ECommerceTimes.com

Botnet Hunters Bypass Cops to Bring Down Spam Host


Rather than wait for the cops to go to a judge and get a subpoena, a group of security researchers took their case directly to the ISPs that serve McColo, which the researchers identified as a major enabler of an eastern European spam botnet.


If you notice less spam in your e-mail inbox today, you can thank a coalition of cybersecurity researchers who have made it their mission to sew up spam-based "botnets" on the Web.

Earlier this week, HostExploit.com gave a Washington Post reporter information about a hosting company, McColo, that was allegedly providing command-and-control capabilities for a network of remote-controlled computers sending out spam for child pornography, fake pharmaceuticals and identity theft "phishing."

The reporter and HostExploit then notified McColo's Internet service providers, and those ISPs pulled the plug on McColo. The result: an estimated 40 percent dropoff in worldwide spam, "and some people, from their vantage points, saw an even greater drop than that," said Paul Ferguson, a Trend Micro (Nasdaq: TMIC) advanced threat researcher who contributed intelligence on McColo to HostExploit.

Not Vigilantes

The coalition had similar success in September with another hosting company, Atrivo. HostExploit's role is not to become vigilantes, Ferguson told the E-Commerce Times. "We kind of hate that word," he said, because the group cooperates with law enforcement and notifies authorities when it finds evidence of illegal activities. But the intent is to allow the industry to police itself by notifying ISPs who may not be aware of what's happening on their networks.

"We need to clean up our own backyard," Ferguson said.

Pulling the Rug Out

"I have the graph sheets right in front of me. It's like the volume (of spam) fell off a cliff," Matt Sergeant, senior anti-spam technologist with Message Labs, told the E-Commerce Times. "What I'm looking at is a graph from our Message Labs spam traps, which on a regular day gets about 60 million e-mails a day. This probably literally dropped to about 10 million a day." Sergeant's spam traps receive botnet-produced spam, so "it focuses strongly on the type of stuff that taking down McColo would reduce."

The victory will be short-lived, Ferguson admits. The botnet will end up in use by some other criminal entity, probably within days. "They're not going to go down silently. They're just like cockroaches, they'll scatter and pop up somewhere else," Ferguson said. "But by having their hand forced, we can see them and track them."

Here's what Ferguson and HostExploit know about the group using McColo: it is based in Eastern Europe and uses well-connected ISPs to either set up shell companies that appear to be legal Web hosting services, or to dupe legitimate hosting providers into running their content. "They've done this around the world."

The Relationship With Law Enforcement

HostExploit kept law enforcement apprised of its investigation and provided evidence at all times, Ferguson said. "We would have certainly complied with any request from law enforcement to not publicize the information if that request had been made." But that request never came, and HostExploit knows that it can take a lot longer for authorities to make their cases and get subpoenas, "especially when it's against persons unknown in Eastern Europe. We had to try a different tactic, to work within the community at large."

That tactic: Make ISPs aware when hosting companies suspected of illegal activities are in possible violation of their contractual agreements. "We certainly wanted to make sure that law enforcement could conduct their investigations, but at some point in time we agreed that the evidence had to be presented to the ISPs, because people are being victimized on a daily basis."

Sergeant agrees, and hopes that incidents like the McColo case serve as a wake-up call for authorities. "The anti-spam community knows a lot about the technical side of this and just got tired of waiting for law enforcement to take action. They've had to take matters into their own hands. If it were any other issue than just spam -- that was more of a political hot button, if you like -- then the law would be down there immediately, grabbing those (server) boxes."

Because of the profits involved in cybercrime, Ferguson knows that HostExploit won't have a lot of time to celebrate. "We're not disillusioned by the fact that this is a small victory. We'll enjoy it when we get them. The real thing is to hit these guys where it hurts -- to make the costs of doing business so high that they have to go somewhere else to do it. Taking money out of their pockets is what they understand."


More by Renay San Miguel