All Things Digital

Digital Daily

75 Percent of All Spam Globally? On Our Backbones? Holy Cow!

“There is damning evidence that this activity has been going on there for way too long, and plenty of people in the security community have gone out of their way to raise awareness about this network, but nobody seems to care.”

– Paul Ferguson, a threat researcher with computer security firm Trend Micro


According to security experts, Web-hosting outfit McColo is responsible for enabling the broadcast of more than 75 percent of all spam globally. Its client list is a rogues’ gallery of bad-guy syndicates involved in everything from botnets to counterfeit pharmaceuticals and kiddie porn. So how is it that McColo’s ISPs, Hurricane Electric and Global Crossing, were unaware of that until notified by a Washington Post reporter?

I’m not sure there’s a good answer to that question, though it would certainly be interesting to hear one. Almost as interesting as hearing the two ISPs explain away their network traffic from known criminal botnets Mega-D, Srizbi, Pushdo, Rustock and Warezov, all of which have their master servers hosted at McColo.

“We shut them down,” Benny Ng, director of marketing for Hurricane Electric, told the Post. “We looked into it a bit, saw the size and scope of the problem you were reporting and said ‘Holy cow!’ Within the hour we had terminated all of our connections to them.”

“Holy cow?” More like, “Holy cow, someone finally noticed we’re the preferred ISP of a massive criminal syndicate! What do we do?!?”

“ISPs can’t take the ‘I see nothing, I hear nothing’ approach to this content,” said Mark Rasch, a former cyber crime prosecutor for the Justice Department. “It’s a little bit like a landlord who owns a building and sees people coming in and out of the apartment complex constantly at all hours and not suspecting there may be drug activity going on. There are certain things that raise red flags, such as the nature, volume, source and destination of the Internet traffic, that can and should raise red flags. And to have so many third parties looking at the volume and content from this Internet provider saying ‘This is outrageous,’ clearly the people doing the hosting should know that as well.”

Comments

  1. Yes, indeed. See http://www.spamcop.net/spamgraph.shtml?spamweek

    Posted by Dave Barnes at November 12th, 2008 at 12:55 pm
  2. So we want ISPs to look for certain kinds of traffic, content and patterns of net behavior and shut those down, but we also want net neutrality and privacy for net usage.

    On the net neutrality side I have seen assertions that ISPs should not be able to screen by content or by protocol. If that were actually law, is there a way that ISPs could also monitor and shut down this kind of spammer syndicate hosting operation?

    Posted by Kevin McConnaughey at November 12th, 2008 at 3:21 pm
  3. What if those botnets go rogue? They have no controlling source? Maybe they have a “default” action if they cannot “phone home” for x days?

    Read more: Rogue Botnets

    Posted by Frank Paolino at November 13th, 2008 at 6:55 am

About John

John Paczkowski has been poking fun at the tech industry and the personalities that drive it since 1997. From 1999 to 2007, he wrote the award-winning tech news Web log Good Morning Silicon Valley for the San Jose Mercury News, Silicon Valley's daily newspaper.
