McColo and SPAM

It would seem that the sources of SPAM have merely moved since McColo
was shut down and it's going to
take some time for everyone's blackhole routes and RBLs to catch up.
I have personally noticed a higher
delivered spam content in my own email accounts.

Peter

McColo hosted the command and control servers for spam botnets and didn't originate spam directly, at least primarily, according to my understanding.

- S

That is correct. Srizbi and Rustock, primarily.

Certainly, I have seen a perceptual, yet completely subjective increase.

I know major operators who have claimed to see a gigantic decrease.

Peter

We experienced exactly no decrease with the McColo shut down a few weeks
back, even though we receive 2M+ messages per day. It's interesting that
each service provider's spam populations are as different as they are. Some
experienced gigantic decreases, others didn't. And it's not like we have
just one domain.

I know MessageLabs examines spam rates per industry type.

Frank

We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it mirrors spamhaus amongst other things.

The numbers are in 1000s of 1000s per 5-minute window (so 2500k = 2.5m).

You can see a dramatic decrease that corresponds with them going offline and then the spam level gradually coming back, but it's certainly not back full tilt yet.

Paul

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

aggregate-month.png
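As an added example, not code from this thread or from Blacknight, here is the lookup a mail server performs against a DNSBL of the kind Paul's mirror serves: reverse the address octets (or IPv6 nibbles), query them under the zone, and treat only the zone's published 127.0.0.x listing codes as a listing. The return codes and the 127.255.255.x error codes are the ones Spamhaus publishes for its zen zone; the zone name `zen.spamhaus.org`, the in-memory `STUB_ZONE` answers and the test addresses from the RFC 5737 ranges are constructed so that the block runs offline. The point a practitioner would want is the caveat in `check()`: an answer outside 127.0.0.0/8 (the classic symptom of a dead DNSBL whose domain has been wildcarded) or a 127.255.255.x error must not be counted as a listing, or every sender gets rejected.

```python
"""DNSBL lookup with Spamhaus-style return-code interpretation.

Added example; not code from the thread. STUB_ZONE is a constructed
stand-in for a live DNSBL zone so the block runs with no network access.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ZONE = "zen.spamhaus.org"  # assumed zone; Paul's mirror would substitute its own name

# Listing codes published for the zen zone (SBL, XBL and PBL combined).
LISTING_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Error codes: the zone answered, but not with a listing.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def reverse_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name: reversed octets (v4) or nibbles (v6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


@dataclass
class DnsblResult:
    ip: str
    query: str
    listed: bool = False
    lists: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    unexpected: List[str] = field(default_factory=list)


Resolver = Callable[[str], List[str]]  # name -> A records ([] on NXDOMAIN)


def check(ip: str, resolve: Resolver, zone: str = ZONE) -> DnsblResult:
    """Query the zone and classify every A record returned for the name."""
    query = reverse_name(ip, zone)
    result = DnsblResult(ip=ip, query=query)
    for answer in resolve(query):
        if answer in LISTING_CODES:
            result.listed = True
            if LISTING_CODES[answer] not in result.lists:
                result.lists.append(LISTING_CODES[answer])
        elif answer in ERROR_CODES:
            result.errors.append(ERROR_CODES[answer])
        else:
            # Anything else (e.g. a parked-domain wildcard) is NOT a listing.
            result.unexpected.append(answer)
    return result


def smtp_decision(result: DnsblResult) -> str:
    """Fail open: reject only on a genuine listing code, never on errors."""
    return "reject" if result.listed else "accept"


def system_resolver(name: str) -> List[str]:
    """Live lookup through the host resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answers standing in for a real zone (not real listing data).
# 127.0.0.2 is the conventional DNSBL test point and is always listed.
STUB_ZONE: Dict[str, List[str]] = {
    reverse_name("127.0.0.2"): ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    reverse_name("192.0.2.55"): ["127.0.0.4"],           # exploited host
    reverse_name("203.0.113.9"): ["127.255.255.254"],    # open-resolver error
    reverse_name("203.0.113.200"): ["198.51.100.1"],     # wildcard garbage
}


def stub_resolver(name: str) -> List[str]:
    return STUB_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.55", "198.51.100.7", "203.0.113.9", "203.0.113.200"):
        r = check(ip, stub_resolver)
        print(f"{ip:15} {smtp_decision(r):6} lists={r.lists} errors={r.errors} unexpected={r.unexpected}")
```

To run against the live zone replace `stub_resolver` with `system_resolver`, and do it from a resolver that is not a public open resolver, which is exactly the case the 127.255.255.254 branch is there to catch.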

McColo was just an exercise in "managing" cyber crime operations in the
U.S.

Please do not be distracted by the whole "spam" issue, it's just a
byproduct of a much larger criminal operation.

What this community should really be discussing is how to deal with these
issues in a collaborative manner, because that is exactly what is needed to
combat it.

$.02,

- - ferg

Paul,

I read Gregg Keizer's piece in CW where FireEye's Fengmin Gong is quoted as "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

Now interposing on the Srizbi system's attempt to communicate shouldn't be signing up to do an unlimited number of $6 buys from VGRS plus the overhead to ICANN and a registrar, after all, it is likely that Srizbi isn't using real money to do its domain buys ... so I wrote to the dead mailbox at Gong's company to ask for numbers, and if anyone in the registrar/registry business units knew why Gong's company was doing a couple hundred buys, and what T&C they were offered to keep Srizbi disconnected ...

No response.

How many domains did FE register, through which registrar(s), and at any point did FE represent to the registrar(s) or to the registry (or registries) the purpose of the buys was to keep Srizbi disconnected? If the registrar(s) or registry(ies) were informed of the purpose of the buys, what response, if any, did they make to FE's representation?

I want to know what FE's burn rate was in prophylactic domain buys, and who told FE to let Srizbi resynch its C&C nodes with its bots. I will discuss what I learn with the ICANN GNSO Council. If Keizer's even remotely correct on this point, then this is a "should never happen again" scenario where the GNSO can mandate registry and registrar responses.

So yeah, collaboration would be good, but FE ain't taking my mail, so if this is ever going to go to registrar/registry policy land, it will have to find its own way there. We just lost the unlimited 5 day "Add Grace Period" due to domainers and (some) registrars using it for tasting, and carving out a "prophylactic grace period" for things like this is possible, so that it becomes a no-charge to the interposing buy engine.

my two beads worth,
Eric

Paul Ferguson wrote:

What's very interesting to me is the very rhythmic peaks-and-valleys you show... Seems to go up every day, down during the night; gradually rising Mon-Wed, slight drops Thurs-Fri, and then big drop Sat, lower drop Sun, and then jumps back on Monday.

The reason for that is our legit e-mail traffic pattern I guess. We probably see the same level of spam 24/7 but from 8am to 8pm GMT we'd get a lot of legit traffic from the few 100k pop3/imap/smtp users we have and as such you'd see the peaks and troughs caused by their usage.

Primarily they'd be Irish, but we'd have 10% or so in the UK/Rest of Europe as well, so they'd fit in with the 8-8 peaks.

Paul
