
Hosting Company Shutdown Causes Spam Volumes to Fall - For Now! 

Nov 13, 2008 02:59 PM

The recent shutdown of a San Jose-based Web hosting company named McColo.com appears to have resulted in a significant short-term drop in spam traffic worldwide. At approximately 21:30 GMT on November 11, 2008, multiple upstream network providers shut down access to McColo.com hosted systems, based on abuse complaints. One of the results of this action was a quick and dramatic decrease in spam sent worldwide.


The volume change could be measured directly in the Symantec probe network, which saw a 65% drop in traffic when comparing the 24 hours prior to the McColo.com shutdown to the 24 hours after. It is interesting that shutting down a single hosting company could have such a large impact on overall spam volume, but when you consider that McColo.com was allegedly hosting a significant number of botnet command-and-control systems, it is not totally surprising. Their IP range has, in the past, been linked with reports of serving up Rustock downloaders and of controlling the spambot component. Simply performing a Web search of the addresses associated with this range returns write-ups from several security vendors, and all of the articles are related to Rustock. By cutting the link between these systems and the bot-infected machines they control, the ability to send spam from botnets such as Rustock and Srizbi can be significantly impacted. The speed with which spam volumes decreased also demonstrates that while botnets are becoming increasingly robust, there are many that can still be impacted by losing a critical command-and-control link.


However, this decrease in spam volume will not be sustained and it is certain that while this battle may be won, the spam war is not over:

 

•    Command-and-control systems will be re-established and more importantly, this event may drive spammers toward the continued use of peer-to-peer botnets, which are generally more resilient.
•    In this turbulent economic climate there may be other hosting companies around the world that are willing to facilitate this sort of spam activity. In October, Symantec reported that the presence of active zombies around the world was shifting. Turkey, Brazil, and Russia are the top three countries hosting active zombie machines. The U.S. comes in at fourth place, hosting six percent of active zombie machines.
•    Historically, the end of the calendar year sees a large increase in spam volume, often driven by the holiday season.

While this event may present an obstacle for spammers looking to get their message out in the short term, the profit motive still exists and will undoubtedly drive new spam campaigns. Look for more to come from us on this as we monitor spam levels during the coming days.