Drop in reporting

[Lking]

Just noticed the drop in message count. Did spammers take Veterans day off?

Nothing sinister I'm sure. Like the sum of other unrelated events, just interesting.

[Lking]

I wonder if there is a correlation with this Washington Post article?

Nature hates a vacuum so I'm sure someone will file the void.

[dra007]

same here, I am sure its just a fluke as much as I wish this was permanent.

[Geek]

You fellas are lucky!

No drop in spam here and we also had our worst day for distributed crackbot attacks

[Lking]

I wasn't talking about my spam level. I was looking at the SpamCop Statistics graphs at the top of the page.

If you look at the last 24 hrs of SC data, the maximum number of messages/sec is less that the daily minimum for the last week.

Like you I haven't seen a 50-70% drop.

[Farelf]

...I wonder if there is a correlation with this Washington Post article?...

I would say so, the evidence seems quite compelling - noting also that article contains the SC daily stats chart frozen to show the result which you were talking about in the first post (a useful datum).

A drop can be just/also the reporters taking a holiday but the IronPort commentary quoted in Brian Krebs' WP article indicates a real drop, to the extent that their monitoring - and the SenderBase query correlate - are representative. Then there's the 'security experts' who are said to sheet home reponsibiliy for 75% of the world's spam to the now unplugged McColo Corp.

My own spam received on one account increased (it is minimal anyway) but on another decreased (by 75% to 25% - though such a result is not actually statistically significant on the moderate numbers involved). Instead of being an actual reflection of reduced spam, the reduced numbers to that account could be all or some of

• random fluctuation or
  
• to do with ISP filtering
  
• due to unaccounted (non-random) factors
  

- except there is that alternative explanation that the amount sent actually declined, as documented, so that explanation should be accepted by the rule of parsimony. Reinforcing such a circumstance, there is possibly a flow-on to ISP filtering (where it exists) when traffic is reduced (increased efficiency due to less stress, maybe fewer glitches, less impact of what glitches there are).

Taken together, a 'compelling' case for acceptance of the view that McColo Corp's dissolution is the dominant explanation, as said. Such events are a rare opportunity to probe the shape of the spamiverse. The alternative explanations are less compelling.

But, as you suppose, concerning the 'resumption of business' within new hosts

We're seeing a slow recovery ... we fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season.

Such resilience! Like cockroaches only less likeable.

Something not specifically addressed is the impact of the botnets. Their 'market share' seemed very high for a while, recruiting certainly remains high but their influence has not been quite as great in more recent times going by the spam I receive. McColo Corp's demise might see their resurgence but, bottom line, the 'experts' seem (on casual observation) to be a little at variance in terms of their impact on the actual transmission of spam (which is presumably their main function). Quite possibly no-one is actually seeing the full picture - certainly there seem to be distinct streams or flavors of spam which, as a reluctant consumer, I have long fancied are differently represented in my different accounts.

[Lking]

I would say so, the evidence seems quite compelling - noting also that article contains the SC daily stats chart frozen to show the result which you were talking about in the first post (a useful datum).

The Washington Post article is dynamic. My original reference to WP was at 12:12 pm. The current WP article with SC stats was posted at 1pm. The original article did not have all the stats. As he said in the original article, he wanted to make sure he didn't get scooped on his story.

edited for clarity.

[Lking]

Washington Post has moved the story from their blog to the Business section. Web Host of Groups That Traffic spam Kicked Offline. Page D01 below the fold.

[kae]

The number of spam messages that I've received has dropped dramatically. I've been wondering why. Here are some of the links that I found.

CAUSE: News blog that references Brian Kreb’s article on security fixes.

Brian Krib: Brian Krebs on Computer Security blog on the disconnection of McColo and the resulting two thirds drop in spam messages.

Now the big question is: How long will it last?

[Farelf]

...Now the big question is: How long will it last?

