McColo Briefly Returns, Hands Off Botnet Control

A week ago we discussed the takedown of McColo (and the morality of that action). McColo was reportedly the source of anywhere from 50% to 75% of the world's spam. On Saturday the malware network briefly returned to life in order to hand over command and control channels to a Russian network. "The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to ... Trend Micro. The brief resurrection allowed miscreants who rely on McColo to update a portion of the massive botnets they use to push spam and malware. Researchers from FireEye saw PCs infected by the Rustock botnet being updated so they'd report to a new server located at abilena.podolsk-mo.ru for instructions. That means the sharp drop in spam levels reported immediately after McColo's demise isn't likely to last."

How to stop internet crime

We have a global network of humanity, yet our government structures are still based on ancient geographical distinctions. In order to govern the net (and to coin another useless buzzword) we need Government 2.0.

Re:How to stop internet crime

What you're advocating is direct democracy. Direct democracy has never and will never work. Don't you people ever learn?

Re:How to stop internet crime

How many times has web-based direct democracy failed?

On the contrary, aren't open source projects an example of the success of leaderless democracy?

Re:How to stop internet crime

[Iamthecheese]

Thats right! Direct democracy can never work. Which is what made Switzerland such a hellhole

Re:How to stop internet crime

[Seraphim1982]

Your link doesn't mention anything about Switzerland being a direct democracy. So what exactly was your point?

Re:How to stop internet crime

[Iamthecheese]

oh? Well how about this one?

Re:How to stop internet crime

[the_womble]

Ancient Athens was a direct democracy as well, and a society that contributed a huge amount culturally. Although they did not give women the vote - or slaves, or people of foreign ancestry.

I rather like the idea of picking people for public office by lot. It eliminates the selection bias towards self-important interfering busy-bodies.

Re:How to stop internet crime

[Iamthecheese]

I am a manager you insensitive clod!

Re:How to stop internet crime

Your first reference didn't didn't even hint at direct democracy in Switzerland. The second one claims it, and then proceeds to detail what is actually NOT a direct democracy by any reasonable definition.

There are ELEMENTS of direct democracy (just as there are in many of the states of the U.S., where binding initiative petitions are provided for), but basically Switzerland seems to be exactly what your first reference states: a representative democracy basically in the form of a federal republic.

It seems to me that these elements give it a critical superiority to the U.S. federal government, but in order to be a true direct democracy, ALL legislation and constitutional adjustments would have to be purely via direct popular vote, or at the very least ORIGINATING from popular initiative.

And no, I agree with the consensus of the U.S. Constitution framers that a true direct democracy would be unworkable and/or undesirable. Switzerland sounds like an excellent combination of elements of direct democracy with a core that is basically a representative democracy.

Re:How to stop internet crime

[Iamthecheese]

The first link was intended to convey Switzerland's status as a very nice place to live. I thought the fact that Switzerland is a direct democracy is common knowledge. And it is, in fact, a direct democracy.

Re:How to stop internet crime

ELEMENTS of direct democracy does NOT make a direct democracy. Absolutely agree it is a well thought out system, though.

Re:How to stop internet crime

The idea is growing. http://www.metagovernment.org/wiki/Related_projects

Re:How to stop internet crime

[WgT2]

On the contrary, aren't open source projects an example of the success of leaderless democracy?

No.

Are there examples of open source projects that do not have a 'leader': I don't know, are there?.

But the most successful are the ones with a leader - it tends to foster focus and, thus, unity.

Re:How to stop internet crime

[crotherm]

Thats right! Direct democracy can never work. Which is what made Switzerland such a hellhole

Switzerland Pop. 7,591,500

U.S.A. Pop. 305,690,000

California Pop.36,553,215

So you see, direct Democracy sort of works in California. But as you see, the majority just put a minority into a second class status. I cannot image the horrors of letting over 300 million people vote on issues of Rights. Switzerland doesn't even have the population of Los Angeles county, 9,878,554. So your example is not very valid when talking about USA.

Re:How to stop internet crime

[badkarmadayaccount]

Great work, mods! /sarcasm

In Soviet Russia

Sesame seed bun is on two all spam patties, special sauce, lettuce, cheese, pickles and onions.

Re:In Soviet Russia

[RuBLed]

I for one welcome or "Next Generation" (tm) Soviet Russia overlords.

Let's turn TeliaSonera into a smoking crater next

[Nimey]

they should have terminated their contract with these assholes immediately instead of letting them back up.

Can they hear me now?

I can't find an abilena.podolsk-mo.ru any more. It's giving me an NXDOMAIN, though that could be the firewall here.

Pity that, I was thinking about pinging them a few million times. You know, as a connectivity test.

Re:Can they hear me now?

[Fastolfe]

Check the article for the IP address. Reverse DNS still resolves to that name, but it's not clear to me that forward DNS ever resolved.

Re:Can they hear me now?

[demiurgie]

Please, dont do this.
These servers were plugged off on early monday (local moscow time), as soon we got contact with podolsk-mo. The networks of bad guys were:
62.176.16.0/22 (they got from local ISP)
91.200.144.0/22 (client's network)

Uncongested Relief!

[IgnacioB]

I gotta say the past week without so much SPAM has been like having a 10 year head cold where I've become more and more congested...and just lived with it. To suddenly have the congestion stop for just a week....I almost forgot what life is SUPPOSED to be like without a clogged sinus of an Inbox. Damn spammers! I wish I could have one pointed out and slap them up side the head....and then let the other million of people get to slap them. Then after that slapfest.....find a person that bought something from a spammer and slap them. If there were ever a time for authorities to get involved...it would be now! Raid that ISP and you know they'd catch some guilty folks...some of which could flip.

Re:Uncongested Relief!

[magarity]

I wish I could have one pointed out and slap them up side the head
 
While we're having wild fantasies, I wish I had a time machine to go slap the idealistic hippies who originally designed the fledgeling network with practically no verification or security ON PURPOSE.

Re:Uncongested Relief!

slap?

far far too tame.

I'd like to stab them all in the brain.

Too extreme? These people waste time and resources all across the planet. And prey on everyone they can in anyway they can.

The world would be better off without them.

Re:Uncongested Relief!

[statemachine]

While we're having wild fantasies, I wish I had a time machine to go slap the idealistic hippies who originally designed the fledgeling network with practically no verification or security ON PURPOSE.

Speaking of wild fantasies about idealist notions... Ever wanted to be paid for work that wasn't asked for or justified at the time?

Re:Uncongested Relief!

[PhattyMatty]

Does anyone else think that this story could make an excellent antagonist-as-the-main-character film?

Re:Uncongested Relief!

[fuzzyfuzzyfungus]

Not too extreme; but too quick.

Re:Uncongested Relief!

[magarity]

Hey, we were trying to keep it within the real of the possible until you came along.

Re:Uncongested Relief!

[Earthquake+Retrofit]

The internet is not suitable for commerce. Never has been, never will be. If you want something that is, make it yourself. Old Hippy

Re:Uncongested Relief!

[mikael_j]

I wouldn't really say it was their fault since the network wasn't really meant to be flooded with untrusted nodes. Up to the late 80s/early 90s pretty much every node on the network could be considered "trusted" in one way or another, and doing something stupid like flooding the network with spam would have resulted in the node and its operator becoming persona non grata.

Then AOL happened...

/Mikael

Re:Uncongested Relief!

[Lincolnshire+Poacher]

> I almost forgot what life is SUPPOSED to be
> like without a clogged sinus of an Inbox. Damn
> spammers!

Why are you blaming the spammers?

Spammers will exist and profit until everyone on the Internet starts treating their e-mail addresses with the same privacy and regard that they extend to their home telephone numbers.

If you were to walk around town posting your phone number in every corner shop window with a demographic profile of yourself attached, would you then blame sales drones who called your number?

Re:Uncongested Relief!

Okay. So you know those annoying "send this warning to everyone you know" emails that go round and round...
What if, someone wrote a set of instructions: "how to know if your computer is part of a botnet"? Add some instructions for how to clean the mess up. Put a subject line on it like "Urgent! send to everyone you know", and send it out into the world? Think, maybe that would put a dent in the problem?

Re:Uncongested Relief!

[MilesAttacca]

Spam still happens, spam blasters can generate random likely-to-exist addresses and ship out all the e-mail they want in the hopes they'll hit a few that really do exist.

For example, andrew@aol.com, adam@aol.com, aardvark@aol.com...

Re:Uncongested Relief!

[Thuktun]

Spammers will exist and profit until everyone on the Internet starts treating their e-mail addresses with the same privacy and regard that they extend to their home telephone numbers.

You asked for it, wearing that address.

Re:Uncongested Relief!

[janrinok]

I have had the same experience. Much reduced spam for over 10 days but now it is almost back to earlier levels.

So much for little pleasures

[bfmorgan]

I did so like not having to have all that crap in my server's inbox

Re:Let's turn TeliaSonera into a smoking crater ne

[martinw89]

What, you mean TeliaSonera?

By the way, no one click on that link.

Alas...

[Amazing+Quantum+Man]

This is an example of the old saying "The Internet treats censorship as damage and routes around it".

Unfortunately, this is happening for the bad guys as well as us.

Re:Alas...

[Renraku]

The Internet could route around McColo too, if say, it were burned to the ground in the middle of the night. Or barring that, some 'hard pipe-hittin' thugs' somehow gained access to the building and went on a smashing spree. Anyone want to set up a donation box to hire somee thugs?

After all, what's this doing for us? It sounds almost like..well..treason! A foreign power is accessing systems in the United States and is using those systems to infect/enslave other systems. I wouldn't shed a tear if a black ops detachment traced the stuff back to its source and C4ed the offending equipment/operators in Russia or wherever they're coming from.

Re:Alas...

Donation? No. Somebody fetch me a pipe.

Re:Alas...

Send Bourne after them. Pistol with a silencer to the back of the head. Use an EMP on the datacenter.

Re:Alas...

"Unfortunately, this is happening for the bad guys as well as us."

Yes, us, the other bad guys. MU-HAHAHAHAHAHAH!!!

Re:Alas...

[wiz_80]

You would have to hire Bourne through a series of deniable cut-outs, though.

Basically a Bourne shell game.

Boom boom!

Re:Alas...

[RichiH]

You imply that I am a good guy. I object that statement.

This just in!

[LockeOnLogic]

After whacking down a mole, they continue to pop up!

Re:This just in!

They need bigger guns!

Re:This just in!

Slowpoke.jpg

Re:Let's turn TeliaSonera into a smoking crater ne

[moderatorrater]

I don't see why. 15MB/sec for 12 hours is rougly 650 gigs - a lot, but a single external hard drive could have pulled it off. At most they shaved a week off their time to get the botnets back up and running at full capacity.

Epic Fail.

[girlintraining]

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers. Must have been pretty righteous. Of course, now it looks like they're going to have to play a game of whack-a-mole. What ISP shall die next at the hands of vigilante justice? Will my internet connection go down because someone uses my ISP for spam? If my computer becomes infected with malware, how long before I have 'researchers' digging through my private data? What will the next press release say -- Russian NAPs taken offline by massive DDoS initiated by "researchers" from the United States? How long until this kind of behavior sparks an international incident?

This is all eerily similar in scope, methods, and results to a real world issue; The war on drugs. You see, there's an economic incentive to do this. As long as that incentive remains, all you're doing is changing the face of the problem. Today it's hackers in Sweden. Tomorrow it's script kiddies in Russia. Next week it'll be unemployed programmers in Romania. And how can people justify this kind of behavior in the name of "research"? It's the same kind of attitude that the DEA has -- which is to use ever-increasing levels of force, and to continually lower the standards they have to adhere to in order to "catch more criminals". At some point it de-evolves to the Judge Dredd scenario... People driving around metting out instant 'justice', with no review or appeals process to speak of.

Re:Epic Fail.

