
The McColo Effect: One Year Later

Wednesday, November 11, 2009 at 2:26pm by Sam Masiello

One year ago today, email administrators were astonished to notice that the amount of spam hitting their mail servers had plunged precipitously. Email volumes dropped off by as much as 60 percent to 70 percent, and the reason wasn't immediately obvious to anyone except the folks who knew that McColo, a major spam-hosting ISP, had been taken offline. Three of the largest spam-sending botnets at the time (Rustock, Srizbi, and Mega-D) had command and control machines hosted at McColo and were drastically affected. Mega-D's volume dropped by more than 95 percent, and Srizbi's volume dropped by more than 80 percent.

[Figure: Srizbi volume drop-off]

[Figure: Mega-D volume drop-off]

However, only days after McColo was taken offline, it was reconnected for a brief period (about 12 hours) by its uplink provider, giving the Rustock botnet owners just enough time to re-establish communication with their infected machines and point them at command and control centers hosted with other service providers. Rustock quickly regained its status as a top spam distributor. The Mega-D botnet owners also bounced back, until Mega-D was shut down just this past week. Srizbi, which once accounted for more than 50 percent of spam volume, never recovered and is no longer a factor in today's spam wars.

What has happened since McColo was shut down? Did spam volumes ever recover from the loss of three of the largest spam-sending botnets? Not only did spam volumes recover, unfortunately, but they recovered quickly and have greatly surpassed the volumes that we saw before McColo was taken offline.

[Figure: spam volume graph]

You can see in the preceding graph where volumes stood and how they dropped off after McColo was cut off. However, the shutdown's effect was brief and ultimately small. We have seen dramatic increases since then, due to the relaunching of botnets such as Rustock as well as new botnets such as Bredo (which primarily sends fake nondelivery notifications spoofing package delivery services like FedEx, DHL, and UPS) and Waledac (the rebirth of the Storm botnet). Spam volumes have more than doubled since just February 2009, dwarfing several times over the decrease caused by McColo's demise.
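The step changes described above (a sudden plunge after a takedown, then a rebound that overshoots the old level) are exactly what a mail administrator wants flagged automatically rather than noticed by surprise. As an added example that is not part of the original post or McAfee's tooling, the Python below parses constructed mail-filter verdict lines into daily spam counts and compares each day with a trailing baseline. The one-line-per-message log format, the IP addresses, the six-day volume profile and the thresholds are all assumptions made for illustration.

```python
"""Flag abrupt shifts in inbound spam volume from mail-filter log lines.

Added example, not from the original post. The log format is hypothetical:
'<ISO-8601 timestamp>Z <client IP> verdict=spam|ham', one line per message.
"""
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Hypothetical filter log line; malformed lines are skipped, not raised on.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+verdict=(?P<verdict>spam|ham)$"
)


def parse_daily_counts(lines):
    """Return {'YYYY-MM-DD': {'spam': n, 'ham': n}} from verdict lines."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip garbage rather than abort the whole report
        counts[m.group("day")][m.group("verdict")] += 1
    return dict(counts)


def volume_shifts(daily, window=3, drop=0.5, surge=1.0):
    """Compare each day's spam count with the mean of the preceding
    `window` days. A day at or below (1 - drop) of baseline is a 'plunge';
    a day at or above (1 + surge) of baseline is a 'surge'.
    Returns a list of (day, ratio_to_baseline, label)."""
    days = sorted(daily)  # ISO date strings sort chronologically
    findings = []
    for i in range(window, len(days)):
        baseline = mean(daily[d]["spam"] for d in days[i - window:i])
        if baseline == 0:
            continue  # no meaningful ratio against a silent baseline
        ratio = daily[days[i]]["spam"] / baseline
        if ratio <= 1 - drop:
            findings.append((days[i], ratio, "plunge"))
        elif ratio >= 1 + surge:
            findings.append((days[i], ratio, "surge"))
    return findings


def build_sample_log():
    """Constructed sample: three steady days, a 70% plunge, a partial
    rebound, then a surge well past the old level. Addresses are from
    the RFC 5737 documentation ranges; nothing here is real traffic."""
    profile = [100, 100, 100, 30, 60, 240]  # spam messages per day
    start = date(2008, 11, 8)
    lines = []
    for offset, spam in enumerate(profile):
        day = (start + timedelta(days=offset)).isoformat()
        for n in range(spam):
            lines.append(f"{day}T12:00:00Z 192.0.2.{n % 250 + 1} verdict=spam")
        for n in range(20):  # a steady trickle of legitimate mail
            lines.append(f"{day}T12:00:00Z 198.51.100.{n + 1} verdict=ham")
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    daily = parse_daily_counts(build_sample_log())
    for day, ratio, label in volume_shifts(daily):
        print(f"{day}: {label} (spam at {ratio:.0%} of trailing baseline)")
```

On the constructed profile the script reports a plunge on the fourth day (30 messages against a 100-message baseline) and a surge on the sixth, while the partial rebound on the fifth day stays inside both thresholds. The trailing-window baseline is what keeps the surge visible: a fixed "normal" level from before the takedown would have reported the rebound as a mere return to normal, whereas the post's point is that volumes blew straight through it.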

The McColo closure as a single event remains significant, but when you compare it with the huge increases in volume that we have seen since then (driven by spoofs of social media sites through viruses like Koobface, and by spam continuing to be a major factor in the successes of Rustock and Cutwail), the decrease now reflects only a momentary blip on the radar.

Nonetheless, you should expect to see more of these types of takedowns as security researchers and research organizations continue to get involved, but you should also expect the overall effect of those shutdowns to be temporary. McColo has taught botnet owners a lesson. As a result, botnet control centers have become more distributed, spanning many networks in many countries. Today, taking down a big hosting provider would prove only a minor inconvenience to the botnet owners rather than a major victory for security forces.
