Krebs Spam Takedown Service
November 14th, 2008
There are a number of companies in the security industry that specialize in the quick and efficient takedown of malicious sites (primarily sites hosting phishing pages that target their customers). But this week, Brian Krebs, an investigative technology reporter at the Washington Post, singlehandedly accomplished something that had never been done before: he nearly killed email spam! Well, at least he reduced it by as much as 65% for a couple of days.
A few months ago Brian began an investigation of the key infrastructure providers for the online cybercrime scene. This investigation led him to identify companies such as Atrivo, a California network provider with a wide range of cybercriminal activity emanating from its networks; EstDomains, a domain name registrar that allowed cybercriminals to register hundreds of thousands of domains tied to a variety of online crimes; and this week's latest addition to that list, McColo, another network hosting provider.
Not content with merely shining a light on these dark corners of the Internet through his reporting, Brian has also worked proactively with network carriers to cut off network access to these hosting providers, effectively booting them off the Internet, and, in the case of EstDomains, helped bring about its de-accreditation as a registrar by ICANN.
After Brian's latest foray into Internet security with McColo's Internet lockout on Tuesday, Secure Computing's TrustedSource registered almost a 65% drop in global spam traffic. In the chart below you can see the decline in volume starting on Tuesday afternoon (EST). By Wednesday afternoon, however, the spammers had rebounded, and levels were only 50% below normal traffic flow 24 hours after the shutdown. The rise continued on Thursday, although spam levels have not yet returned to normal.

The reason for this decrease was the large number of spam Command and Control servers (C&Cs) located on McColo's networks. Those servers control the millions of compromised zombies responsible for the vast majority of all spam sent worldwide. When the servers went offline, the zombies effectively lost the connection to their 'brain' and could no longer send spam on their own.
During the past two days, we observed the absence of political spam (featuring president-elect Obama, Senator McCain and their spouses) that included links to Canadian pharmacy websites. This political spam did not cease with the end of the election season but continued to grow, primarily by exploiting party conflict and "shameful pics".
Enlargement spam and loan spam took a noticeable volume drop. Some of the spam titles that started to disappear on Tuesday were:
Drunk Barak after elections
We have your shaming pics.
The truth behind 9 inches
Michelle Obama nude
McCain strike against Obama political way
Goodiest p_i_l_l_s
Colon Cleanse
6% Guaranteed 6 Yrs!
However, many of the spam subjects that abruptly disappeared on Tuesday afternoon have now begun to reappear. It should also be noted that we have not seen any decrease in the number of new malicious websites that TrustedSource detects appearing online daily; instead we recorded increases consistent with past daily trends.
So enjoy this spam holiday, courtesy of Brian Krebs, while it lasts. We believe that within weeks the spammers will find new locations for hosting their infrastructure and that levels will return to the 'normal' highs we typically see during the holiday season.