[rossz]

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

Let's say you rent some space anf open a small convenience store. You work hard and make a modest living. Then your landlord rents out the shop next door to a crack dealer who's thriving business attracts a swarm of lowlifes who destroy the neighborhood. Are you going to be upset with the neighborhood watch when they make a fuss, or are you going to be upset with your landlord?

Re:Epic Fail.

[Fulcrum+of+Evil]

Question of the day: is this a mediocre troll or do you actually believe this? Your complaint doesn't exactly line up with the facts.

Re:Epic Fail.

[maxume]

People want drugs.

No one wants spam.

Your comparison of the two doesn't make any sense.

Re:Epic Fail.

At some point it de-evolves to the Judge Dredd scenario... People driving around metting out instant 'justice', with no review or appeals process to speak of.

...but he IS the law.

Re:Epic Fail.

[Seakip18]

If you have "malware" on your computer, your private data is already being exposed. It could just as well be a bot net operator whose combing through your data. Who'd you rather have digging through your infected computer?

Besides, the guys used possibly ill-gotten information that was true to convince the upstream provider to shut down the ISP. The experts didn't run into the data center, pulling plugs in a rage...though that might make a neat comic book. In truth, you should blame the upstream providers. Seriously, this isn't Governments running around meting out justice. This is companies listening to private organizations.

Re:Epic Fail.

[Microlith]

What are you smoking? Or rather, are you someone arguing a point without a clue.

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

Whether they had any legit customers is suspect. If they did, I'm sure they would have come to light very quickly.

Will my internet connection go down because someone uses my ISP for spam?

No, your ISP will be notified about spam originating from its networks and they'll either deal with the user who is undoubtedly violating their TOS or the ISP's IP range will be entered into mail blackhole lists. Nothing new there.

If my computer becomes infected with malware, how long before I have 'researchers' digging through my private data?

Unlikely, and sadly you probably won't get punted off the net like you should. Instead, your computer will continue to be abused for the purposes of these criminals.

Your efforts to compare this to the drug war are completely irrational, as their causes and symptoms are wildly different. On top of that, there was no government involvement here.

Re:Epic Fail.

[girlintraining]

To use your analogy, sir... I would get a camcorder and record the activity. I would then turn that over to the police and wait for the wheels of justice to smash the dealer into hamburger. Then, as he could no longer pay rent, my landlord would find a new tenant who would very probably NOT deal drugs. So no, I wouldn't harbor any ill-will towards the landlord, why would I? My money's as good as the next person's, and I can't expect him to know in advance about something like this.

Re:Epic Fail.

Oh suck it.

You sound like a spammer trying to make his business looks good and honest. At the end of the day, it's still unsolicited garbage thrown at you about scams, possibly dangerous medication and viruses leading to botnets and DDoS attacks. There's absolutely no redeeming quality about this kind of activity. At least for drugs you can be sympathetic to the scarface type of drug overlords, the poor farmers trying to make ends meet and the employment of thousands of people...right? right?!

Re:Epic Fail.

[TheRealMindChild]

wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers. Must have been pretty righteous. Of course, now it looks like they're going to have to play a game of whack-a-mole. What ISP shall die next at the hands of vigilante justice? Will my internet connection go down because someone uses my ISP for spam?

Well, frankly, yes. An ISP that turns a blind eye to such activities as accused, is just as good as helping the bad guys. And guess what... this is a war where almost anyone is willing to take casualties to end it. Now the innocent bystanders know they were dealing with shit for an ISP and have a big sign in front of their face to move to someone more reputable. It is a win for everyone, except the nefarious spammers/botnet operators that were put out by it. There is no sympathy for these folks.

Re:Epic Fail.

[girlintraining]

So you're comfortable with your small penis, then? Okay, more seriously though -- if spam wasn't profitable nobody would be doing it. My comparison of the two is based on how people are attacking the problem, not the source of the problem.

Re:Epic Fail.

[robertjw]

Obviously some people do want spam, or at least buy things from spammers. If they didn't, no one would send out spam. His comparison does make sense, spam is big business. As long as it's profitable, it will exist. When it ceases to be so, it will go away.

Re:Epic Fail.

[Zak3056]

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

Wait, are we talking about the same "legitimate commercial enterprise" mentioned in this story, the one that apparently came back from the dead just long enough to pass off control of a botnet? If anything, this followup story proves that McColo's death wasn't just justified, it was long overdue.

Re:Epic Fail.

[imneverwrong]

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

RTFA. They reported TOS violations to upstream providers. It's not like they firebombed the data center. Furthermore, the presence of legitimate clients isn't that great a defense - lots of criminal enterprises have "fronts" that do legit business to mask the illegal activities.

Re:Epic Fail.

[st0rmshad0w]

And when your drug-dealer neighbors are right over the border outside your PD's jurisdiction and the other PD has no interest in pursuing it?

To continue the analogy.

Re:Epic Fail.

[Cajun+Hell]

I would get a camcorder and record the activity. I would then turn that over to the police and wait for the wheels of justice to smash the dealer into hamburger.

And if the police do nothing?

Re:Epic Fail.

[girlintraining]

So, how long have you been beating your wife for, Mr. Fulcrum?

My complaint is that the first ISP that this botnet used is now in shambles. Now the backup ISP for this has gone active and transferred control to a third ISP in Russia. I'm just curious to find out how long those other ISPs are going to be around, and whether we as a community are prepared to deal with where this line of thinking ends. What's to prevent them from doing this every few months and leaving a trail of dead service providers in the wake of our new definition of "justice" as the botnet owners simply hop from one provider to the next?

Re:Epic Fail.

[maxume]

That's why your comparison doesn't make any sense. Drugs are a demand driven problem; attacking supply centers simply leads to more supply popping up. Spam is a supply driven problem; attacking supply centers leads to less spam.

If you really think that ISPs will continue to operate with gray customers, I guess you might think this is wack-a-mole, but ISPs have plenty of legitimate business and will have no problem ceasing doing business with spammers. This ISP didn't do that and learned a hard lesson. They were not a good-actor here.

Re:Epic Fail.

[girlintraining]

In this highly hypothetical situation, I'd go to the local TV station with my recording(s) and a statement from the police indicating their lack of interest.

And "to continue the analogy" if that doesn't work I'll just transform into Optimus Prime and destroy anyone who keeps on about hypothetical situations instead of using common sense.

Re:Epic Fail.

[Aladrin]

I believe the phrase is:

If you aren't part of a the solution, you're part of the problem.

Re:Epic Fail.

[Fulcrum+of+Evil]

What's to prevent them from doing this every few months and leaving a trail of dead service providers in the wake of our new definition of "justice" as the botnet owners simply hop from one provider to the next?

That's simple - ISPs that value their continued existence will enforce their anti-spam/botnet policies rather than look the other way and take money from anyone who can pay. This isn't vigilantism, it's the upstream ISP dropping connectivity for contract violations when informed of the situation at one of their downstreams.

Re:Epic Fail.

[Falconhell]

Sigh

Way to ignore the obvious facts here.

The ISP had the option of blocking off the spammers.

They did not. Eventually, ISP who do not stop spam will be disconnected. The ISP that supported this botnet SHOULD be a shambles, they became that when they decided not to stop their clients spamming.

What will prevent them from going to new ISP is that ISP probably dont like being put out of business completely.

This should be a salutory lesson for the next ISP that is told they are sending spam.

I see no ethical issues, unless you are a spammer.

But I suspect troll is closer to the mark.

Re:Epic Fail.

[kv9]

you're quite the busybody there, aren't ya? yet you complain about other busybodies for knocking spammers offline. make up your mind Optimus Second.

Re:Epic Fail.

[st0rmshad0w]

And if it's not against the law right over the border?

Also, I should point out you ran with the hypothetical instead of reverting to the car analogy.

Re:Epic Fail.

[Shikaku]

It's the same exact problem.

Even if I pull numbers out of my ass and say that small % of the human population want illegal drugs, there's also a small population that responds to spam, sadly, wanting cheap viagra, etc.

The difference next to nothing.

Re:Epic Fail.

[Cajun+Hell]

So you're comfortable with your small penis, then?

Why do you think I eventually stopped beating my wife?

Re:Epic Fail.

[Plugh]

The Epic Fail is simply describable as "Government - always slow, expensive, stupid, and with perverse unintended consequences"

That may sound glib, but in a nutshell that's what economists like Milton Friedman and Murray Rothbard based their life's work upon.

Re:Epic Fail.

[girlintraining]

> Drugs are a demand driven problem; attacking supply centers simply leads to more supply popping up.

But if there wasn't a supply in the first place, there wouldn't be a demand problem... or so goes the logic. Attacking supply centers leads to higher costs as supply has diminished. Because the price is now higher, there's now more incentive for an agent to enter the market who can produce at a lower price. There's a few extra steps in this that make calling it either a supply or a demand problem a meaningless distinction; It's a self-balancing system.

E-mail is cheaper than a millionth of a penny in actual costs, so I don't see any way to resolve the issue. If there's even one person who would reply and buy $40 worth of penis enlargement pills, that one person has just paid for about 20 billion e-mails to try to find the next person. Attacking the suppliers doesn't remove the economic incentive, which was the entire point of my original post!

It's a self-correcting system... At best they'll reduce supply to the point that new players enter the market who might be better prepared and vested in evading detection to protect their profits. This, of course, makes them even more difficult to detect and then turn over to the authorities to face prosecution. Taking away their means of production accomplishes nothing because the cost of re-entering the market is effectively zero.

The only long-term strategy that will have any impact is to use the criminal justice system to tag and bag these people. And at that, it's not a solution but a band-aid, but it will help more than vigilantism.

Re:Epic Fail.

[DarkOx]

I must agree while it seems more difficult this is a problem that must be fought both at the source and the target. Its one thing to go after bot net operators but someone should be going after negligent individuals who allow devices they are responsible for to become bots. I think the network must be managed. I think internet access SHOULD BE LICENSED, we don't let you drive a car on our public road without one because the hazard it would pose to others persons and property. We should not let you on our public network where your improperly operated equipment might threaten the use of mine and others.

There should be an exam that all individuals with access must pass that is demonstrative of some learning about how tcp/ip works, what firewalling is, why maintaining your systems is important. I don't think you should be liable for something a cracker does with your system after you have been 0wn3d because that would pose to much risk but you should get cut off. If you can't demonstrait that you attempted to maintain your systems they you should not be let back on.

Re:Epic Fail.

[girlintraining]

Yeah, that's really ethical -- since everybody else is robbing the store, I suppose I can help myself too.

Re:Epic Fail.

[sqlrob]

if spam wasn't profitable nobody would be doing it

Not necessarily. Spam may not be profitable, spamming may be. If you convince someone to pay you to spam for them, whether or not the spam itself generates any profit, you hustled them out of the money.

Re:Epic Fail.

[MarkvW]

Life doesn't work that way. Dope dealer after dealer would flock to the complaisant landlord--despite the busting of the previous dealer--just like spam/malware pushers would flock to the complaisant ISP after one got caught.

And spammers are harder than drug dealers to prove guilty beyond a reasonable doubt.

If an ISP facilitates trespass on my computer, then the ISP is WRONG and should be stopped. That's my story, and I'm sticking to it.

Re:Epic Fail.

[girlintraining]

The innocent bystanders with perfect knowledge of the situation defense... I can't believe you got a +5 for trying to tell people they should know better. "My car exploded because of defective fuel lines!" "Well you should have expected that since everybody knows the manufacturer was poor quality."

Re:Epic Fail.

[aproposofwhat]

They obviously aren't a legitimate commercial enterprise, though - their actions in attempting to transfer control of the botnet on Saturday prove this.

To use your 'war on drugs' analogy, they are like a bunch of dealers operating under cover of a pizza delivery service.

They get shut down, and people like you whinge because you liked their pizza, even though you never bought their drugs.

Get over it and choose a different pizza joint.

