Spam levels dropped by almost half when rogue ISP (Internet service provider) McColo was taken offline in November. But some new botnets and even older ones are churning out more spam.
“At the current rates, we’ll be back at those pre-McColo takedown levels probably within the next three to five weeks,” said Adam Swidler, senior product marketing manager for Google Message Security, also known as Postini.
Google said Monday it has seen a 156 percent increase in spam since McColo went offline. McColo hosted the so-called command-and-control servers for botnets that are used to instruct PCs to send spam. The botnets included Rustock, Srizbi, Pushdo/Cutwail, Mega-D and Gheg.
McColo’s takedown for the most part killed off the Srizbi botnet, which was blamed for sending a large proportion of the world’s spam. But other botnets — which are essentially legions of hacked computers configured to send spam — are picking up the slack.
Mega-D, also known as Ozdok, is comprised of at least 660,000 PCs, according to MessageLabs, an e-mail security outfit now owned by Symantec. On average, PCs infected with Mega-D send out an astounding 589,402 messages per day, or around 409 per minute. All told, Mega-D is sending out 38 billion messages per day.
According to MessageLabs’ latest figures released Monday, 74.6 percent of all e-mail was spam this month, a 4.9 percent increase over December. Percentages of spam can vary by vendor depending on the pool of PCs using their services, which are used to collect statistics on spam.
“We’ve seen a steady increase over the last two months,” said Paul Wood, MessageLabs Intelligence Analyst with Symantec.
MessageLabs saw spam drop to around 58 percent of all e-mail when McColo went down, but rising to around 69 percent in December, Wood said.
Spammers are also changing their tactics to ensure their messages are not blocked, said Richard Cox, CIO for the antispam organization Spamhaus.
When a computer is infected with code used to send spam, it sets up a mail server on the PC, which proceeds to pump out spam directly onto the Internet. But if that computer is noticed sending spam, it is added to a block list of end-user IP (Internet Protocol) address ranges that shouldn’t be sending unauthenticated mail.
As an alternative, spammers are using programs that detect a person’s ISP and then route the mail through that ISP, which avoids it getting block when it is checked against the list, Cox said. The spam could be blocked, however, through other detection methods and analysis at a later point.
ISPs are “not really set up for” stopping that kind of abuse as of yet, Cox said. Further, many ISPs do not have security staff available constantly to act quickly when abuse is reported, he said.
Spamhaus is in the process of tracking which ISPs are hosting the command-and-control servers for some of the current flagrant botnets. Cox said he could not release more information.
McColo’s shutdown came after a report appeared in the Washington Post in combination with pressure from computer security analysts. Although McColo was linked to Web sites hosting child pornography, it was the community of researchers rather than law enforcement that caused McColo’s upstream providers to disconnect it from the Internet. Although McColo’s servers were in the U.S., the people believed to run the operation were likely overseas.
(Robert McMillan in San Francisco contributed to this report.)