Yes, that's the biggie. The spamstats - http://forum.spamcop.net/forums/index.php?...&page=stats - have been running at 50% of previous levels for the past 4 days to this point, which is longer already than I would have dared to hope but maybe spanning the weekend has something to do with that (surely we can count on at least a fifth day now).

[Farelf]

Krebs on the extent of the McColo web http://voices.washingtonpost.com/securityf...was_mccolo.html

[Wazoo]

Krebs on the extent of the McColo web http://voices.washingtonpost.com/securityf...was_mccolo.html

Issues with IE7 and the data provided on that page led me to add the mindmap file/data to the Wiki http://forum.spamcop.net/scwik/KrebsMcColomindmap ... the result still requires a 'current' install (and enabled) of Java to run the applet on the/your viewing system, but does remove the need to download and install the mindmap software/application.

[Farelf]

Issues with IE7 and the data provided on that page led me to add the mindmap file/data to the Wiki http://forum.spamcop.net/scwik/KrebsMcColomindmap ...

Hey, thanks Wazoo! I was just making do with viewing the dead graphic rendition (and imagining others would have to make do similarly) but the 'live' version is much more informative.

[Farelf]

My spam numbers are still down. Not quite convinced if/how it might be related but I notice the spamvertized web sites (or redirectors) of the stuff still coming in/getting through which were largely botnet hosted/redirected are now failing to resolve at all.

Hitherto most of the stuff like gtoq.vfsingle.cn would usually resolve out to a heap of disparate IP addresses through nslookup etc (though the SC parser would usually say "... discarded as fake" and "Cannot resolve ..." at first blush). Now nslookup is saying about most of them "Non-existent domain" - though it is usually possible to find Chinese nameservers.

Krebs mentions the association between McColo and botnet "command and control" but I never would have dreamed the things were that vulnerable (the whole point of distributed resources being that they are hard to locate and damage, but I guess the real story with botnets is more about free use of others' equipment and net resources). If it really is related to McColo's demise.

[Wazoo]

Krebs mentions the association between McColo and botnet "command and control" but I never would have dreamed the things were that vulnerable (the whole point of distributed resources being that they are hard to locate and damage, but I guess the real story with botnets is more about free use of others' equipment and net resources). If it really is related to McColo's demise.

Dodgy ISP briefly comes online, updates botnet

A bit of philosophy: McColo takedown: Vigilantism or Neighborhood Watch?

[Farelf]

Thanks again Wazoo.

Dodgy ISP briefly comes online, updates botnet

...Security analysts have predicted that spam levels will rise again as hackers who used McColo move their operations to other ISPs that are willing to protect spammers and other criminal enterprises, such as those who sells (sic) bogus security software or pharmaceuticals. ...

One that resolves:

bij.uyninth.cn -->pharmacyshops.com

H:\>nslookup pharmacyshops.org

...

Non-authoritative answer:

Name: pharmacyshops.org

Address: 92.53.107.8

H:\>whosip 92.53.107.8

WHOIS Source: RIPE NCC

IP Address: 92.53.107.8

Country: Russian Federation

Network Name: Mastercomm-NET-4

Owner Name: Dedicated Servers for rent block 4

From IP: 92.53.107.0

To IP: 92.53.107.255

Allocated: Yes

Contact Name: Mastercomm LLC Role Account

Address: 18, Lesnaya st. 403, 105886, Moscow, Russian Federation

Email: noc[at]mastercomm.info

Abuse Email:

Phone:

Fax:

Hmm ... I swear theplanet.com was recorded as providing nameservers there for a while (was going to say,"Why do they?") but now I see just 92.53.107.8 in that role too.

Oh yes, spamdom abhors a vacuum. But still way slower to come back than I would have dared to hope.

[Farelf]

...Hmm ... I swear theplanet.com was recorded as providing nameservers there for a while (was going to say,"Why do they?") but now I see just 92.53.107.8 in that role too...