Re:Epic Fail.

[girlintraining]

> Whether they had any legit customers is suspect. If they did, I'm sure they would have come to light very quickly.

You're making an assumption, just like they did.

> No, your ISP will be notified about spam originating from its networks and they'll either deal with the user who is undoubtedly violating their TOS or the ISP's IP range will be entered into mail blackhole lists.

That isn't what happened here, sir.

> Unlikely, and sadly you probably won't get punted off the net like you should. Instead, your computer will continue to be abused for the purposes of these criminals.

> Your efforts to compare this to the drug war are completely irrational, as their causes and symptoms are wildly different. On top of that, there was no government involvement here.

They're both caused by socially disadvantaged people who are desperate for a solution to their problems. The symptoms are a proliferation of product that the majority of people don't want. And the solutions thus far have both been aggressive prosecution, vaguely defined law enforcement actions, public denunciation, etc. It's not irrational to compare them -- they're both unwanted, and they both have unintended consequences.

Right, because the operator should be punished for the manufacturer's failings.

Re:Epic Fail.

[Seakip18]

You didn't answer the question. By you being careless/clueless enough to become infected, your data is already exposed for anyone who cares to pay. Who would you rather have digging through your data?

And, by your poorly chosen analogy, researchers studying the malware generated traffic of your data back to the operators are "robbing the store".

Just because they're in a store, doesn't mean they're stealing. Hell, they may be trying to stock up on TP. I know I would.

Anyways, you're new here. Welcome to /.

Re:Epic Fail.

[Nefarious+Wheel]

...if that doesn't work I'll just transform into Optimus Prime...

Good telco, that.

Re:Epic Fail.

And when the police force the entire building to be shutdown because of the meth lab, and you are unable to do your business?

Re:Epic Fail.

[dammy]

Question is why wasn't the ISP watching it's customers for this obvious violation of ToS? If they just wanted the money from the bot netters, they deserve whatever happens to their company.

Re:Epic Fail.

[smoker2]

Where do you get "vigilantes" from ? Vigilantes are traditionally people who operate outside the law. Nothing done by either the Post or Security Fix was outside the law. They did nothing more than I do when I notice one IP address has been hammering my SSH port for a few hours. I copy the relevant logs and show it to the abuse admin at the owner of that IP block. They even ask you to do that* ! Maybe you don't include running a botnet in "abuse" but the rest of us do.

I repeat, how do you get "vigilantes" out of that ? I could understand it if the researchers cut the fibre leading to the building, but reporting the malicious activity to the persons who were carrying it ? I also would prefer it if you used the term IPP (internet presence provider) rather than ISP, as ISPs usually provide connectivity whereas IPPs provide hosting. They are not always the same (type of) organisation. No ISPs suffered through this action as they were the ones taking action, in fact their "tubes" were probably a bit less clogged as a result.

Get a grip !
Anyway, if you were unlucky enough to be using McColo for hosting, then I wouldn't suggest you trust the integrity of your own sites or machines. Better off moving hosts and using verified backups.

]$ whois 86.128.88.75

[Querying whois.ripe.net] [whois.ripe.net] This is the RIPE Whois query server #1. The objects are in RPSL format.

Rights restricted by copyright.
See http://www.ripe.net/db/copyright.html

Note: This output has been filtered.
To receive output for a database update, use the "-B" flag.

Information related to '86.128.0.0 - 86.135.255.255'

inetnum: 86.128.0.0 - 86.135.255.255
remarks:
remarks: * Please send abuse reports to abuse@btbroadband.com *
remarks:
netname: BT-CENTRAL-PLUS
descr: IP pools
country: GB
admin-c: BTCP1-RIPE
tech-c: BTCP1-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to abuse@btbroadband.com
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
source: RIPE # Filtered

role: BT CENTRAL PLUS - OPERATIONAL SUPPORT
remarks:
remarks: * Please send abuse reports to abuse@btbroadband.com *
remarks:
address: BT
address: Wholesale
address: UK
abuse-mailbox: abuse@btbroadband.com
admin-c: PC487-RIPE
tech-c: SR401-RIPE
nic-hdl: BTCP1-RIPE
mnt-by: BTNET-MNT
source: RIPE # Filtered

Information related to '86.128.0.0/10AS2856'

route: 86.128.0.0/10
descr: BT Public Internet Service
origin: AS2856
mnt-by: BTNET-MNT
source: RIPE # Filtered

Information related to '86.128.0.0/12AS2856'

route: 86.128.0.0/12
descr: BT Public Internet Service
origin: AS2856
mnt-by: BTNET-MNT
source: RIPE # Filtered

Re:Epic Fail.

[girlintraining]

I think you missed the point -- often times, a system can become infected without the user taking any action. It can't be the user's fault 100% of the time unless the technology is perfect, flawless, and that isn't true. Neither of which addresses the issue of whether it's okay for someone to enter my system just because they flashed a "researcher" badge.

Re:Epic Fail.

[maxume]

A significant percentage of the human population (in the United States) wants illegal drugs.

Spam is driven by the people purchasing the spam runs, not by the people who get the spam. I guess there might be several million people who repeatedly buy penis enlargement pills and other drugs over the internet, but I don't really think so.

Re:Epic Fail.

More like "You now have no reason to acknowledge that your car is going to blow up in your face. Any putting off getting a new car only gets you what you deserve"

Re:Epic Fail.

[tylerni7]

I think a better analogy to this would be if your landlord rented out a special space where people could sell things (kind of like a mall) and many of the tenants used their rented space to sell drugs, or child pornography, or guns, or other illegal things.
Now for some reason, it turns out that the people renting out space to do illegal things are foreign ambassadors, and the government can't directly touch them.
I don't know about you, but I think it makes sense for the government to go after who they can, and take down the landlord, even with the legitimate tenants.

On a more direct note, I don't think that a lot of commercial enterprises were using McColo. I am quite sure that McColo's unique stance on legal matters made the cost of it far more than a normal provider, and there certainly is no lack of commercial hosting providers. Further, McColo was very well known for questionably legal activities. If you were using their hosting services, even if it was for legal things, chances are you were well aware what everyone else was doing.

I really don't see what the problem is, it's not like the government did this without warning. You can bet McColo has gotten numerous notices requesting that they stop helping spammers and bot-net controllers, but they simply chose to ignore them. They were knowingly participating in illegal activities, so the government shut them down. Seems pretty simple, really.

Re:Epic Fail.

[DaveV1.0]

WTF? Are you one of those spammers and botnet herders? You are a whiny little ass, you know that? And, you are probably a drug abuser, judging from your moronic WOD comments.

This POS ISP could have taken care of the situation but didn't. So, people went to the ISPs upstream provider and reported the lack of action and violation of TOS. You know, they followed the fucking process.

Tell me, are you one of these assholes who thinks they should be able to run roughshod over everyone else then cries like a little bitch and says it is so unfair when the tables are turned? You sure sound like it.

Maybe you should go back down into your mommy's basement, light up, and waste the rest of your life in a haze. It is not like you can actually deal with the real world and personal responsibility.

Re:Epic Fail.

[girlintraining]

The facts do not support the conclusions here! Fundamentally, the argument that people keep siding with is "it's okay to nuke an ISP that harbors spammers." This argument is made on emotion -- the frustration we all share about receiving spam and it's negative impact. Those emotions don't consider the unintended consequences, which is that innocent people can be harmed when this course of action is taken. The legal system in this country is heavily slanted towards keeping the innocents out of the line of fire at whatever cost; An ethical principle I happen to agree with.

The ISPs need to be held legally accountable for harboring spammers, which means using legal methods to make the cost of doing so high enough that they comply. By going through the backdoor and shutting off their connections, this weakens the entire market and the infrastructure of the internet at large -- because we are implying then that our personal ethics are more important than our legal obligations. What we're saying here is that agents in the market of providing internet services are free to excercise their own judgement -- which also means now they are liable for things like copyright infringement, or people passing child porn through their network, etc. It opens the door to accusations of selective enforcement, discrimination, and worse.

And calling me a troll, or saying that I support spammers, or that I am a spammer... Is a cheap way of ducking an uncomfortable truth.

Re:Epic Fail.

[Suzuran]

The problem is, once you give the government jurisdiction to decide who can and cannot use the Internet, they will use that power to further their own interests rather than yours.

No politician will ever vote to decrease his own power.

Re:Epic Fail.

[smussman]

I believe the phrase is:

If you aren't part of the solution, you're part of the precipitate.

Re:Epic Fail.

[tylerni7]

To start, having my infected computer crash yours is not even close to having my car crash into yours. I'm sorry but that just makes no sense whatsoever...
Besides that incredibly flawed analogy, I have some questions, such as:
*Who would administer these exams?
*How does one go about getting internet access enabled again?
*Is this controlled at the government level or by the ISPs?
*What happens if a country or ISP doesn't comply, do we not allow them on the internet?
*How do you verify that your license is valid?
*Who pays for the tests/how much does a license cost?
*How does this work if, say, I go to my friends house and use his/her internet connection?
*How does one verify that your computer has been compromised, and not that you are just doing something slightly out of the ordinary?

There are dozens if not hundreds more but I'm going to stop there. I really hope you weren't being serious...

Re:Epic Fail.

[Hotawa+Hawk-eye]

Let's use a different analogy. You rent one half of a house from your landlord. The person who rents the other half adopts a puppy, who uses your flower garden as a bathroom. Your fellow renter refuses to train their puppy to avoid ruining your garden, despite repeated requests to do so. So you take pictures of your fellow renter with their dog and hand them over to your landlord, who terminates your fellow renter's lease for violating the "no pets" clause of the lease.

Re:Epic Fail.

[DaveV1.0]

First and foremost, you are not a we. You do not speak for me or anyone other than yourself, so stop using we.

You keep forgetting that McColo had a contract with it's ISP which stated that it would not support spam and malware and that McColo completely ignored that part of the contract.

What about McColo's legal obligations? What about McColo's legal obligations to the upstream providers to uphold the contract between the upstream providers and McColo?

Do you want to know what our legal obligation is? It is to report spammers to their ISPs. And, if that ISP will not do anything about the spammers, it is our legal obligation to report the ISP to the upstream providers.

You are not a troll. You are whiney, immature asshole. Grow the fuck up.

Re:Epic Fail.

[DerekLyons]

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers.

Let's say you rent some space anf open a small convenience store. You work hard and make a modest living. Then your landlord rents out the shop next door to a crack dealer who's thriving business attracts a swarm of lowlifes who destroy the neighborhood. Are you going to be upset with the neighborhood watch when they make a fuss, or are you going to be upset with your landlord?

Making a fuss is writing down the license plate numbers of vistors to the crack house and tipping off the local news media to the lack of police intervention. Making a fuss is standing on the sidewalk handing out literature and carrying signs. Snipping the power and phone lines, turning off the water and gas, nailing plywood over the windows, taping up the ventilation systems, and changing the locks on the door? That goes well beyond 'making a fuss'.

Re:Epic Fail.

[DerekLyons]

Well, frankly, yes. An ISP that turns a blind eye to such activities as accused, is just as good as helping the bad guys.

Funny that - you're willing to take ISP's to task for turning a blind eye to spammers... But I bet you'd be the first to foam at the mouth if they shut down a file sharer.
 
 

nd guess what... this is a war where almost anyone is willing to take casualties to end it.

Almost anyone without scruples or morals, maybe. Those of us with both disagree. We actually care about the rights of others.

Re:Epic Fail.

[Surreal+Puppet]

As i understand it, that is exactly what the security researchers did. What happened (by analogy) was that the person that the landlord in turn rented from kicked him out. I don't think you can really place the blame on the security researchers in this case.

Re:Epic Fail.

[WhatAmIDoingHere]

Exactly, the ISP didn't get shut down, a group of security researchers got the ISP to shut off a customer that was breaking the terms of use.

Re:Epic Fail.

