs' spamtrap volume still low