Slashdot Mirror
Washington Post Blog Shuts Down 75% of Online Spam
ESCquire writes "Apparently, the Washington Post Blog 'Security Fix' managed to shut down McColo, a US-based hosting provider facilitating more than 75 percent of global spam. " Now how long before the void is filled by another ISP?
The badness attributed to McColo was not limited to spam. It included child pornography sites; sites that accepted payment for spam and child porn; rogue anti-virus Web sites; and a huge malicious software operation that apparently stole banking and credit card data from more than a half million people worldwide.
And they operated for how long before they were shut down ... as a United States based hosting provider?
... I'm all for user privacy policy from an ISP but obviously these people are criminals.
If they have evidence of these things, I certainly hope that The Washington Post turns any evidence over to the FBI or at the least the local law enforcement where McColo is operating. And I hope a warrant is obtained through the appropriate channels to collect evidence from Hurricane Electric & Global Crossing
My work here is dung.
Just give us an IP address linked in the summary. That's all we ned.
First they shut down McCain, now McColo. Next up: McDonalds?
Do you even lift?
These aren't the 'roids you're looking for.
http://craphound.com/spamsolutions.txt
My turnips listen for the soft cry of your love
the spam will flow. It's the old "balloon dog" effect. Squeeze it in one place and it balloons in another. The ONLY way to attack this problem is to go after the advertisers who are willing to use spam as a medium to sell product.
I had ONE spam message last night. I average probably 20 a night.
Sometimes it's best to just let stupid people be stupid.
Well, I guess now my Nigerian prince will never come.
SJW: Someone who has run out of real oppression, and has to fake it.
as the title says. if it gets them "off the air" is this a public service or a criminal act (or both)?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
The comments on the Washington Post site are pretty worthless, but this one was particularly good:
"Brian - Well done, and well reported. For the user who asked about reporting news versus creating news, you misunderstand Krebs's reporting. Like most good reporters who write big stories, he either got tips or analyzed data regarding spam and cyber-security. It probably was a combination of both. If he determined from his research, reporting and analysis that this data was coming from one place, he did not create a story by informing the spam host's business partners. Rather, he sought comment from them about this site, and they took action. What Krebs reported is not a big a story as Watergate, but what do you think Woodward & Bernstein did? Wait for a press release? A regulatory filing? No, they took one news event, worked backwards from it, and determined that something big was going on -- just like a spammer. Then they wrote about it, just like Krebs did. When Henry Blodget on Silicon Alley Insider wrote that The New York Times Co faces several possibilities for survival, he did not tap into a planned news event. He analyzed a balance sheet and made conclusions. Much of the news that comes out is because beat reporters see connections and draw conclusions that are not opinion, but reasoned and accurate viewpoints based on evidence out there that resists coalescing into a larger news event because most of us don't get it. That's why we have journalists, and this is a great example of that. And now for the full disclosure: I'm Robert MacMillan. I am a reporter at Reuters who covers the journalism business, and I worked at washingtonpost.com for many years with Brian. I sat right across from him so I know what he eats for lunch. Posted by: easymac | November 11, 2008 9:45 PM "
When it comes to these sorts of things, oft times law enforcement and intelligence agencies who know about a source of major operations DON"T shut them down, so as to build a case against the bigger players or to maintain the ability to track what is going on. Given that this is a US-based corporation with US-based servers, I wonder if this shutdown has seriously compromised on-going monitoring and criminal cases. While this has almost certainly seriously disrupted operations of the various bad guys for now, I would give it only a few days before they're back online based at overseas locations where they're less easily reachable. Except for some script kiddies, the operations are all sophisticated enough to use standard techniques such as multiple hardcoded fallback IPs. DNS redirection, and using fake BGP announcements to hijack IP blocks to get back online.
--Paul
This is their AUP from 2005 (Mccolo.com)
Acceptable Use Policy (AUP)
All Maxis' Commerce colocation or dedicated server customers are bound by the following Acceptable Use Policy. This document may be updated from time to time. Please consult this site periodically for the most recent revision of this document.