[Fulcrum+of+Evil]

innocent people can be harmed when this course of action is taken.

So what? This always happens. If we stopped doing things every time it could harm an innocent, we wouldn't do anything.

we are implying then that our personal ethics are more important than our legal obligations.

What you mean we, paleface? Anyway, what of McColo's legal obligations to its upstream? Oh yeah, they blew them off and got turned off.

Re:Epic Fail.

[Achromatic1978]

Really? You're claiming people are legally obligated to report spammers to their ISP?

In the words of Wikipedia, cite please. Because you're talking out of your ass.

You then claim that people are legally obligated to report ISPs to their upstream providers. I'm laughing, now.

Again, cite please.

It is also not anyone but McColo and their immediate upstream provider and the civil court system to mediate contract disputes, not anyone else. In fact, there's a concept you might want to learn about, "tortious interference", relating to third parties interfering in contracts between a first and second party.

Re:Epic Fail.

[shentino]

I thought it was mccolo's upstream that cut them off.

As to whether or not the goverment told them to cut off mccolo, I don't know.

Re:Epic Fail.

[Kythe]

Wow. And here I was going to say that this latest development (if the previous ones weren't enough) seemed to be rock-solid evidence that the people who run McColo knew exactly what they were hosting, and should go to prison for a long, long time.

Re:Epic Fail.

[zippthorne]

Ahh, but what if there are two groups of innocent bystanders, one of which is two or three orders of magnitude than the other, and protecting one means failing the other. Then what?

Re:Epic Fail.

[adolf]

Selling spam is not hustling any more than selling cars, furnace repair, or sex is: In any case, money is exchanged for goods and services.

I certainly get my share of spam, so I'd guess that on a given day they're generally doing pretty well at performing the services they were hired for.

Re:Epic Fail.

[Khyber]

QUICK NOTE TO SLASHDOTTERS:

Do not feed the troll. If you can't look at the name and immediately recognize 4chan retardism, you should probably NOT be on slashdot.

Re:Epic Fail.

[WTF+Chuck]

Damn, no mod points for me. I was wondering if a troll could be modded as "over rated".

If an ISP, or any of their customers, are in violation of the upstream provider's TOS, then it is the upstream provider's decision on what to do about the matter. I would hope that most upstream providers would notify the ISP that they are in violation, and give them the opportunity to correct the situation, but it could also very well end up with the ISP being disconnected. Very likely the contracts in place allow the upstream provider a lot of discretion in how to handle the matter. It was, after all, the upstream providers that pulled the plug after learning of the ISP's nefarious actions. This has nothing to do with criminal law, but rather civil law. If the ISP feels that it was disconnected for TOS violation unfairly, then they have every right to pursue remedy in the civil courts. I fail to see how breach of contract in civil law has anything to do with criminal laws dealing with drugs.

As for what happens when your machine is compromised. You should have known better. There is no way you can legitimately play the innocent victim. You are here on slashdot which implies that you are not a "Joe Luser" that doesn't know how to secure your systems from 99% or more of the malware that is out there. Please don't advocate for "Joe Luser" either. Problems like malware, botnets, and SPAM will continue to grow as long as "Joe Luser" is treated with kid gloves. It would suck to made an example of because of ignorance, but examples need to be made so that other "Joe Lusers" will wake up and learn enough to take care of their machines.

Re:Epic Fail.

[Falconhell]

Me ducking uncomfortable truth? LOL.

You said

The ISPs need to be held legally accountable for harboring spammers, which means using legal methods to make the cost of doing so high enough that they comply. By going through the backdoor and shutting off their connections,

Do you understand what a contract is?

Its very easy. They signed a terms of service agreement, then broke it, and refused to comply. There is nothing "backdoor" here.

You make alot of claims, but offer no evidence to support your claims. Nice try at a scare campaign, but "Epic fail"

The rest has been covered nicely by davev1.

Re:Epic Fail.

[billcopc]

You foolishly assume the police gives a fuck about you.

They don't. Video evidence or not, they just don't care. They work a shit job, for shit money, and get treated like shit by large swathes of society for being "party poopers". Do you sincerely believe they will take special interest in your well-being and put their own at risk to chase down small-time hoodlums ?

Re:Epic Fail.

[Falconhell]

The wisdom of Spock applies I think.

Sometimes the needs of the many outweigh the needs of the few.

Re:Epic Fail.

[billcopc]

QUICK NOTE TO SLASHDOTTER #864651:

Do not anger the /b/tards, for they are unsubtle and quick to anger! If you can't look at the thread and immediately recognize Slashdot groupthink, you should probably NOT be on the internets.

KTHXBAI!

Re:Epic Fail.

[Seakip18]

Other folks have already pointed out the moral relativity of the situation. I'm not going to go into how you expect to find a perfect technology that resolves sticky situations or relieves us of these "I'll take what we know is best for now and later"

Car Analogy time! Do you hold auto makers responsible for vehicle deaths because they didn't engineer them to stop perfectly or avoid accidents, regardless of the driver's skill? Do you not applaud the efforts of those trying to make those same vehicles safer?

Re:Epic Fail.

[_Sprocket_]

I wonder how all those security researchers feel after destroying a legitimate commercial enterprise and affecting a lot of people who weren't spammers. Must have been pretty righteous. Of course, now it looks like they're going to have to play a game of whack-a-mole. What ISP shall die next at the hands of vigilante justice? Will my internet connection go down because someone uses my ISP for spam? If my computer becomes infected with malware, how long before I have 'researchers' digging through my private data? What will the next press release say -- Russian NAPs taken offline by massive DDoS initiated by "researchers" from the United States? How long until this kind of behavior sparks an international incident?

Please feel free to show where in this case the researchers implemented a DDoS or otherwise took matters in their own hands to remove systems' network access. Otherwise, nice try at fear-mongering.

This is all eerily similar in scope, methods, and results to a real world issue; The war on drugs. You see, there's an economic incentive to do this. As long as that incentive remains, all you're doing is changing the face of the problem. Today it's hackers in Sweden. Tomorrow it's script kiddies in Russia. Next week it'll be unemployed programmers in Romania. And how can people justify this kind of behavior in the name of "research"? It's the same kind of attitude that the DEA has -- which is to use ever-increasing levels of force, and to continually lower the standards they have to adhere to in order to "catch more criminals". At some point it de-evolves to the Judge Dredd scenario... People driving around metting out instant 'justice', with no review or appeals process to speak of.

Ahhh. The "War on Drugs." I see where the fear-mongering came from; taking notes.

This so-called "War on Drugs" has little resemblance to this situation. Other than the fact that both of these involve crime. Unless you think this is some sort of cultural war as well?

So let's widen your scope a bit. Crime in general. Usually an economic incentive. Often implementing tactics and strategies that haven't changed for decades, if not centuries (heck... getting closer to apples-to-apples, many con games are over a hundred years old and still employed today... digitally even). Still illegal, still prosecuted. I suppose this is the wrong mind-set? We should just stop? Accept crime?

I don't condone all the horror-story scenarios you're suggesting. I'm no fan of the "War on Drugs" or the DEA. I don't support private DDoS tools or counter-intrusion methodology (Welchia is a nice object lesson). But then... NONE of that has anything to do with this case. But they do make nice boogey-men, don't they?

Re:Epic Fail.

[wiz_80]

Basically you want to go back to the good old days when it was really hard to get online at all, so the barrier to entry was high. Consumer ISPs lowered the barrier to entry, allowing all sorts of people online.

I do not think that the consequences have been purely negative, or even negative on balance. My parents are nobody's idea of computer scientists, but I am happy to be able to talk to them over Skype. On the other hand, if they got infected they would have no idea of how to fix it, or perhaps they would not even notice that they had been infected. I address this in the Correct Way: technology and education. They have a firewall, the OS and major apps all have auto-update, and they know what is and is not Safe On The Internet.

We make people take driving exams because of the probability of death and property damage associated with incompetent driving. The internet does not really have the same level of danger associated with it.

As an aside, I would be all in favour of mandatory driving licence re-tests every ten years or so, as well as adding motorway driving, night driving, and skid-pan sessions to the training. That is a lot more likely to make a difference in the real world than reducing the level of spam.

Re:Epic Fail.

You've got a good point, but clearly it CAN work in some cases.

For example, take driver's licences. It should be the same situation you're describing, with the government refusing to hand them out to people it doesn't like and all that, yet clearly, that's not happening: pretty much everyone who wants a driver's licence can get one (and for those who can't, the problem is not a refusal of the government to issue a licence).

I still don't think the GP is right, not at all - he's way over the top, and even if the idea WAS good, it wouldn't work since it'd require immediate total cooperation from every nation on the planet at once -, but you're painting with too broad a brush as well.

Re:Epic Fail.

BFD. Perhaps ISPs will start A) having a use policy that prohibits this kind of activity (most already do), B) they will actually enforce it, and C) they'll check into what kind of customer they're going to have before signing them up.

If ISPs get wary about accepting major new customers without first checking into the experience at previous ISPs, good. If ISPs are frightened about their financial future if they mistakenly accept a spammer into their service, good. If ISPs adopt draconian, "pull the plug first, before the damage is done" policies if spammers ever do make a home on their servers, good.

Heck, when people rent an apartment it isn't uncommon for the landlords to request a reference. ISPs need to stop assuming that because someone hands over the money in advance for some huge amount of bandwidth, it won't matter to the rest of their service if the renter is the equivalent of a crack dealer and the last apartment the customer rented was trashed or burned to the ground.

No, I don't have any sympathy for ISPs that sign up customers "no questions asked" or who don't enforce their own policies until the violation is acute. And if an ISP does run their business that way, they better charge those customers A LOT of money for that kind of discretion, and if the customer causes huge problems anyway, well, that's the kind of business risk you chose to make.

You make it sound like an ISP that suffers because of the activity of their customers is some innocent victim. No, they are complicit either by getting paid off to look the other way or because they were negligent to the point it put their business at risk. It's called bad management.

Re:Epic Fail.

[blueZ3]

Ethics ARE more important than legality.

Personal ethics should prevent you from doing any number of things that are both legal and unethical. And to jump directly to Godwin here: personal ethics should have prevented citizens of Nazi Germany from performing their legally required duty of turning Jews over to the SS.

If your personal ethics don't trump your "legal obligations" then you don't have any.

Re:Epic Fail.

Posting Anon to maintain my moderation but...

This wasn't a generic ISP doing this - they were ACTIVELY assisting the malware operators and not just botnet guys either. Their IPs were well known to host malicious content as well as serve as VPN endpoints to servers elsewhere controlling botnets. When a complaint was properly filed against sites in their subnet their MO was to placate the complaining individual with emails to the effect that action was going to be taken - and then move the content in question to another IP block also owned and operated by the SAME company!

So in your landlord analogy the police - to include feds - ignore your reports of crime including video tapes of the activity. Meanwhile the landlord tells you that yes it's a BIG problem and he'll fix it - by promptly moving the tenant to another apartment in the same building. Oh and it wasn't just one tenant it was dozens and dozens of them.

Your argument against being a vigilante (which I've modded up as it's a good point to make) here would hold more water if you could cite even ONE legitimate client of these people. So far I've yet to hear of ANY business screaming about having been put offline along with the crap dealers. Has anyone?

BLKMGK

Re:Epic Fail.

Drugs are a demand driven problem; attacking supply centers simply leads to more supply popping up.

But if there wasn't a supply in the first place, there wouldn't be a demand problem... or so goes the logic.

So to use your own analogy of the War on Drugs from earlier, if we were to spray all the coca fields in Columbia with herbicides and eliminate or at least cut back cocaine production, the cocaine problem would go away? Hah, hell no it wouldn't, people WANT cocaine, that's why its worth hundreds of millions of dollars. Nobody WANTS spam in their inbox. drugs have an actual demand, spam does not, therefore, decreasing the supply of spam does not automatically mean an increase in price. Go back to ECON 101

Re:Epic Fail.

