The McColo takedown: Online neighborhood watch, or Internet frontier justice?

McColo hosted a staggering variety of cybercrime activity, according to a group of researchers who said they had documented the company's practices for more than two years. In addition to hosting Web sites that spewed out huge quantities of spam, McColo is alleged to have hosted child pornography and counterfeit pharmaceutical sites, as well as command-and-control servers for some of the Internet's biggest botnets.

McColo was kicked offline after The Washington Post gave the company's upstream service providers information about its alleged hosting activities that the Post had gathered from the security researchers.

Benny Ng, director of infrastructure at Hurricane Electric, a Fremont, Calif.-based ISP that was one of McColo's service providers, said his company's decision to pull the plug was based solely on what it was given by the Post. According to Ng, the decision was straightforward because what McColo was doing was against Hurricane Electric's terms of service.

The fear of ending up on an Internet blacklist is also a powerful motivator in such cases. The blacklists maintained by StopBadware.org and other groups are used by many security vendors and corporate IT departments as part of their efforts to block spam and malware. As a result, ending up on the lists can have drastic consequences for an ISP or Web site.

Blacklist groups "basically have you over a barrel," said an executive at a hosting firm who asked not to be named. "So yes, we do pay attention to them."

However, in both the McColo and Intercage cases, the only role the security community played was to collect evidence showing that the two companies were hosting clients involved in all sorts of criminal activity, said Garth Bruen, founder of the antispam group KnujOn.

The decisions to pull the plug on the hosting firms were made solely by the upstream service providers, Bruen noted. "That was their choice to do it," he said. "We just gave them the information to help them make up their mind."

What's going on is "a little closer to vigilance than it is to vigilantism," StopBadware.org's Weinstein said in an interview. The security researchers who track alleged bad apples "are not inciting specific action against any company," he added. "What they're doing is publishing data and putting it in front of people who are making these decisions."

Often, though, it's hard to know for sure if a hosting company is complicit in the illegal activities taking place on its networks, or the extent of its culpability if it is aware of them, Weinstein acknowledged. "That's definitely a concern," he said. "But I don't think there's an easy answer to it."

Similar doubts were expressed even in the Post's story about the McColo takedown that the newspaper itself had helped trigger. According to the Post, the extent to which McColo could be held legally responsible for the activities of its hosted clients is unclear. There also is no evidence that McColo has ever been charged with any crimes, the newspaper reported.

Renesys' Zmijewski said he's surprised by the apparent lack of action on the part of U.S. law enforcement agencies to curb either McColo or Intercage. "It's not like these companies were in the middle of nowhere," he said, adding that many of the activities carried out on their systems were clearly illegal.

Invoking the rule of law would be preferable to having private groups initiate their own policing efforts, Zmijewski said. But he noted that with law enforcement not getting involved, it's no surprise that people have begun "taking matters into their own hands." For now, he said, "this perhaps is the only option."

This version of this story originally appeared in Computerworld's print edition.

Read more about security in Computerworld's Security Knowledge Center.