Spam's Resurgence Continues in Aftermath of McColo Takedown

New stats show further increases in spam levels as botnets recover from hosting firm's removal

Spam levels dropped by almost half after rogue hosting firm McColo Corp. was taken offline by its upstream ISPs in November. But two months later, new botnets as well as some older ones are churning out increasing levels of spam messages.

"At the current rates, we'll be back at those pre-McColo takedown levels probably within the next three to five weeks," said Adam Swidler, senior product marketing manager at Google Inc.'s Postini messaging security unit.

Google said Monday that it has seen a 156 percent increase in spam from the low point after McColo went offline, the latest in a series of signs that spammers are regrouping.

San Jose-based McColo had hosted the command-and-control servers used to send spamming instructions to several botnets of compromised PCs, including ones known as Rustock, Srizbi, Mega-D, Pushdo/Cutwail and Gheg.

The McColo takedown for the most part killed off the Srizbi botnet, which was blamed for sending out a large proportion of spam globally. Rustock also was hit hard. But other botnets are picking up the slack.

Mega-D, also known as Ozdok, currently comprises at least 660,000 PCs and is sending an average of more than 26 million spam messages each minute, according to MessageLabs Ltd., a vendor of e-mail security services that was acquired by Symantec Corp. in November. That adds up to a total of about 38 billion messages per day.

According to new statistics released by MessageLabs today, 74.6 percent of all e-mail has been spam thus far this month, an increase of 4.9 percentage points over the December level.

"We've seen a steady increase over the last two months," said Paul Wood, an analyst at MessageLabs. He added that the Symantec unit's measurements of spam levels dropped to 58 percent of all e-mail after McColo was taken offline, then rose to 69.7 percent in December and have continued to increase this month.

Spammers are also changing tactics to ensure that their messages aren't blocked, said Richard Cox, CIO at The Spamhaus Project Ltd., an antispam organization that maintains a "block list" of end-user IP address ranges.

When a computer is infected with botnet code used to send out spam, a mail server is set up on the compromised PC, enabling it to pump out spam directly onto the Internet. But if Spamhaus or other antispam groups notice that a PC is being used for spamming, they can add it to their lists of systems to block.

But now, Cox said, spammers are using programs that detect a user's ISP and then route the spam messages through the service provider's systems, thus preventing the e-mails from being stopped when the source system is checked against block lists.
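The two delivery paths described above differ in what the receiving mail server can see at connection time. The following Python example, added here and not taken from the article or from Spamhaus, models that difference from the receiving side: it builds the reversed-octet query name a DNS-based block list lookup would use, stands in for the block-list answer with a constructed table of end-user address ranges, and walks the `Received:` headers of two constructed messages. All addresses, host names, the zone `bl.example.invalid` and the messages are made up for the illustration.

```python
"""Block-list checks at an inbound mail server, and what an ISP relay hides.

Added illustration.  The address ranges, DNSBL zone, host names and messages
are constructed; none refer to a real block list or network.
"""
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for a block list of end-user (dynamic/residential)
# address ranges.  A real deployment queries its provider's zone instead.
END_USER_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
DNSBL_ZONE = "bl.example.invalid"  # hypothetical zone name


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Return the reversed-octet name a DNS block-list lookup would resolve.

    192.0.2.10 against zone Z becomes 10.2.0.192.Z; an A record in the
    answer means "listed".  No DNS query is made here.
    """
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, ranges=END_USER_RANGES) -> bool:
    """Local stand-in for the block-list answer: listed if inside a range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


# The connecting address an MTA records in "Received: from host ([a.b.c.d])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message: str) -> list:
    """Connecting IPs from Received: headers, newest hop first.

    Each MTA prepends its own Received: header, so the first one in the
    message is the hop that delivered it to us.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = _RECEIVED_IP.search(header)
        if match:
            hops.append(match.group(1))
    return hops


def classify(raw_message: str) -> str:
    """What the receiving MTA could do with this message.

    reject_at_connect: the peer that delivered it is itself listed, so the
        SMTP connection could have been refused before any data arrived.
    listed_in_chain: the delivering peer is clean (an ISP's outbound relay)
        but an earlier hop is listed; only a check of the Received: headers
        after acceptance can see that, and only if the relay recorded it.
    clean: no hop is listed.
    """
    hops = received_chain(raw_message)
    if not hops:
        return "clean"
    if is_listed(hops[0]):
        return "reject_at_connect"
    if any(is_listed(ip) for ip in hops[1:]):
        return "listed_in_chain"
    return "clean"


# Constructed message 1: the compromised PC ran its own mail server and
# connected straight to the destination MTA.
DIRECT_FROM_BOT = (
    "Received: from dsl-10.isp.example ([192.0.2.10]) by mx.example.org;"
    " Tue, 13 Jan 2009 10:00:00 +0000\n"
    "From: someone@isp.example\nSubject: constructed sample\n\nbody\n"
)

# Constructed message 2: the same PC submitted the message to its ISP's
# outbound relay, which then delivered it; the destination MTA only ever
# talked to 203.0.113.5.
VIA_ISP_RELAY = (
    "Received: from smtp-out.isp.example ([203.0.113.5]) by mx.example.org;"
    " Tue, 13 Jan 2009 10:00:02 +0000\n"
    "Received: from dsl-10.isp.example ([192.0.2.10]) by smtp-out.isp.example;"
    " Tue, 13 Jan 2009 10:00:00 +0000\n"
    "From: someone@isp.example\nSubject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10"))
    print("direct:", classify(DIRECT_FROM_BOT))
    print("via relay:", classify(VIA_ISP_RELAY))
```

The second message shows the gap the article describes: the relay's address is not on an end-user block list, so the connection-time check passes, and the bot's address is visible only in a header the relay chose to add. That is why the practical control for relayed spam sits with the ISP (submission authentication, per-account rate limits and abuse handling on its own outbound servers) rather than with the recipient's block-list lookup.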

ISPs are "not really set up" to stop that kind of spamming abuse yet, Cox said. In addition, many don't have security staffers available on a constant basis to quickly take action when abuses are reported, he said, although he noted that spam could be blocked at a later point in the process through other detection methods.

Spamhaus is in the process of tracking which ISPs are currently hosting the command-and-control servers for some of the most flagrant botnets, Cox said, declining to release more information.

McColo was disconnected from the Internet after a reporter from The Washington Post provided the company's upstream ISPs with information about its alleged hosting of spammers and other cybercrooks. Although McColo was linked to Web sites that hosted child pornography, the information that led the ISPs to pull the plug on the company came not from law enforcement officials but from security researchers who had been tracking McColo for several months.

Robert McMillan of the IDG News Service contributed to this report.

Copyright © 2009 IDG Communications, Inc.
