CBL’s take on McColo being taken offline


It's been over a week since McColo's operations had its plug pulled, and our spam volumes are still way down (I still haven't figured out a way to take credit for that).  On average, it is down by around 40-50%.  The last couple of days have seen some slight upticks but not a lot.

One of the stats that has surprised me was our inbound spam/non-spam traffic.  It's generally about 65/35 spam/non-spam.  However, on November 12, for the first time ever, the non-spam part ticked above 50% for the first time ever (ie, since I've been keeping track of the stats).  Our mail servers were actually being used mostly for legitimate mail.  I think that's a Christmas miracle.

Anyhow, the CBL has posted an article about the McColo take down.  In case you don't know, CBL stands for Composite Blacklist and they collect information about zombies around the Internet that are sending spam. They first posted it this past Monday, on November 17.  Here are some excerpts that I think are worth quoting:

On the eve of the McColo disconnection, "named BOT" detections represented about half of the total IP addresses listed by the CBL. At that time, we measured that the named BOTs were responsible for about 68% of all of the spam the CBL detects.

The "named BOTs" are the BOTNETs that most researchers talk about, such as Srizbi, Cutwail/Pushdo, Ozdok/Mega-D, Bobax/Kraken, Rustock, Asprox, Storm, Warezov and others. Srizbi was by far the largest, running around 35% of all spam that's caught in our spam traps. Cutwail second (at around 18%), most of the others in the 5-10% range.

The following major BOTNETs showed immediate effects when McColo was disconnected: Srizbi, Rustock, Asprox, Bobax, and Ozdok/Mega-D by a sudden precipitous drop in CBL detections.

Ozdok/Mega-D went virtually silent within an hour. Bobax had a big chunk (about half) taken out of it within a few hours. Srizbi, Rustock and Asprox dropped off by more than 95% of normal levels within hours. Eg: Srizbi dropped from 170,000-190,000 detections per day to about 3500. Cutwail/Pushdo lost about 15% over the first 24 hours of McColo outage.

This represents an incredible drop in traffic.  McColo really was responsible for sending out piles and piles of spam.  It makes you wonder why these guys weren't cut off in the first place.

Far be it from me to spread rumour but a colleague of mine asked and answered that same question.  This is completely unsubstantiated and I haven't Google'd or Live Searched this, but I guess the owner of McColo had ties to Russian organized crime.  He was some young kid (late teens or early twenties) who died in a car crash in Moscow either this year or last year.  If, indeed, parts of this story are true, then I guess it would be difficult for US law enforcement officials to track down these guys in a foreign country.  I suppose it would be up to Interpol to do that.

Yet ironically, it was not law enforcement that took these guys down, it was a policy decision by the people who owned the network hardware.  Sometimes all it takes is the political will to shut down a paying (?) customer.

BTW, anyone know if the story I related above is true?

Skip to main content