[dangitman]

Fundamentally, the argument that people keep siding with is "it's okay to nuke an ISP that harbors spammers." This argument is made on emotion -- the frustration we all share about receiving spam and it's negative impact.

They weren't exactly nuked. They violated the contract and Terms of Usage of their upstream ISP. So, their ISP voided their contract. What's wrong with that? It's well within their legal and moral rights. In fact, it's the right thing to do.

I'm not sure why non-spammers would use such an ISP in the first place. And if some innocent users do get cut off, they can easily move to another ISP, can't they? After all - they aren't spammers.

Re:Epic Fail.

But if there wasn't a supply in the first place, there wouldn't be a demand problem... or so goes the logic.

There is neither logic nor common sense applicable to that argument (regarding illegal drugs). First, on a practical level, a sustained 100% effective prohibition has never been implemented (that I know of), and it would need to be sustained for the lifetime of anyone who had used those particular substances (i.e., the risk/dependency/addiction does not go away although it can be indefinietly suppressed). On a theoretical level, people take drugs for reasons beyond 'getting hooked', 'peer pressure', etc. Pain management is one reason not likely to go away. Others are escapism or just a desire to 'party'. Ergo, prohibition is a manage-the-issue approach not a solve-the-issue approach. Some problems deserve a manage-the-issue approach - e.g., - DUI. We won't prohibit the "D" or the "UI" but only joining of the two on public roads.

Re:Epic Fail.

Okay, more seriously though -- if spam wasn't profitable nobody would be doing it. My comparison of the two is based on how people are attacking the problem, not the source of the problem.

"SPAM" can be profitable as an issue and a business without sending spam being effective or profitable. By way of example, much of our spam is people wanting to sell email lists. They claim these are targeted, opt-in lists (almost 100% invariably, a falsehood). This is a person marketing (spamming) to people who themselves may have a desire to market and/or spam. I.e., this is B2B spam. They may be profitable sellings lists of addresses.*** Were we to buy their services and implement accordingly, then we may lose money on it, get disconnected from our ISP, see our email and IPs blacklisted, etc. Our reputation could be tarnished causing the loss of big customers. So, it is entirely possible for the initial spammer to make $1000 selling a list or service while our $ten-million biz goes out business. Does that make spam profitable?! In a microcosm. Just like the rich-long-lost-Nigerian uncle approach works with a vanishingly small % of the population. However, the profitablility doesn't matter until people know - all people know - that spam is the path to ruin. If you already live in ruin - rich, Nigerian uncle - then this approach won't work. More of our SPAM that servives the automatic filters is B2B. IMO, it is the worst, most vile SPAM. It is also the low-hanging fruit of the problem. It could be stopped or greatly reduced by a change in our culture and laws (e.g., repeal CAN-SPAM which would let private individuals sue spammers again).

*** It is also possible the profitable aspect is one link up the chain. E.g., there is a lot money in selling selling. I.e., back in the mail-order era, you could buy a great business plan for $20. The plan amounts to little more than sell the plan you just bought. I.e., it is a non-pyramid ponzi scheme. Some people will always profit by being more persuasive, but on net, it is a losing proposition.

Re:Epic Fail.

[badkarmadayaccount]

Not troll. Totally agree. Please mod up +1.10^10000.

Re:Epic Fail.

[shentino]

Filesharing and botnet operation are hardly equally evil.

Re:Epic Fail.

[DerekLyons]

That depends on one's point of doesn't it?

this is great news

My penis thanks them, my very very large penis which is located in a recently refinanced home, that is.

Now as soon as my good friend MR AUSTINE OWOH is able to complete the transfer of my long lost uncle's estate from probate in Nigeria to my onshore checking account, I will be perfect, perfect with a very very large penis, that is.

Police action?

Doesn't the USA control the root dns servers? can't they block all requests to the offending .ru server?

Re:Police action?

[CannonballHead]

No, only about half of them.

Re:Police action?

[DiLLeMaN]

And even if it were possible to get all the root servers to agree on tossing the bad guys out, the bad guys would just switch to using IPs. I don't know if it's possible, given the "route around obstructions" nature of the net, to "remove" routes to the offending servers, but I doubt that. Besides, that'd have to happen in Russia.

On the other hand, given Putin's heroic track record, he just might personally find and snuff the spammers out. Wasn't there a spammer killed in Russia several years ago?

Shit mail filters

[Idiomatick]

I have gotten one item of spam in the 3...4? years i've had gmail and no false positives. I have some bacn because i'm too lazy to unsubscribe. Now my phone on the other hand... i get about 30calls a day for bs i dont want.

Re:Shit mail filters

[lysergic.acid]

you mean your phone doesn't have a "Mark as Telemarketing" button?

Re:Shit mail filters

[Idiomatick]

Nah i tried the keyphrase "fuck off if you fucking call again I will hunt you down kill you and everyone you ever loved"
 
I got called by another person from the same company exactly 30minutes later. Company was GreenLawn... They also stuck their little 'this lawn was mantained by green lawn watch for poison' signs in my lawn for months. I mean sometimes more than once a week... I bought their service once 2years ago (lawn-aeration). In the end i really wish i had a "Mark as Telemarketing" button but my current system of never answering the phone seems to be working. I gave up last week when i answered the phone and the msg started 'thank you for waiting a sales rep will be with you shortly to...' ON FUCKING HOLD. I also get a lot where the line just goes dead and i get a 2minute long BEEEEEEEP on my answering machine.
 
  Sorry for OT

EMP to oblivion.

[Neanderthal+Ninny]

Or use a modified HARM missile on them.
We should have removed all of the infrastructure, not only removed the connection to the internet, so they don't start over again from another place.
These female donkey anal orifices are like cancer in which you remove one tumor but it metastasize to another site to grow again. We need to remove this cancer from the internet.

Final Solution:

[Duncan+Blackthorne]

Kill them with FIRE. NOW. Before they spread AGAIN.

Re:Final Solution:

I say we take off and nuke 'em from orbit. It's the only way to be sure!

Re:Final Solution:

[Nimey]

I'd settle for a Grand Slam-sized bomb casing filled with a fuel-air explosive or cluster bomblets.

Nice use of Godwin, there. ;-)

Re:Final Solution:

Nuke them from orbit. It's the only way to be sure.

Re:Final Solution:

[pbhj]

the only way to be sure is to nuke them from orbit .. or something

Re:Final Solution:

Nuke them from orbit. It's the only way to be sure.

Re:Final Solution:

Perhaps we should nuke the entire site from orbit?

It's the only way to be sure.

Re:Final Solution:

[jabber]

I say we dust off and nuke the site from orbit. It's the only way to be sure.

Re:Final Solution:

I wish I could mod you down for that...

"Final Solution" and "Kill them with fire"?

Images of The Holocaust, anyone?

Re:Final Solution:

[Duncan+Blackthorne]

Serious, aren't we? Perhaps a bit self-important, too? Sheesh.

So who was the smart guy

[slashdotlurker]

who let them back up ? Contracts be damned.

Re:So who was the smart guy

One more reason to boycott TeliaSonera. As if their previous criminal (CSO) activities and the current service disruptions where not enought...

So what's YOUR solution?

[SIGBUS]

Just let the spammers, malware pushers, and con artists clog up the net?

The real question is, who's protecting these scumbags and why? Why has it taken so long to do anything about them?

Re:So what's YOUR solution?

[girlintraining]

1. I don't have a solution, I'm just considering the ethical aspect.

2. I'd rather deal with spam, malware, and con artists clogging the internet than vigilantes blowing holes in it.

3. As to who's protecting them -- it's not a question of who but what. In this case, economics.

4. It has taken this long because until now people were restrained by ethical considerations prevalent within the community. However, a certain moral flexibility seems to be developing now out of frustration. This can only end badly.

Re:So what's YOUR solution?

[Cajun+Hell]

The real question is, who's protecting these scumbags and why? Why has it taken so long to do anything about them?

As long as people keep opting-in to running botnet nodes, we'll have this problem. Don't like it? Stop participating in the botnet.

Re:So what's YOUR solution?

1. We guessed that.

2. I would not

3. Not any longer

4.This is not the first ISP to be cut off for spamming.

5. you have no point.

6. When you finish your training, god knowa you might have clue.

Re:So what's YOUR solution?

[st0rmshad0w]

1. I don't have a solution, I'm just considering the ethical aspect.

What is unethical about pointing out MASSIVE violation of terms of service by an ISP to their provider? The ISP has a duty to obey the terms they agreed to, and if it can't or won't it gets cut off. Just like you or I would get cut off by our upstream for violating whatever agreement we may have in place.

2. I'd rather deal with spam, malware, and con artists clogging the internet than vigilantes blowing holes in it.

Considering the sheer cost of cleaning up this bullshit, I doubt many share the same opinion. And the intenet was designed to route around holes in it. Theoretically at least.

3. As to who's protecting them -- it's not a question of who but what. In this case, economics.

No. There are definately quite a few "who"s in this mix. Like the greedy bastards who look the other way while their customers commit felonies. They are accessories to the crimes of their clients if they don't cut them off for their criminal bullshit.

4. It has taken this long because until now people were restrained by ethical considerations prevalent within the community. However, a certain moral flexibility seems to be developing now out of frustration. This can only end badly.

Are you kidding? People have been black-holed for decades on the internet for stuff like this.

WHERE IS THE ETHICAL ISSUE WITH TELLING A PROVIDER THAT THEIR CLIENTS ARE IN GROSS VIOLATION OF THEIR ACCEPTABLE USE POLICY????

Or worse.

Either they need to act on it when its pointed out or they will find themselves having to screen their traffic for content because of some cockamamy law passed because they were KNOWINGLY looking the other way while the sold space to kiddy-porn traders after numerous people pointed it out.

Re:So what's YOUR solution?

[rhizome]

"Girl" is not the only thing you're in training for, apparently. What are the ethical aspects of making scattershot assertions without citations or even replies to people who point out weaknesses in your argument?

Re:So what's YOUR solution?

[girlintraining]

> What is unethical about pointing out MASSIVE violation of terms of service by an ISP to their provider?

Nothing at all. The problem comes when the upstream provider violated their contract with the customers that may have been using the service in accordance with the TOS but lost their service due to being in the wrong place at the wrong time. Which, if you want to split hairs, is principally the fault of the provider and possibly to a lesser extent the person reporting the problem because they provided false information. I say possibly because I don't know what information was provided.

> Considering the sheer cost of cleaning up this bullshit, I doubt many share the same opinion. And the intenet was designed to route around holes in it. Theoretically at least.

I am glad, then, that the decision is not theirs to make. Besides, most people think they're above average drivers too...

> No. There are definately quite a few "who"s in this mix. Like the greedy bastards who look the other way while their customers commit felonies. They are accessories to the crimes of their clients if they don't cut them off for their criminal bullshit.

You can't say they shouldn't help RIAA enforce their copyright by booting you off your connection for P2P, then turn around and say they should police people for spam. They're common carriers; It means they're not responsible, nor should they be. If we start down this road, the internet as we know it ends.

> Are you kidding? People have been black-holed for decades on the internet for stuff like this.

Citation needed.

Look, the solution here is laws not vigilantism... Because the simple truth is no matter how good you are sooner or later you're going to fuck it up. The law ensures that when this happens, there's recourse. A vigilante will just disappear into the night with the words "I'm sorry" on his/her lips. And not only that, but the entire tone of your response rather underscores the need to get emotion out of this situation and the justice system is far better suited to this than your "Let's get a posse together and ride" solution.

Re:So what's YOUR solution?

[girlintraining]

> What are the ethical aspects of making scattershot assertions without citations or even replies to people who point out weaknesses in your argument?

