Orange (CA) – One week after the takedown of McColo, hoster of a major spam hosting network, spam levels remain at a relatively low level, security experts from Marshal8e6 said today. However, they also believe that spammers are setting up a new infrastructure and it may be just a matter of time until spam levels go back up.
Marshal8e6 did not provide specific information on current spam level estimates, but stated that last week’s events are still impacting spammers. With the McColo network shutdown, the number of spam emails sent showed a sudden drop of about 70%. McColo was hosting the command and control infrastructure for three of the world’s most prolific spam botnets: Srizbi, Mega-D and Rustock. Marshal8e6 believes that only a “handful” of botnets are responsible for about 90% of the global spam volume.
While the shutdown is considered a major blow to some spammers, it seems as if it is just a matter of time for the botnets to resurface.
“Unfortunately we do not expect this situation to last,” said Phil Hay, lead threat analyst in the Marshal8e6 Trace team. “There is no doubt that spammers are already setting up new command and control servers. The challenge for them is to re-establish connections with the thousands of zombie computers still infected with their bot code. We fully expect spam will resume in large volumes eventually. However, almost a week later, the spammers haven’t managed to do that yet.”
McColo also has agreements for a backup Internet connection with Sweden’s TeliaSonera in place. According to a report over at Ars Technica, McColo reconnected via TeliaSonera last Saturday and began updating its servers.
Marshal8e6 says that the command and control servers play a critical part in managing the hundreds of thousands of infected bot computers, also referred to as zombies. “An infected bot computer typically ‘phones home’ to the control servers periodically to get updated instructions and spamming templates. By shutting down McColo, the link between the zombie computers and their control servers has effectively been cut off for now,” Hay explained.
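The periodic “phone home” behaviour Hay describes is also what gives defenders a detection handle: a zombie polling a fixed control server at a near-constant interval stands out from ordinary, irregular browsing. The following is an added example, not code from the article or from Marshal8e6, that flags such beaconing in proxy logs. The log lines, the host names `ws-17` and `ws-42`, the destination `203.0.113.10` and the thresholds `min_hits` and `max_cv` are all constructed for the example.

```python
"""
Added example (not from the article): flag hosts whose outbound connections
to one destination recur at a near-constant interval, the "phones home
periodically" pattern described in the text. Log lines, hosts and
thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: ISO timestamp, source host, destination.
# ws-17 polls 203.0.113.10 roughly every ten minutes; ws-42 browses normally.
SAMPLE_LOG = """\
2008-11-18T09:00:00 ws-17 203.0.113.10
2008-11-18T09:00:04 ws-17 files.example.net
2008-11-18T09:10:01 ws-17 203.0.113.10
2008-11-18T09:13:30 ws-42 files.example.net
2008-11-18T09:20:00 ws-17 203.0.113.10
2008-11-18T09:29:59 ws-17 203.0.113.10
2008-11-18T09:31:12 ws-42 files.example.net
2008-11-18T09:40:02 ws-17 203.0.113.10
2008-11-18T09:50:00 ws-17 203.0.113.10
2008-11-18T10:02:45 ws-42 files.example.net
"""


def parse_log(text):
    """Group connections by (src, dst) and return sorted timestamp lists."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    for key in conns:
        conns[key].sort()
    return conns


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation of the
    intervals). A low coefficient of variation means the gaps are regular."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Flag (src, dst) pairs seen at least min_hits times whose inter-arrival
    jitter (coefficient of variation) is at most max_cv.
    Returns a list of (src, dst, rounded interval, rounded cv)."""
    flagged = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_hits:
            continue
        interval, cv = beacon_score(ts)
        if cv <= max_cv:
            flagged.append((src, dst, round(interval), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{interval}s (cv={cv})")
```

On the constructed log this reports only `ws-17 -> 203.0.113.10` (about every 600 seconds), while the three irregular visits by `ws-42` fall below the hit threshold and would fail the jitter test anyway. In practice the thresholds need tuning per environment, since software updaters and monitoring agents also poll on fixed schedules and have to be allow-listed rather than treated as zombies.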
In the end, the decrease in spam levels may only be a short-term effect, according to Hay. In the long term, spammers are likely to learn from the incident and improve their infrastructure. “They may adopt a more resilient peer-to-peer or layered model where control servers are harder to access and spread among many hosts. Only time will tell if these botnets recover. The key thing is that the IT security and law enforcement communities learn from last week’s events as well,” Hay said.