Something wonderful happened this week: Worldwide, the amount of spam email dropped by roughly two-thirds. How did this happen? A single hosting provider, McColo, was disconnected from the Internet.
Think about that for a second: One hosting company was apparently responsible for up to 66 percent of the worldwide spam generated per day. IronPort, a Cisco subsidiary, estimates that there are about 190 billion spam messages sent per day.
This volume of spam would be impossible, of course, if machines hosted at McColo were actually sending all the spam. Many aspects of modern antispam filtering take into account the origin of the message, including the sender IP address, the sender’s reputation for sending spam, the rate of arrival of messages from the address, and so on. That process makes it more difficult for spammers to operate from a single block of IP addresses.
If you’re familiar with the Folding@home or SETI@home, you already understand the solution spammers have used: Get lots of individual computers to do the work. Spammers have turned to using individual computers—mostly Windows machines—that have been compromised by malware that allows them to be remotely controlled. Groups of these machines, known as botnets, offer a great way to send spam because each individual machine can send messages to various destinations. If you get enough machines in a botnet, you can do all sorts of bad things—apparently including flooding the entire Internet with spam.
McColo’s Internet connection was killed in large measure because of the work of Washington Post blogger Brian Krebs. Krebs worked to gather information about McColo’s operations, then passed that evidence to the upstream Internet providers that connected McColo to the broader Internet. Shortly after Krebs’ initial contact, McColo went dark, resulting in a huge drop in worldwide spam levels.
This is of course good news, but the nature of the modern spam ecosystem means that this drop will probably be temporary. A great deal of spam is sent under the aegis of criminal groups that have access to enough money to quickly reconstitute their operations with another compliant hosting provider. Even a temporary respite is still welcome, though. In the longer term, the IT industry needs to continue to identify effective ways to fight botnet-based attacks, including distributed denial-of-service attacks and spam floods, but that’s a much harder problem to solve.