No Maxis' Commerce customer shall:
Do anything illegal or anything that adversely affects Maxis' Commerce legal interests. The following list is non-exclusive, and should not be considered license to commit other illegal activities not specified below. All illegal activity is prohibited, and Maxis Commerce will cooperate fully with any law enforcement officials and/or agencies investigating and/or prosecuting such activities.
Cracking/Hacking - attempts to access accounts or systems other than the userâ(TM)s own accounts or systems or an account or system that the user has been explicitly authorized to access is illegal under federal and state law.
Child pornography - as defined by U.S. law. This is strictly prohibited and dealt with quickly and harshly.
Interstate gambling - because Internet traffic generally ignores state and country boundaries, any Internet based gambling site is restricted by Federal Inter-state gambling regulations.
Pyramid schemes or fraud - are illegal under a number of Federal, State and Local laws.
Theft of services - attempts to utilize services that are not contracted for is considered theft and will be dealt with as such.
Harassment - use of Maxis' Commerce network to harass or threaten (in the legal sense of those terms) any other person is prohibited.
Please consult an attorney if you are unsure of the legal status of your activities.
Do anything that threatens the integrity of Maxis' Commerce network or the utilization there of by other persons.
Denial of Service (DOS) attacks - no customer will commit a DOS attack against any Maxis Commerce customerâ(TM)s host, or any other host on the Internet. Similarly, no Maxis Commerce customer will willfully or negligently allow incitement of others to attack any host on Maxis' Commerce network, or any other host on the Internet.
Blacklists - No customer shall do anything that could get any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer) put on blacklists such the RBL (Realtime Black List) as maintained by MAPS (http://www.mail-abuse.com) or other similar organizations, or perform activities that would cause portions of the Internet to block mail or refuse to route traffic to any portion of Maxis' Commerce IP space (or address space announced by Maxis Commerce on behalf of Customer).
Perform actions that cause unusual load on Maxis' Commerce servers (for example, mail servers, web servers, usenet servers, name servers, etc.), that cause slowness or denial of service to other Maxis Commerce customers.
Do anything that threatens the Internet or any other network.
No customer shall take actions that cause any portion of the Internet, or the Internet as a whole, to become unusable to any other portion of the Internet, or the Internet as a whole.
No customer shall take actions that degrade the usefulness of the Internet, or any portion of the Internet, either through network degradation, flooding of usenet or email or so on.
Spam - No customer shall send unsolicited commercial email, unsolicited mass mailings, spam or flood usenet newsgroups, or anything of that sort. If you have questions about what is allowed and what is not, please email abuse@mccolo.com for clarification.
No spam may originate from Maxis Commerce IP space.
No spam may advertise sites or services located on Maxis Commerce IP space (even if the spam originates elsewhere).
No Maxis Commerce customer shall use third party mail servers to relay spam. This is considered a DOS attack on the third party and will be treated as such.
No customer shall participate in pyramid schemes
----- You know you have ego issues when you register a domain in your name.
MY SITE IS DOWN!! WTF !
Eye for an eye and half of the world will have just one eye!
Also FTA:
'Two hours later, I heard from Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo.
Hurricane Electric took a much stronger public stance: "We shut them down," Ng said.
"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow! Within the hour we had terminated all of our connections to them."'
So, after much hand-waving here, and elsewhere, about what info the Gov. and your ISP may be collecting about you, they could not spot this, a major spam, child-porn and theft site?
Maybe the honest version would be;
"We were making shitloads of money out of selling bandwidth to these bastards, 'no questions asked', but now you've blown the whistle on them I guess we've gotta look responsible."
This couldn't be by volume. Given the amount of spam that everyone receives every day, I don't think a single ISP could possibly generate 75% of it. It would take multiple gigabit connections and I'm sure someone would have already noticed that kind of traffic coming from one place.
