Computerworld - The takedown last week of a rogue ISP by the U.S. Federal Trade Commission (FTC) slashed spam volumes by about 15% and reduced the spam spewed by a pair of big-name botnets by as much as to just 64%, a security firm said today.
"Spam dropped 15% across the board," said Bradley Anstis, director of technology strategy at Marshal8e6. "We especially noticed [the drop] over the weekend," he said, adding that the decline picked up steam slowly.
Last Tuesday, a federal court ordered the plug pulled on 3FN, an ISP operated by Belize-based Pricewert, after the FTC complained that the company hosts spam botnet command-and-control servers, as well as sites operated by child pornographers, identity thieves and other criminals.
Two botnets in particular were disrupted by the 3FN takedown, said Anstis: Pushdo and Mega-D. Before the court-ordered shut down of 3FN, Pushdo accounted for 26.1% of all spam tracked by Marshal8e6; as of last weekend, Pushdo's spam was just 13.7% of all junk mail, a drop of about 48%.
Mega-D, Anstis added, was hit even harder. That botnet's slice of the total spam pie plummeted from 12.3% prior to 3FN going dark to just 4.4% after, a decrease of 64%.
Joe Stewart, a noted botnet researcher and director of malware research at SecureWorks, agreed that the 3FN takedown hit Pushdo hardest. Stewart, who called Pushdo by its alternate moniker, Cutwail, said that the botnet was hurt, although not mortally wounded. "They don't have all of their eggs in one basket," said Stewart. "They definitely have command-and-control server redundancy, a lesson that McColo taught them."
McColo remains the botnet takedown success story. In November 2008, the California-based company's upstream providers severed the ISP's links to the Internet after security researchers and a Washington Post reporter passed along information that showed McColo was hosting command-and-control servers for some of the biggest spam-spewing and malware-spreading botnets.
After McColo went off the air, spam levels plunged dramatically, falling more than 40% nearly overnight. It took spammers months to restore their scam messages to pre-McColo levels.
Even if 3FN is no second McColo, its demise is important. "Cutwail is definitely one of the top three botnets," Stewart said, noting that he estimates its current size at around 400,000 compromised PCs, up dramatically from 175,000 last January.
Neither Stewart or Antis thought that the reduction in spam would be long-lived, however. "I don't think we'll see a significant long-term drop," said Stewart. "We might see a little bit of a decline. Or we may get lucky. Maybe [Cutwail's] command-and-control architecture will have to take more load on their redundant servers. That might bring down those other severs."
Antis was also pessimistic about the chance that the 3FN takedown would permanently push down spam volumes. After all, the McColo event hit botnets much harder, and spam eventually returned to pre-shuttering levels. But that doesn't mean this kind of anti-spam tactic should be discarded.
"Up until now, we've only blocked the bullet. What we're trying to do now is go after the gun," Antis said. "Every time we do this, we force them to go further underground, which makes it harder to get them the next time. But that's not a reason to stop doing this.
"We are getting a lot better at this," he said.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
