This morning when I dropped by the spam analysts’ work area for my daily check of “what’s new in spam” I noticed they were in a bit of a tizzy. Spam levels had dropped from their usual high levels and they were looking for the reason why.
We’ve seen spam levels growing pretty steadily over the past few years. So any sudden drop in spam tends to raise the red flags around here.
While some members of the anti-spam team immediately started checking anything that could have possibly gone wrong in our data centers, another enterprising analyst started searching the Internet to see if perhaps something in the outside world had influenced this change we were seeing. He came across Brian Krebs scoop in the Washington Post blog, which describes how backbone providers took McColo offline, McColo being the
San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today.”
Could it be possible that this single event was responsible for the drop we were seeing? I, personally, found it hard to believe. We’ve seen numerous spammers criminally prosecuted, taken offline, etc. etc. etc. but it hardly ever seems to cause even a tiny blip in our spam graphs. Or if there is a blip, it is immediately swallowed up by all the other big-time spammers out there. In this case, the Commtouch spam analysts reported several hours of spam levels that were meaningfully lower than what they were accustomed to.
But after checking, and re-checking multiple times, Commtouch’s spam analysts and operations team reached the only possible conclusion – that there is nothing wrong at the data center, there is, in fact (at least temporarily), less spam.
McColo is the owner of scores of nasty domains, including things like “viruslivescan.com” which installs spyware while purporting to scan your computer for viruses, and lots and lots of pornography sites. A random test of some of their known domains showed that they were offline.
It’s a major win to take down such a vile network of spammers. The main question is, when and where will they pop up again? Because you know this won’t put them out of business for long. We’ll be monitoring the trends and if we see anything worth reporting (or even just kind of neat) we’ll post it to let you know.
By the way, Brian Krebs published an update to his earlier blog post, here.