I have come to the conclusion that it must be impossible to engage in any criminal activity which does not somehow involve child porn, as it seems to me that all stories of illicit behavior include accusations of trafficking in child porn.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
I use a procmail filter that sends mail from known addresses into my mailbox, and dumps everything else into a "garbage" file that I check every morning before deleting it, (on the off change that a friend or business has sent mail from a new address). This morning for the first time in *years*, the file was empty.
...once the folks who sell spam and porn find a hosting provider who turns a blind eye, they tend to stick with it and consolidate their operations. Paying attention to Spamhaus and the more reliable botnet trackers tells me where these operations are located, and helps me write good gateway filters for my employer, my house, and my friends. Cutting off internet access tends only to disperse the nere-do-wells rather than stop them, and I have to start over again tracking and writing new filters. In other words, I like to know where these guys hang out so I can avoid them, the same way I avoid the riff-raff in the physical city where I live.
I think its great that someone is doing something about the problem, but I don't think it should be the ISP. We already have laws against spam and certain porn, and it should be up to the government to enforce those laws. Vigilantism is never the answer.
The tried-and-true way works: if you have evidence, take it to the police. If the police won't do anything, take it to the press. Sure it takes a little longer, but it keeps - in this case your internet connection - safe from the Random Crusader. And the criminals may actually get arrested.
So, how much spam does everyone get each day on average?
Well, according to my mail logs, my mail server that currently provides mail service for myself in the past 8 hours:
Has blocked 2879 messages, based simply on the IP address, using RBLs.
Has blocked 1013 messages, based on some early tests in mail delivery.
Has passed 176 messages on for further filtering, with my address. I haven't checked how many were to my wife or to invalid addresses. Typically that's several hundred an hour.
The next level of filtering:
Dropped 18 messages completely.
Filed 127 messages in the "probable spam" box, where they will be deleted within a week.
Delivered 31 messages to my home server.
Of those messages, about half of those were filed as "spam" by Apple's Mail.app.
That's pretty low by my standards. Good work.
For all those who don't believe that a single ISP can be responsible for this amount of spam: take a look at the munin graph from our spam scanner. When I looked at it in the morning I went "huh, did I misconfigure something on our mail server?", didn't find anything, went to Google News and submitted to /. shortly after that.
For erections lasting more than 4 months, see a mason.
This shows a dramatic reduction in spam as of yesterday 4PM EST.
Will be interesting to watch it climb back up....
A fool throws a stone into a well and a thousand sages can not remove it.
http://www.spamcop.net/spamgraph.shtml?spamweek
Look at Tuesday's sharp drop off coinciding with the shut down.
If I can not smoke in heaven, then I shall not go. -- Mark Twain
From their press release: "In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening."
...because you never know who you're dealing with.
Pedophiles tend to be gullible and desperate
citation needed
c++;
Welcome to Casual Conversation. Many of you may already know this, but Casual Conversation is not Wikipedia. Wikipedia rules such as requiring citations and not allowing original research do not, in fact, apply here. This may be confusing to first-time users, but we hope you will soon adapt and find out the joys of Casual Conversation.
Enjoy your stay!
Sounds about right.
I spent significant time yesterday, concerned that recent firewall and DNS changes had had unintended side effects: my inbound mail volume dropped by about 70% around 16:30 eastern.
Thank God the washingtonpost.com guys posted to netnews (almost) right away.
Do daemons dream of electric sleep()?
Now it's time for some federal law enforcement action. Over at McColo, there will be records that indicate who's behind the spamming and botnet operations. They'll know who paid for servers. There will be phone records showing who made support phone calls to McColo.
McColo is in San Jose, and the San Francisco office of the FBI, which covers Silicon Valley, has a Cyber Intrusion Squad. It's their job to start digging and find out who's behind the spam operations.
Even if the people behind the spamming tried to stay anonymous to McColo, the odds are that they slipped up somewhere.