I can't comment on that, but judging by this thread I'd say it's a very popular thing to do. I mean, even the "researchers" who did this made some pretty far-reaching assumptions in considering what actions to undertake. And considering this is a discussion on the ethics of something, citations are not strictly required... As to replies, I reply to those who I think make good points -- which as you can see, I've made over a dozen replies so far.

And about your quip ahead of the question... Kindly go to hell, jerk.

Re:So what's YOUR solution?

[DaveV1.0]

The problem comes when the upstream provider violated their contract with the customers

The upstream provider's customer was McColo, dumbshit. It was McColo is the one that had contracts with customers and it was McColo that broke the contracts by getting itself disconnected from it's ISPs. The people at fault are McColo's management and the spammers, malware hosters, and other evil, criminal fucks.

Look, the solution here is laws not vigilantism

The solution is to report bad behavior that violates Terms of Service, which is part of the contract between the parties in question. You know, that legal document that governs their relationship. It is part of those laws you are talking about.

Did it ever occur to your stupid ass that people fell back upon their recourse of reporting the offending provider to there provider? Oh wait, I forgot, you only care about recourse for the spammers and other assholes.

You are a serious dumb ass.

Re:So what's YOUR solution?

[georgewilliamherbert]

> Are you kidding? People have been black-holed for decades on the internet for stuff like this.

Citation needed.

Canter and Siegel were kicked off their ISPs in decently short order 14 years ago (1994) after starting to spam. See:
https://secure.wikimedia.org/wikipedia/en/wiki/Canter_and_siegel

Anyone familiar with the history of spamfighting will be able to point to numerous examples every year since then, of escalating size and complexity.

Look, the solution here is laws not vigilantism... Because the simple truth is no matter how good you are sooner or later you're going to fuck it up. The law ensures that when this happens, there's recourse. A vigilante will just disappear into the night with the words "I'm sorry" on his/her lips. And not only that, but the entire tone of your response rather underscores the need to get emotion out of this situation and the justice system is far better suited to this than your "Let's get a posse together and ride" solution.

Vigilantism is acting extrajudicially AND illegally as a community group to right a wrong or combat a criminal. It's an inappropriate model here - the response was entirely legal. It was done by people who, contrary to your assertion, were openly identified and stood and stand by their information.

If people were assassinating botnet operators or burning McColo datacenters down, THAT would be vigilantism. This is just community response.

Re:So what's YOUR solution?

[DaveV1.0]

1. No, you are not considering the ethical aspects. You dont' seem to have any concept of ethics or morals.

2. Vigilantes did not blow holes in the internet. That statement shows your complete lack of understanding of the internet. They reported abuse of service and violation of terms of service. And, the upstream providers exercised their legal rights.

3. It was McColo that was protecting the scammers and spammers. Ignorance is what protected McColo.

4. No, it has taken this long because no one brought McColo's activities to the attention of McColo's ISP. Once that happened, McColo was disconnected.

The only person showing moral flexibility around here is you. Your ignorance is the reason you think "This can only end badly".

Now, please, shut the fuck up.

Re:So what's YOUR solution?

[st0rmshad0w]

The problem comes when the upstream provider violated their contract with the customers

They haven't violated their contract to their customers, they violated their contract with thier upstream provider. Completely different things.

that may have been using the service in accordance with the TOS but lost their service due to being in the wrong place at the wrong time.

I can sympathize but if you want to be a customer of an ISP that behaves so poorly that its own providers tell it to go to hell than I can't have much sympathy. You do know that the offenders are limiting YOUR bandwidth too right?

Which, if you want to split hairs, is principally the fault of the provider and possibly to a lesser extent the person reporting the problem because they provided false information. I say possibly because I don't know what information was provided.

No, the fault is ENTIRELY that of the ISP failing to police its customers' behaviour. The upstream provider has ZERO blame for enforcing its terms of service, and the reporting party doesn't either. Everything done was entirely legal.

Reporting party: "Hey I've notice a crapton of SPAM, viruses and malware coming from your IP block"

Upstream provider: "Holy Crap! Yeah that is way outside acceptable use"

Upstream cuts of the offender for violating their agreement.

What's wrong with that?

I am glad, then, that the decision is not theirs to make. Besides, most people think they're above average drivers too...

Actually the decision IS mine to make in places where I manage the network. I have numerous blacklisted IP blocks of known hostile networks and SPAM/malware sites. I protect my clients at the level I am governing. Higher up the chain, other net admins will be doing the same whenever an ISP doesn't smack down its malicious users.

Incidently, infecting systems with botnet crap is a felony. Has been for years.

You can't say they shouldn't help RIAA enforce their copyright by booting you off your connection for P2P, then turn around and say they should police people for spam. They're common carriers; It means they're not responsible, nor should they be. If we start down this road, the internet as we know it ends.

1) I never mentioned P2P or any of that crap but if I violate my ISP's terms of use they are free to cut me off

2) ISPs are NOT common carriers, educate yourself

3) They ARE responsible insofar as their provider's acceptible use policy is concerned. Violate it and get cut off.

Citation needed.

Wow, how long HAVE you been on the internet anyway?

Look, the solution here is laws not vigilantism...

Law: Computer Fraud and Abuse Act (among others) makes infecting systems to be part of a botnet a felony. Also things like the CAN-SPAM Act have criminalized SPAM. There are laws, but getting anyone caught and prosecuted when the are sitting in the middle of the Ukraine is kindof difficult.

Because the simple truth is no matter how good you are sooner or later you're going to fuck it up.

Not if all you are doing is telling a provider to "look over there" and they check it out and only act on it if what you say true.

The law ensures that when this happens, there's recourse. A vigilante will just disappear into the night with the words "I'm sorry" on his/her lips. And not only that, but the entire tone of your response rather underscores the need to get emotion out of this situation and the justice system is far better suited to this than your "Let's get a posse together and ride" solution.

The law does no such thing when the perpetrators are outside its jurisdiction. And there are no vigilantes as everything was done within the bounds of the law. Your ignorance is astounding. The tone of my respons

Re:So what's YOUR solution?

[Achromatic1978]

What is unethical about pointing out MASSIVE violation of terms of service by an ISP to their provider? The ISP has a duty to obey the terms they agreed to, and if it can't or won't it gets cut off. Just like you or I would get cut off by our upstream for violating whatever agreement we may have in place.

It is not your ethical or moral duty to police a civil contract between two third parties, and if your actions cause a material loss to either party, even if they were in violation of their contract, they can turn around and sue you for damages for tortious interference. Have fun with that.

Re:So what's YOUR solution?

[st0rmshad0w]

Actually, its my PROFESSIONAL duty. Good luck suing me for pointing out that you are committing a felony to your provider. I have the feds computer crimes department on speed-dial.

If a shit-ton of malicious crap and SPAM/malware are coming into MY client's network (causing ME and MY CLIENTS a material loss), or if my client's systems have been infected with a botnet controlled from YOUR IP space(a felony), it is your responsibility to address that when I tell you about it. If you don't I'll talk to YOUR provider. Or would you rather I call the FBI and tell them you're systematically attacking my client?

I don't even have to be involved actually, I can just tell MY client's providers (some of which are backbone providers) what I see coming from YOUR network and they have entire departments to deal with that type of shit. So you can fight Level 3 and Verizon for all I care. Your customers are attacking their customers, they can cut you off just as easily.

Re:So what's YOUR solution?

[MeNeXT]

It's called contract law and you need to abide by it's terms. If the ISP was taken off-line without merit then legal recourse is available to recuperate any loss. TOS is part of a binding contract.

Now I'm up for publishing IP's of the botnets control centers so we can DoS them. Once your address is in one of these lists it just gets unbearable. Especially since there is no way to stop a spoofed add.

Re:So what's YOUR solution?

[_Sprocket_]

Look, the solution here is laws not vigilantism... Because the simple truth is no matter how good you are sooner or later you're going to fuck it up. The law ensures that when this happens, there's recourse. A vigilante will just disappear into the night with the words "I'm sorry" on his/her lips.

The problem is that you're confusing this with vigilantism. This wasn't a single vigilante passing judgment and then disappearing in to the night. These were individuals reporting the crime to the upstream host. The upstream host then took that evidence, reviewed it, and acted on it using a very legal mechanism - their contract with the ISP. Law is being upheld.

Re:So what's YOUR solution?

[WTF+Chuck]

It is not your ethical or moral duty to police a civil contract between two third parties, and if your actions cause a material loss to either party, even if they were in violation of their contract, they can turn around and sue you for damages for tortious interference.

Quite correct, but I am not excluded from pointing out possible violations because I am a third party either. As for my actions causing a material loss to either party, that would only happen if I were providing false information. That scenario could lead to many charges, none of them being "tortious interference". The only way I could be charged with tortious interference is if I do something to actually block the fulfillment of the contract, such as hack in to the alleged offenders machines and commit the TOS violation myself, or hack into the service provider and disconnect the alleged offender myself.

When an upstream provider receives a complaint about one of their clients, they can choose to ignore the complaint, or act upon it. If the provider acts on the complaint without first investigating whether the complaint is legitimate, then it is the provider at fault for breech of contract for not ensuring that there was a TOS violation before terminating the account for a TOS violation.

Re:So what's YOUR solution?

[Achromatic1978]

Not quite. Though grossly oversimplified, one of the issues discussed in the movie The Insider was tortious interference by CBS in "inducing" Dr Wigand to break his confidentiality contract with his employer. Ironically, the truer the statements, the greater the damage done. If he was lying, then there's alternative recourse in defamation, etc, but "truthiness" (sorry Stephen Colbert) has very little to do with tortious interference, but you providing information to a party in a contract to induce them to break a contract with another party is interference. That the contract can also be broken within the confines of its conditions is a separate matter (they can terminate service due to a TOS violation and there be no recourse between the parties - but the fact that you induced the termination of service opens you up to damages).

Re:So what's YOUR solution?

Your argument is totally off-base, and frankly your sense of morality is suspect. You keep throwing around the word "vigilante", which has nothing to do with this situation.

Consider another situation similar to this one, this is something that I did personally. There's a website called w3schools.com that hosts a bunch of beginner tutorials and references for web languages like HTML, Javascript, etc. It's a popular site, very high on search engine rankings etc, and it's run by a family from Norway. They post pretty obvious copyrights to their material.

Another user of the site found an obvious copy of the material on someone else's site and posted the URL in the w3schools forum. The fake site was hosted on the freehostia network. After looking over the site and reading through the terms of service for freehostia accounts to look for copyright clauses, I sent a couple emails to freehostia informing them that they had an account with a breach of the terms of service because it was an obvious copyright abuse. They agreed, and removed the account. Read all about it here:

http://w3schools.invisionzone.com/index.php?showtopic=20659

Is that your definition of "vigilante justice"? Because it's virtually the exact same thing that happened with the McColo network. If you think that it is somehow immoral or unethical to report people engaged in immoral or unethical behavior, then I think your sense of morality needs a little tuning.

Re:So what's YOUR solution?

>If people were assassinating botnet operators or burning McColo datacenters down,
>THAT would be vigilantism. This is just community response

That would be sweet!

Re:So what's YOUR solution?

[st0rmshad0w]

they can terminate service due to a TOS violation and there be no recourse between the parties - but the fact that you induced the termination of service opens you up to damages

How is that even possible? How can you be liable for presenting the exact same factual evidence to an ISP (for it to use in an internal fashion to address the issue) that you would present to a federal LEO (for it to pursue a criminal complaint against the offender), which would likely result in the exact same action once the ISP is made aware of the criminal investigation and the evidence.

So you can be held liable for actions that a party takes in response to you filing a legitimate complaint?

The law is seriously bizarre.

The solution is anarchy

The solution is to have a free for all, whereby vaccine writers are free to play by the same rules as virus writers.

One way to knock out the botnet would be a write a viral vaccine that infects the PC, knocks out the bot, plugs all known holes then attempts to infect all other PCs with itself. If it hasn't managed to get a successful infection after a period of time it takes that as an indication that it has been successful and it eliminates itself from its host.

