So Long McColo Lows, Oh Well

By Matthew Hines  |  Posted 2009-02-07 Print this article Print

Well, here's what we learned from the McColo experiment that was so cleverly pulled together by Washington Post blogger Brian Krebs and some other smart folks in the name of stemming malware-laden spam e-mail - attacking spam at its source can work, but, seemingly, not for too long.

When Krebs et al convinced upstream Internet access providers to cut off services to shady hosting services provider McColo in late November 2008, spam rates fell dramatically, anywhere from 50-75 percent worldwide depending on whose estimates you believe.

But, just as experts began to predict just a few days after the massive coup, it now seems as if the takedown's positive effects have been relatively short-lived. Symantec, for one, reported earlier this week that it is again seeing the same volumes of unsolicited e-mail that it was tracking before the anti-McColo effort was launched.

To anyone who has listened to people like Arbor Networks' researcher Dr. Jose Nazario talk about the hydra-like distributed control mechanisms being embedded into the botnets responsible for generating much of this content, and the effect to which that innovation has made it such that no matter which command and control machines you take out on those networks, there's almost always another waiting to take its place, it's pretty clear this problem has transcended "epidemic" and segued into "utterly catastrophic."

We now have to ask ourselves, in light of spam's recent resurgence, even if we could get all the major Internet service providers of the world to choke off registrars and the like who are clearly abusing their services and generating all of this spam and malware, would that even stop the problem?

The McColo takedown had a powerful, immediate and stunning effect. But even if you shut down all the McColos of the world, wouldn't the bad guys simply find a new place to hang their hats, and fairly quickly at that?

It's certainly interesting to ponder.

I'd love to see all the nefarious players openly identified by people like KnujOn, Spamhaus and others squeezed through some concentrated and coordinated effort to have a super McColo-like effect. The in-box and junk mail sfolder silence worldwide would be a pretty cool thing to observe. But who will be the ones to pull this off anyway? Researchers? The government? It's not clear.

And, how long after someone pulls that type of thing off, if they can, before the spammers just creep back onto the scene as they always seem to, the ubiquitous marching ants that unflaggingly reappear each Spring to spoil society's feast at the Internet picnic?

Seems like not long.

So, whatever happened to sender authentication? Oh yeah...

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel