Lking Posted November 12, 2008
Just noticed the drop in message count. Did spammers take Veterans Day off? Nothing sinister, I'm sure. Like the sum of other unrelated events, just interesting.
Lking (Author) Posted November 12, 2008
I wonder if there is a correlation with this Washington Post article? Nature hates a vacuum, so I'm sure someone will fill the void.
dra007 Posted November 12, 2008
Same here, I am sure it's just a fluke, as much as I wish this was permanent.
Geek Posted November 12, 2008
You fellas are lucky! No drop in spam here, and we also had our worst day for distributed crackbot attacks.
Lking (Author) Posted November 12, 2008
I wasn't talking about my spam level. I was looking at the SpamCop Statistics graphs at the top of the page. If you look at the last 24 hrs of SC data, the maximum number of messages/sec is less than the daily minimum for the last week. Like you, I haven't seen a 50-70% drop.
Farelf Posted November 13, 2008
"...I wonder if there is a correlation with this Washington Post article?..."
I would say so, the evidence seems quite compelling - noting also that the article contains the SC daily stats chart frozen to show the result which you were talking about in the first post (a useful datum). A drop can be just/also the reporters taking a holiday, but the IronPort commentary quoted in Brian Krebs' WP article indicates a real drop, to the extent that their monitoring - and the SenderBase query correlate - are representative. Then there are the 'security experts' who are said to sheet home responsibility for 75% of the world's spam to the now unplugged McColo Corp. My own spam received on one account increased (it is minimal anyway) but on another decreased (by 75% to 25% - though such a result is not actually statistically significant on the moderate numbers involved). Instead of being an actual reflection of reduced spam, the reduced numbers to that account could be all or some of random fluctuation or to do with ISP filtering due to unaccounted (non-random) factors - except there is that alternative explanation that the amount sent actually declined, as documented, so that explanation should be accepted by the rule of parsimony. Reinforcing such a circumstance, there is possibly a flow-on to ISP filtering (where it exists) when traffic is reduced (increased efficiency due to less stress, maybe fewer glitches, less impact of what glitches there are). Taken together, a 'compelling' case for acceptance of the view that McColo Corp's dissolution is the dominant explanation, as said. Such events are a rare opportunity to probe the shape of the spamiverse. The alternative explanations are less compelling. But, as you suppose, concerning the 'resumption of business' within new hosts:
"We're seeing a slow recovery ... we fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season."
Such resilience! Like cockroaches, only less likeable. Something not specifically addressed is the impact of the botnets. Their 'market share' seemed very high for a while; recruiting certainly remains high, but their influence has not been quite as great in more recent times, going by the spam I receive. McColo Corp's demise might see their resurgence but, bottom line, the 'experts' seem (on casual observation) to be a little at variance in terms of their impact on the actual transmission of spam (which is presumably their main function). Quite possibly no-one is actually seeing the full picture - certainly there seem to be distinct streams or flavors of spam which, as a reluctant consumer, I have long fancied are differently represented in my different accounts.
Lking (Author) Posted November 13, 2008
"I would say so, the evidence seems quite compelling - noting also that article contains the SC daily stats chart frozen to show the result which you were talking about in the first post (a useful datum)."
The Washington Post article is dynamic. My original reference to WP was at 12:12 pm. The current WP article with SC stats was posted at 1 pm. The original article did not have all the stats. As he said in the original article, he wanted to make sure he didn't get scooped on his story. Edited for clarity.
Lking (Author) Posted November 13, 2008
Washington Post has moved the story from their blog to the Business section: "Web Host of Groups That Traffic Spam Kicked Offline". Page D01, below the fold.
kae Posted November 15, 2008
The number of spam messages that I've received has dropped dramatically. I've been wondering why. Here are some of the links that I found.
CAUSE: News blog that references Brian Krebs' article on security fixes.
Brian Krebs: Brian Krebs on Computer Security blog on the disconnection of McColo and the resulting two-thirds drop in spam messages.
Now the big question is: How long will it last?
Farelf Posted November 16, 2008
"...Now the big question is: How long will it last?"
Yes, that's the biggie. The spamstats - http://forum.spamcop.net/forums/index.php?...&page=stats - have been running at 50% of previous levels for the past 4 days to this point, which is longer already than I would have dared to hope, but maybe spanning the weekend has something to do with that (surely we can count on at least a fifth day now).
Farelf Posted November 17, 2008
Krebs on the extent of the McColo web: http://voices.washingtonpost.com/securityf...was_mccolo.html
Wazoo Posted November 17, 2008
"Krebs on the extent of the McColo web http://voices.washingtonpost.com/securityf...was_mccolo.html"
Issues with IE7 and the data provided on that page led me to add the mindmap file/data to the Wiki: http://forum.spamcop.net/scwik/KrebsMcColomindmap ... the result still requires a 'current' install (and enabled) of Java to run the applet on the/your viewing system, but does remove the need to download and install the mindmap software/application.
Farelf Posted November 17, 2008
"Issues with IE7 and the data provided on that page led me to add the mindmap file/data to the Wiki http://forum.spamcop.net/scwik/KrebsMcColomindmap ..."
Hey, thanks Wazoo! I was just making do with viewing the dead graphic rendition (and imagining others would have to make do similarly), but the 'live' version is much more informative.
Farelf Posted November 18, 2008
My spam numbers are still down. Not quite convinced if/how it might be related, but I notice the spamvertized web sites (or redirectors) of the stuff still coming in/getting through, which were largely botnet hosted/redirected, are now failing to resolve at all. Hitherto most of the stuff like gtoq.vfsingle.cn would usually resolve out to a heap of disparate IP addresses through nslookup etc. (though the SC parser would usually say "... discarded as fake" and "Cannot resolve ..." at first blush). Now nslookup is saying about most of them "Non-existent domain" - though it is usually possible to find Chinese nameservers. Krebs mentions the association between McColo and botnet "command and control", but I never would have dreamed the things were that vulnerable (the whole point of distributed resources being that they are hard to locate and damage, but I guess the real story with botnets is more about free use of others' equipment and net resources). If it really is related to McColo's demise.
Wazoo Posted November 18, 2008
"Krebs mentions the association between McColo and botnet "command and control" but I never would have dreamed the things were that vulnerable (the whole point of distributed resources being that they are hard to locate and damage, but I guess the real story with botnets is more about free use of others' equipment and net resources). If it really is related to McColo's demise."
Dodgy ISP briefly comes online, updates botnet
A bit of philosophy: McColo takedown: Vigilantism or Neighborhood Watch?
Farelf Posted November 18, 2008
Thanks again Wazoo.
"Dodgy ISP briefly comes online, updates botnet ... Security analysts have predicted that spam levels will rise again as hackers who used McColo move their operations to other ISPs that are willing to protect spammers and other criminal enterprises, such as those who sells (sic) bogus security software or pharmaceuticals. ..."
One that resolves: bij.uyninth.cn --> pharmacyshops.com

H:\>nslookup pharmacyshops.org
...
Non-authoritative answer:
Name:    pharmacyshops.org
Address:  92.53.107.8

H:\>whosip 92.53.107.8
WHOIS Source: RIPE NCC
IP Address: 92.53.107.8
Country: Russian Federation
Network Name: Mastercomm-NET-4
Owner Name: Dedicated Servers for rent block 4
From IP: 92.53.107.0
To IP: 92.53.107.255
Allocated: Yes
Contact Name: Mastercomm LLC Role Account
Address: 18, Lesnaya st. 403, 105886, Moscow, Russian Federation
Email: noc[at]mastercomm.info
Abuse Email:
Phone:
Fax:

Hmm ... I swear theplanet.com was recorded as providing nameservers there for a while (was going to say, "Why do they?") but now I see just 92.53.107.8 in that role too. Oh yes, spamdom abhors a vacuum. But still way slower to come back than I would have dared to hope.
Farelf Posted November 18, 2008
"...Hmm ... I swear theplanet.com was recorded as providing nameservers there for a while (was going to say, "Why do they?") but now I see just 92.53.107.8 in that role too..."
Dang, theplanet is there:

H:\>nslookup -querytype=ns pharmacyshops.com
...
Non-authoritative answer:
pharmacyshops.com       nameserver = ns1.theplanet.com
pharmacyshops.com       nameserver = ns2.theplanet.com
ns1.theplanet.com       internet address = 70.86.61.133
ns1.theplanet.com       internet address = 70.86.61.134
ns1.theplanet.com       internet address = 70.87.7.70
ns1.theplanet.com       internet address = 70.87.7.71
ns2.theplanet.com       internet address = 70.86.61.135
ns2.theplanet.com       internet address = 70.86.61.136
ns2.theplanet.com       internet address = 70.87.7.72
ns2.theplanet.com       internet address = 70.87.7.73

H:\>nslookup pharmacyshops.com
...
Non-authoritative answer:
Name:    pharmacyshops.com
Address:  67.18.136.98

H:\>whosip 67.18.136.98
WHOIS Source: ARIN
IP Address: 67.18.136.98
Country: USA - Texas
Network Name: NETBLK-THEPLANET-BLK-11
Owner Name: ThePlanet.com Internet Services, Inc.
From IP: 67.18.0.0
To IP: 67.19.255.255
Allocated: Yes
Contact Name: ThePlanet.com Internet Services, Inc.
Address: 315 Capitol, Suite 205, Houston
Email: admins[at]theplanet.com
Abuse Email: abuse[at]theplanet.com
Phone: +1-281-714-3560
Fax:

H:\>

Thought they'd decided to be whitehat?
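The two posts above do by hand what a spam analyst ends up doing for dozens of spamvertised hosts: run nslookup, note whether the name is dead ("Non-existent domain"), delegated somewhere, or still resolving, and then look up the address. The following Python script is an added example, not code from any poster in this thread, that parses nslookup transcripts in the Windows layout shown above into a structured result and labels each host. The sample transcripts are constructed for the example: the domain names, nameservers and addresses are taken from the posts, while the resolver name `resolver.example.invalid`, its address 192.0.2.53 and the exact wording of the NXDOMAIN line are assumptions about how the output looks. `resolve_live` does the same classification against the system resolver and is the only part that needs a network.

```python
"""Classify spamvertised hosts from nslookup transcripts (added example)."""
import re
import socket
from dataclasses import dataclass, field

# Constructed sample transcripts laid out like Windows nslookup output.
# Domains, nameservers and addresses come from the forum posts above; the
# resolver name/address and the NXDOMAIN line wording are assumptions.
SAMPLE_NS_OUTPUT = """\
Non-authoritative answer:
pharmacyshops.com       nameserver = ns1.theplanet.com
pharmacyshops.com       nameserver = ns2.theplanet.com
ns1.theplanet.com       internet address = 70.86.61.133
ns1.theplanet.com       internet address = 70.86.61.134
ns2.theplanet.com       internet address = 70.86.61.135
ns2.theplanet.com       internet address = 70.86.61.136
"""

SAMPLE_A_OUTPUT = """\
Server:  resolver.example.invalid
Address:  192.0.2.53

Non-authoritative answer:
Name:    pharmacyshops.com
Address:  67.18.136.98
"""

SAMPLE_NXDOMAIN_OUTPUT = """\
Server:  resolver.example.invalid
Address:  192.0.2.53

*** resolver.example.invalid can't find gtoq.vfsingle.cn: Non-existent domain
"""

NS_RE = re.compile(r"^(\S+)\s+nameserver\s*=\s*(\S+)", re.MULTILINE)
NS_ADDR_RE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)", re.MULTILINE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class LookupResult:
    domain: str
    nxdomain: bool = False
    addresses: list = field(default_factory=list)    # A records of the domain
    nameservers: dict = field(default_factory=dict)  # NS host -> its addresses


def parse_nslookup(domain: str, text: str) -> LookupResult:
    """Extract the answer section of an nslookup transcript for `domain`.

    The resolver's own Server:/Address: header is skipped on purpose: only
    addresses printed after the "Name:" line belong to the queried domain.
    """
    result = LookupResult(domain)
    if "Non-existent domain" in text:
        result.nxdomain = True
        return result
    for owner, ns in NS_RE.findall(text):
        if owner.rstrip(".").lower() == domain.lower():
            result.nameservers.setdefault(ns.rstrip(".").lower(), [])
    for host, ip in NS_ADDR_RE.findall(text):
        host = host.rstrip(".").lower()
        if host in result.nameservers:
            result.nameservers[host].append(ip)
    if "Name:" in text:
        answer = text.split("Name:", 1)[1]
        result.addresses = IP_RE.findall(answer)
    return result


def classify(result: LookupResult) -> str:
    """Triage label in the terms used in the thread: dead, delegated, or live."""
    if result.nxdomain:
        return "dead: non-existent domain (redirector no longer resolves)"
    if result.addresses:
        return "live: resolves to " + ", ".join(result.addresses)
    if result.nameservers:
        return ("delegated to " + ", ".join(sorted(result.nameservers))
                + ", no A record in transcript")
    return "unknown: no answer section found"


def resolve_live(domain: str) -> LookupResult:
    """Same classification via the system resolver (needs network). Assumption:
    any getaddrinfo failure is treated as a non-existent domain."""
    result = LookupResult(domain)
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        result.nxdomain = True
        return result
    result.addresses = sorted({info[4][0] for info in infos})
    return result


if __name__ == "__main__":
    for dom, text in [("pharmacyshops.com", SAMPLE_NS_OUTPUT),
                      ("pharmacyshops.com", SAMPLE_A_OUTPUT),
                      ("gtoq.vfsingle.cn", SAMPLE_NXDOMAIN_OUTPUT)]:
        print(dom, "->", classify(parse_nslookup(dom, text)))
```

Feeding saved nslookup output through `parse_nslookup` keeps the resolver's own address out of the result, which is the usual mistake when grepping transcripts for IPs; the nameserver addresses are kept separately so a "delegated but dead" host (the pattern Farelf describes for the .cn redirectors) is not mistaken for a live one.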
Lking (Author) Posted November 18, 2008
Boy, I lost my bet on how long the drop in spam would last! Joke for today comes from our friends at the Washington Post:
"In an alert sent out Wednesday morning, e-mail security firm IronPort said: 'In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening.' Spamcop.net's graphic shows a similar decline, from about 40 spam e-mails per second to around ten per second -- if I'm reading that graphic correctly."
Well, that confirms it!
Farelf Posted November 19, 2008
Latest? From WP: Answers Trickle Out as Spammer Networks Remain Compromised - thanks to grc posters (YoKenny, I think, for this one).
Moderator Edit: I had to edit the link to Answers Trickle Out as Spammer Networks Remain Compromised in order to actually 'get there' ...????
Geek Posted November 19, 2008
Botnets are in overdrive, I have noticed. Forum comment spamming has gone up so much that I can't keep up this last week. Mostly through US-based SOCKS proxies too, and not direct posting from the compromised machines, as is the norm from Asia/Russia.
showker Posted November 21, 2008
See: http://www.knujon.com/news -- two major spam hosts closed down. Won't last long, but we're running about 30% of our normal flow. Also see http://www.hostexploit.com/ for their latest take-down report. Enjoy it while it lasts. ICANN is rewriting their AAC regulating registrars -- everyone is urged to write them with this info: http://www.safenetting.com/2008/11/18/you-can-help-curb-online-crime/
Miss Betsy Posted November 22, 2008
Thanks for the information! I have submitted a comment.
Miss Betsy
Farelf Posted November 24, 2008
No doubt it is temporary (but dare to hope otherwise) - I note the redirection botnet-hosted sites like rlka.vhweaker.cn are really struggling to resolve today ('Canadian' pharmacy, counterfeit watches, etc.) and they are also "not whoisable". Practically all the spam I am seeing just now is more than usually pointless - the payloads are inoperable links. Haven't checked any of the sites they are meant to/used to redirect to.
Geek Posted November 24, 2008
Looks like the botnets are rebuilt enough to be functional ... I just received more spam in the last 8 hours than in the past two weeks combined, and it's just continuously pouring in right now!!!!!
Farelf Posted November 24, 2008
"...Looks like the botnets are rebuilt enough to be functional ... I just received more spam in the last 8 hours than in the past two weeks combined and it's just continuously pouring in right now!!!!!"
Bad news - those not yet affected are just in the eye of the storm then. Still seeing DNS problems in reaching the redirector links though. For those 1/12,000,000 fools clicking, they're going nowhere, going by the stuff that gets through to me.