Re:The solution is anarchy

[pitchpipe]

The solution is to have a free for all, whereby vaccine writers are free to play by the same rules as virus writers.

Can I test out the "solutions" first on the network you manage.

Re:The solution is anarchy

[DarkOx]

Do you remember just a few years ago the "MS Blaster" fiasco?

Do you remember "Welchia" I think it was called. It was just that it removed Blaster and then tried to spread itself the same way. In the end Welchia was a troublesome for network operators as "MS Blaster" itself. It was terrible.

Re:The solution is anarchy

[TheSpoom]

Yeah, I remember doing tech support for systems infected by both. What I don't get about Welchia is that the worm had the same problems as Blaster in that it would cause the RPC service to die, forcing a reboot of the machine repeatedly. You'd think they would have caught that before they sent it out...

Re:Epic Fail

[Falconhell]

Yes, yes you did epic fail.

"legitimate commercial enterprise"

If you are so keen on this "enterprise", post your email address and we will see how you feel about getting a thousand spam emails a day.

Frankly, it is time that Russia was pulled into line on this matter. An international incident might be just the thing to do this.

If you allow your PC to be infected by trojans, your privacy just went out the door anyway. Why would you care if researchers looked at your stuff when criminals already can????

Re:Let's turn TeliaSonera into a smoking crater ne

they're down! forget slashdotted, they're internetted!

ITT: Spammers BAAAAAWWWWING

[slyborg]

I assume this is a troll. The takedown was hardcore and more or less triple-damage win. Props to the guy from the Post are what is in order.

It's not the data, it's the cooperation.

[khasim]

This pretty much shows how certain ISP's help spammers. Particularly since they did not IMMEDIATELY bring up their backup link. Instead they waited until the weekend.

Re:It's not the data, it's the cooperation.

[xenobyte]

Well, the issue is that as long as the spam doesn't originate from the ISP or the spamvertised sites isn't hosted on the ISP, it can be really hard in certain countries to get rid of a malicious customer.

Sure, in this case there's no doubt the ISP was very much a part of the evil operation, but some ISPs find themselves between a rock and a hard place if their customers only host nameservers or what turns out to be C&C servers because they might not be able to terminate the hosting contract prematurely due to the activities not being illegal according to local law, nor is it listed in the law regarding spamming and similar rogue advertising. And it might be that you cannot enforce a contract termination based on perceived damage unless some law is broken.

I've worked at such an ISP and we found ourselves unable to get rid of a client (a subsidiary of a corporation that had another porn spamming subsidiary) who only hosted nameservers on our networks. As a nameserver is pretty innocent in itself, we could not terminate them. The only damage they were causing was the blacklisting provided by the vigilantes in SPEWS and that just wasn't enough for an early termination.

Maybe is good news

[gmuslera]

If most of internet spam is sent by very few people, and all this movement of information enables to track them better and maybe, finally, get them, the people source of most spam could end offline (and with a bit of luck, in guantanamo/siberia/wherever waterboarded 24/7)

Re:Let's turn TeliaSonera into a smoking crater ne

[Goaway]

Er, you can't communicate with a botnet with a harddrive, you know.

Re:Let's turn TeliaSonera into a smoking crater ne

[Dachannien]

Damn you! No, I didn't click on the link, but now thanks to you, I've got beans up my nose.

Re:Let's turn TeliaSonera into a smoking crater ne

[Cyberax]

Nuke them from orbit. It's the only way to be sure.

Sadly, it's true :(

Re:Let's turn TeliaSonera into a smoking crater ne

[aproposofwhat]

Apparently TeliaSonera shut down the link as soon as they realised what was happening - the contract was through a proxy company.

See the Register article for more details.

So we can't really blame TeliaSonera.

Why the spamming bastards didn't just courier a hard drive to Russia instead is a mystery, though.

Re:Let's turn TeliaSonera into a smoking crater ne

[moderatorrater]

During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia

The massive amounts of data they were talking about were being pushed to other servers, so they could have done that work with a hard drive. However, it also says that the botnet was updated. Assuming that the botnet couldn't have been updated from those same russian servers, they could have done any number of things, including any number of regular internet connections to buildings nearby or satellite/cellular internet service.

I doubt, however, that the data center was a single point of failure for them. The idea that the malware builders can build massive botnets with distributed architecture that elude understanding by security researchers, but they can't figure out how to make it so that they can run it from a backup data center, seems unlikely to me.

Shipping jobs overseas

It's not like it's going to really stop spam, child pornography, or identity theft.

All that bandwidth used by spam keeps a network admin employed somewhere, and keeps the justice department busy prosecuting people under the can spam act.

Russian C&C is Actually Less Desirable

[CodeBuster]

The use of a server located in Russia for C&C of the botnet is probably not as desirable as a US based host because of the large numbers of companies and ISPs which either black hole China and Russia entirely or subject traffic coming from and going to those parts of the Internet to much greater firewall scrutiny. I can see why they wanted the US server hosting in the first place while keeping the Russian datacenter as the backup plan.

Re:Russian C&C is Actually Less Desirable

[Surreal+Puppet]

Yes, but couldn't you just have two layers of C&C? Using socks proxies on bots running on home computers spread out over tier-3 ISP IP pools that doesn't blacklist "bullet proof" countries, combined with a few cheap colocated hosts inside US borders for data storage, communicating back to hosts on safe territory is the method i would use if i wanted to use the simplest, cheapest and most reliable method, and wasn't the sharpest knife in the drawer. The really sharp solution would be to have a storm-like P2P botnet architecture with irregularly steganographed and encrypted connections back to C&C servers on safe ground (Eg, even if the "mothership connections" where discovered, they would look like they where coming from disparate botnets.) I think such a system could be maintained for the foreseeable future, as long as you keep adding new steganographic methods to the pool.

Re:Let's turn TeliaSonera into a smoking crater ne

[Nimey]

The article said they had to update the command & control data for the botnets. The 'nets won't let just any computer control them, and this Russian server probably wasn't on the master list, so they needed to get back online with their old DNS hostname first.

shi7!

took Precedence

C&C server blocked by ISPs?

[LackThereof]

It appears that the new C&C server listed in the article, 62.176.17.200, has been blackholed by my ISP's routers. I'm on a Qwest "business/office" ADSL line. Any similar reports from other ISP's?

Or is it actually down?

If most American ISPs are blocking it, Rustock is dead, or at least in a coma. TFA implied that the IP address was being distributed to the bot, not the domain name.

Re:C&C server blocked by ISPs?

[gad_zuki!]

The traceroute shows the connection dying before it even hits the trans continental cable. If it was down it would at least get to russia. I think ISPs are blocking it, and rightly so. AT&T DSL btw.

Re:C&C server blocked by ISPs?

Blackholed at a US university and several other home/business connections. At least, for the time being, the russian server is being filtered out by many ISPs.

Re:C&C server blocked by ISPs?

[linuxwebadmin]

traceroute to 62.176.17.200 (62.176.17.200), 30 hops max, 60 byte packets 1 _ 0.469 ms 0.323 ms 0.211 ms 2 _ 0.673 ms 0.801 ms 0.744 ms 3 10.134.0.1 (10.134.0.1) 20.591 ms 25.241 ms 29.104 ms 4 vistaggc01-gex0916.sd.sd.cox.net (68.6.11.70) 36.988 ms 36.993 ms 37.822 ms 5 fed1sysc01-gex0903.sd.sd.cox.net (68.6.8.108) 39.141 ms 43.944 ms 43.929 ms 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *

Re:C&C server blocked by ISPs?

[CoolQ]

Dies for me at my ISP's border router; I've never seen a traceroute die so fast. Only 2 hops before it goes dead. It makes me think that the global BGP tables are blackholing the subnet.

I checked a bunch of BGP looking glasses and they all report "Network not in table", as in there are no global routes for that IP address.

--Quentin

Re:C&C server blocked by ISPs?

[Atario]

Looks like lots of places are blocking them.

Re:C&C server blocked by ISPs?

It appears that the new C&C server listed in the article, 62.176.17.200, has been blackholed by my ISP's routers. I'm on a Qwest "business/office" ADSL line. Any similar reports from other ISP's?

Looks like it is blocked here too (TeliaSonera Sweden)

Re:C&C server blocked by ISPs?

Its blackholed from access by Penn State's network. A traceroute shows that it gets stopped before it leaves the Penn State network

Re:C&C server blocked by ISPs?

[iocc]

It simply doesnt exist in the global routing table right now.

# sh ip b 62.176.17.200
% Network not in table
# sh ip b 62.176.0.0/19
% Network not in table

Reinventing government?

[Ungrounded+Lightning]

In order to govern the net (and to coin another useless buzzword) we need Government 2.0.

Reinventing government? Let me guess...

  1) Without that pesky Bill of Rights.

  2) Online (where malware authors can take it over).

Thanks but no thanks.

Re:Reinventing government?

Because the Bill of Rights is so healthy right now, with Dick Cheney guarding it for us, right?

And online, in an open transparent structure, is so much more vulnerable than some smoke-filled room where lobbyists make all the decisions for us?

Which Federal Wirefraud Law Did McColo Just Break?

[cmholm]

So, the dickheads at McColo went out of their way to reopen a link, just in time for their Russian Mafia buddies to rehost their shit. Thinking of research topics off the top of my head, I wonder if I could match the actions at McColo to 1) Wire Fraud, or 2) RICO. A conviction on either leads one straight to a Federal Pound-You-In-The-Ass prison, and no parole.

Re:Let's turn TeliaSonera into a smoking crater ne

[LackThereof]

I think you are exactly right.

The delay in bringing up the backup server was probably because they were waiting for the old IP to get flushed out of DNS server caches. They probably knew it wasn't going to last long before they got shut off, so they wanted to make sure every bot could find them while they were up.

Re:Let's turn TeliaSonera into a smoking crater ne

TeliaSonera I seem to recall is one of the ISPs used by RapidShare. What might be the repercussions if someone goes after TeliaSonera?

Re:Which Federal Wirefraud Law Did McColo Just Bre

[cmholm]

I realize that there are others who are already more than knowledgeable about McColo. I just wanted to add an observation from a look at McColo's "about" page archived on the wayback machine: the site designer links back to a Russian domain, and the corporate address is a drop box in Delaware. It wouldn't surprise me if the only US-based "employees" were a handful of independent contractors swapping equipment out at the San Jose data center.

Is SPAM still that successful?

It's weird when I read stories like this, and makes me question the sucess rate of SPAM anymore. With end-user products seemingly getting a little better each time at filtering, along with pretty damn good filters in products like Gmail, and corporations usually ponying up some big bucks for a good filtering service (e.g. Messagelabs), it makes you wonder who's still successful at the SPAM game?

And yes, for the record, I'm strictly referring to SPAM here. Botnets controlling spyware/malware I'm certain are still VERY sucessful, which still sucks for the masses.

I honestly can't remember the last time I got a SPAM message in any Inbox. Definitely a refreshing change from back in the day when I used to receive more spam to my personal account than 100+ mailboxes combined at work...Am I alone here in my SPAM-free world?

Re:Is SPAM still that successful?

SPAM (all caps) is the trademarked name of a meat product by Hormel Foods. Now, if you're talking about unsolicited bulk email, that's Spam or spam.

Re:Is SPAM still that successful?

[the_womble]

Quite right, but why should I use all caps for a name? Is SPAM an abbreviation for something? No its a name, and is should be Spam, and bulk email spam (unless it is the first word in a sentence).

I hate names with stupid capitalisation, random punctuation in the middle of a name, etc. As for weirdness like C# and TeX....

A better solution is available

[Patrick+May]

Nuke the entire site from orbit. It's the only way to be sure.

Re:A better solution is available

You mean Russia?