Dang, theplanet is there

H:\>nslookup -querytype=ns pharmacyshops.com

...

Non-authoritative answer:

pharmacyshops.com nameserver = ns1.theplanet.com

pharmacyshops.com nameserver = ns2.theplanet.com

ns1.theplanet.com internet address = 70.86.61.133

ns1.theplanet.com internet address = 70.86.61.134

ns1.theplanet.com internet address = 70.87.7.70

ns1.theplanet.com internet address = 70.87.7.71

ns2.theplanet.com internet address = 70.86.61.135

ns2.theplanet.com internet address = 70.86.61.136

ns2.theplanet.com internet address = 70.87.7.72

ns2.theplanet.com internet address = 70.87.7.73

H:\>nslookup pharmacyshops.com

...

Non-authoritative answer:

Name: pharmacyshops.com

Address: 67.18.136.98

H:\>whosip 67.18.136.98

WHOIS Source: ARIN

IP Address: 67.18.136.98

Country: USA - Texas

Network Name: NETBLK-THEPLANET-BLK-11

Owner Name: ThePlanet.com Internet Services, Inc.

From IP: 67.18.0.0

To IP: 67.19.255.255

Allocated: Yes

Contact Name: ThePlanet.com Internet Services, Inc.

Address: 315 Capitol, Suite 205, Houston

Email: admins[at]theplanet.com

Abuse Email: abuse[at]theplanet.com

Phone: +1-281-714-3560

Fax:

H:\>

Thought they'd decided to be whitehat?

[Lking]

Boy I lost my bet on how long the drop in spam would last!

Joke for today comes from our friends at the Washington Post

In an alert sent out Wednesday morning, e-mail security firm IronPort said:

"In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening."

Spamcop.net's graphic shows a similar decline, from about 40 spam e-mails per second to around ten per second -- if I'm reading that graphic correctly.

Well that confirms it!

[Farelf]

Latest? from WP Answers Trickle Out as Spammer Networks Remain Compromised - thanks to grc posters (YoKenny, I think, for this one).

Moderator Edit: I had to edit the link to Answers Trickle Out as Spammer Networks Remain Compromised in order to actually 'get there' ...????

[Geek]

Botnets are in overdrive I have noticed. Forum comment spamming has gone up so much that I can't keep up this last week. Mostly through US based socks proxies too and not direct posting from the compromised machines, as is the norm from Asia/Russia.

[showker]

See: http://www.knujon.com/news -- two major spam hosts closed down. Won't last long, but we're running about 30% of our normal flow. Also see http://www.hostexploit.com/ for their latest take-down report.

Enjoy it while it lasts.

ICANN is rewriting their AAC regulating registrars -- everyone is urged to write them with this info:

http://www.safenetting.com/2008/11/18/you-can-help-curb-online-crime/

[Miss Betsy]

Thanks for the information! I have submitted a comment.

Miss Betsy

[Farelf]

No doubt it is temporary (but dare to hope otherwise) - I note the redirection botnet-hosted sites like rlka.vhweaker.cn are really struggling to resolve today ('Canadian' pharmacy, counterfeit watches, etc.) and they are also "not whoisable". Practically all the spam I am seeing just now is more than usually pointless - the payloads are inoperable links. Haven't checked any of the the sites they are meant to/used to redirect to.

[Geek]

Looks like the botnets are rebuilt enough to be functional ... I just received more spam in the last 8 hours than in the past two weeks combined and it's just continuously pouring in right now!!!!!

[Farelf]

...Looks like the botnets are rebuilt enough to be functional ... I just received more spam in the last 8 hours than in the past two weeks combined and it's just continuously pouring in right now!!!!!

Bad news - those not yet affected are just in the eye of the storm then.

Still seeing DNS problems in reaching the redirector links though. For those 1/12,000,000 fools clicking, they're going nowhere, going by the stuff that gets through to me.