We're already working on it ;)

Not vigilantism

[SethJohnson]

2. I'd rather deal with spam, malware, and con artists clogging the internet than vigilantes blowing holes in it.

Girlintraining,

I don't mean to insult you, but you are commenting from a position of ignorance on this topic. There was no vigilantism here. Illegal activity was taking place that also violated contracts between corporations. Third-party complainants contacted both corporations to complain of the illegal activity and contract violations. The corporations chose to dissolve their contractual relationship. Nobody was hurt as a result of the complaints that were levied.

If you do understand this topic, and you are aware of specific innocent customers that were harmed by the upstream providers terminating service to McColo, then you should easily be able to provide a Whois reference for one of these innocent customers.

Seth

Shh, can you hear that strange noise?

[hack++slash]

That's the sound of rejoicing from all the people who make their living from selling anti spyware/malware/spam software/hardware...

(I was going to write "solutions" instead of software/hardware but they haven't actually solved anything, people are still and will forever be infected/bombarded)

Spam bots, Pirates, Global Warming

[tacocat]

OK, we have more pirates thanks to Somalia. But I don't think it's helping global warming as much as we had anticipated.

And now this...

It's pretty clear that the policies and practices that are being implemented around the world are totally insufficient to deal with the return or rise of the anarchists that have been around since Robin Hood, Blackbeard, and Ali Baba.

I hate to mention this but I'm thinking that some of these won't be solved by saying, "Please stop". We are reaching a tipping point between the notion of preemptive military strikes and politically based solutions.

Russia is not proving itself a very effective government and actually a festering zone for illegal activities. Can't we just launch a DDOS against .ru and be done with it? I'm pretty sure the rest of the world outnumbers those jerks.

Of course the governments can claim no involvement of this activity but extend a willingness to discuss how to resolve a DDOS on .ru in a peaceful manner.

Similarly, this political/legal gamesmanship around Somalia is a joke. I see no reason why a nation cannot exercise any means necessary to protect their own shipping, or others with there permission.

It's a joke. And the mob, gangstas, and terrorists will take all of this to their fullest advantage.

So how hard would it really be to DDOS a nation if brought on in a multi-national deployment?

Re:Spam bots, Pirates, Global Warming

[Electric+Eye]

I absolutely agree with you. Frankly, there is very little, if any, legitimate traffic coming out of Russia. I think most ISPs should unilaterally cut off any communications from any IP from Russia. And part of me wants to extend that block to China as well.

Re:Let's turn TeliaSonera into a smoking crater ne

[petermgreen]

teliasonera are huge (according to wikipedia they are transit free but with paid peering, what I tend to reffer to as a wannabe tier 1 ) and afaict they pulled the plug on this as soon as they worked out it was mccolo on the other end. I very much doubt there will be any serious repercussions for them.

Re:Let's turn TeliaSonera into a smoking crater ne

This is almost too stupid a post to bother replying to, so I'll do it anonymoosely

Duh you connect the drive to the new server and then connect to the botnet. Asshats abound here don't they.

Why was this allowed to happen?!

[erroneus]

How did they get back online? Even if it was for just a short time, being able to re-activate their botnet this way?

I am rather "done" with the question about whether or not it is immoral to go vigilante on their asses. It is immoral to let things go on without doing anything about it and so you're damned if you do and damned if you don't... but if you do, at least a problem will have been fought and maybe some useful difference made.

Re:Why was this allowed to happen?!

I am rather "done" with the question about whether or not it is immoral to go vigilante on their asses. It is immoral to let things go on without doing anything about it and so you're damned if you do and damned if you don't.

So stop talking and do something about it already or STFU.

Re:Why was this allowed to happen?!

[gujo-odori]

Someone who works at Telia told me this happened because McColo had had a long-standing backup connectivity contract with Telia, and McColo activated the backup provision on a Saturday afternoon on the belief, it is surmised, that anybody who could do anything about it would not be working weekends and they'd be safe until Monday. Wrong. As soon as the routes appeared, contacts at Telia were alerted and they very quickly escalated it to senior management, who returned a verdict to disconnect them. Before this happened, Telia was unaware of who McColo was, but the found out in a hurry and took decisive action.

As far as anyone claiming there was a moral problem goes, they're on crack. The moral problem was in GBLX and HE knowing full well for a very long time what McColo was and doing nothing until the whistle was blown on them by a major media outlet was the moral problem. Taking action to disconnect McColo under their terms of service was neither immoral nor vigilantism. It was an open and shut case of enforcing long-ignored terms of a contract.

As far as vigilantism in general goes, it is most commonly seen when the normal channels are ineffective, so it would have been warranted in the McColo case (but to reiterate, cutting them off for TOS violations is not vigilantism), and IMO the only thing wrong with actual vigilante action is that it tends to suffer from an accuracy problem. As long as the recipient of vigilante justice is the actual perp, it doesn't bother me much. Vigilante justice is still justice.

From Orbit!

Nuke them from orbit...it's the only way to be sure.

Yep, Verizon too.

[dreamchaser]

Tracing route to 62.176.17.200 over a maximum of 30 hops

    1 1 ms 1 ms 1 ms x.x.x.x
    2 4 ms 4 ms 4 ms x.x.x.x [x.x.x.x]

    3 P2-2.LCR-02.PITBPA.verizon-gni.net [130.81.32.202] reports: Destination host unreachable.

Re:Yep, Verizon too.

[fnj]

Comcast has given them the finger too. Yay.

I know....

[jnnnnn]

Let's block Russia!

Re:Let's turn TeliaSonera into a smoking crater ne

[adolf]

If it's DNS hostnames you're worried about, I've got some ocean-front property in in-addr.arpa to sell you . . .

ISPs should let customers control ports a la carte

[davidwr]

If ISPs enabled customers to block incoming and outgoing traffic at the ISP level on a per-port, time-of-day, per-authentication-token, or other basis, botnets would be greatly weakened.

If I, as a customer, say "allow port 80 and 443 outbound 24x7, IRC ports in and out 4PM-1AM and 6AM-8AM M-F + weekends, 25 only within the ISP's Walled Garden, ftp main 24x7 ftp data only when ftp main active, all other ports blocked 24x7" then no matter what virus gets on my computer, it can't send through port 25 to anywhere but your server and it can't connect to IRC bot-rooms while I'm at work or in the wee hours of the morning.

Now, for unsophisticated users, the ISPs would have to have a "wizard" that with the right password opened ports based on what applications you had installed and what applications you installed in the future. This wizard would likely only be created for "popular" OSes typically run by non-techies.

The "authentication token" could be per-machine, per-user, or per-application, but these would require some level of deep packet inspection and custom client software on either the computer or the LAN router.

And so...

[TFGeditor]

Killing a spam/malware friendly site or ISP is worth the collateral damage, IMO.

Anyone hosting with a spammer-friendly ISP should know better.

Meanwhile, my mail server firewalls "the world" against all connections from sources with whom we have no legitimate business. Cuts spam by 95 percent or better.

Flame on, those with Utopian delusions who do not get it.

McColo isn't a real ISP

[Animats]

McColo doesn't seem to have been a real ISP. Or even a real company. They don't have a valid corporate registration in California or New Jersey. They were apparently a front for the spam operation, buying services from Hurricane Electric.

Their web site was designed by Vane, in Russia. They still have some connection to McColo. Go to the Vane site (preferably not using IE on Windows) and look at the icons of the various companies with which they are affiliated. Go to the row of vertical bars at the center right, second row. Mouse over the blank area just above the bars. You'll get some Cyrillic with "McColo" in Latin text. Click on the hidden link. This will take you to an animation which brings up an image of the McColo site. Items within that animation are clickable. A bit of work will get you to the number of McColo's "sales manager". But there's no way to order hosting on line; they were never really selling ordinary hosting services.

Re:McColo isn't a real ISP

This will take you to an animation which brings up an image of the McColo site. Items within that animation are clickable.

It's not an animation but an image gallery (apparently screenshots of McColo webpages), and items in the images are not clickable. You can only go forward and backward in the gallery. As I understand it they're citing McColo as a reference because they did artwork for them.

Re:McColo isn't a real ISP

For what it is worth, here is the number 1 914 455 5598.
Which is of course the contact number they had on their who is

Re:Let's turn TeliaSonera into a smoking crater ne

Duh you connect the drive to the new server and then connect to the botnet. Asshats abound here don't they.

They don't connect to the botnet, the botnet connects to them. That's why they needed McColo back up, so that the bots could get new instructions on where to look. And oh yeah I almost forgot: Duh.

Think of the poor henchmen...

... who is now sitting at home, unemployed. He still remembers the time when his boss, Guri Orlovsky, called him from Russia: "ah my good friend! I will send you caviar and vodka for your vork ! Now change the harddrive !"
It was such a happy time for him... Now he no longer has this job...
Won't somebody think of the henchmen!

Sniff...

...

not really

Re:Let's turn TeliaSonera into a smoking crater ne

How would that be any better than using a new server, since TeliaSonera would give them a different IP address then they used to have?

Profit!

[KlausBreuer]

Hey, here's an ideal way of making a profit on these people: The War On Piracy!
Bomb them! Send the army there! Spend trillions of dollars! ...and this time, actually have the support of the public for it!

Re:Let's turn TeliaSonera into a smoking crater ne

The massive amounts of data they were talking about were being pushed to other servers, so they could have done that work with a hard drive.

You said "servers", plural, so you should have also said "hard drives", plural.

Doing the same job with a hard drive might've taken a really long time, worn out a ton of philips screwdrivers, and required physical access to a lot of places where physical access is unauthorized.

Spamhaus DROP list

[MadMidnightBomber]

Spamhaus Don't Route or Peer

abilena.podolsk-mo.ru isn't resolving for me right now, but DROP list is worth using.

Re:Let's turn TeliaSonera into a smoking crater ne

[Goaway]

ISPs at that level don't really work like your home DHCP setup, you know. They probably own their own IP blocks, and can route them through whatever provider they choose.

So make it last

[hesaigo999ca]

Make it last by trying to shut down the server to which we have the IP adress resolved to that server. Come on people it's not rocket science? Just keep doing what you did the first time, until they give up.

From Russia With Love

[GlassHammer]

Yes its fun to blame the Russians but don't forget we have U.S. carriers that help facilitate them (I am looking at you RETN and your connections in Los Angeles) Even more entertaining then the gifts we recieve from Russia and the delivery system propped up by U.S. companies is the shell game that is played with the networks responsible. Forget the concept of a multiheaded monster, it is all heads and no body(the alternative to that analogy is pretty gross).

Re:Let's turn TeliaSonera into a smoking crater ne

[DarthJohn]

Great... you made me crash Wikipedia.

5 times increase in spam

[mzs]

And this morning I noticed a 5 fold increase in spam here, drat!

Re:ISPs should let customers control ports a la ca

[darkfire5252]

If I, as a customer, say "allow port 80 and 443 outbound 24x7, IRC ports in and out 4PM-1AM and 6AM-8AM M-F + weekends, 25 only within the ISP's Walled Garden, ftp main 24x7 ftp data only when ftp main active, all other ports blocked 24x7" then no matter what virus gets on my computer, it can't send through port 25 to anywhere but your server and it can't connect to IRC bot-rooms while I'm at work or in the wee hours of the morning.

It can't connect to the bot-room IRC server? Sure it can; if you're going to allow port 80 outbound 24x7, I'm going to run my C&C server on port 80. Simple as that. For bonus points, I'll do it on port 443 and use encrypted traffic, so that the ISP couldn't tell that traffic from legit HTTPS traffic.

Re:ISPs should let customers control ports a la ca

[davidwr]

I was assuming the bot-room would be using a "regular" IRC network, not one that could easily be blacklisted by an ISP. Is your ISP more likely to blacklist known.dangerous.machine or irc.majorircnetwork.net?

Yes, if the adversary controls the destination machine and it is under the radar of those who control ISP-level blacklisting, then it can disguise itself as routine traffic quite easily.