The war on spammers: The Washington Post wins the Battle of the Bulge


The volume of junk e-mail sent worldwide dropped drastically today after a Web hosting firm identified by the computer security community as a major host of organizations allegedy engaged in spam activity was taken offline, according to security firms that monitor spam distribution online.

While its gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for what could be called a full-scale cyber crime offensive, security experts have found that a relatively small firm at that location is home to servers that serve as a gateway for a significant portion of the world's junk e-mail.

The servers are operated by McColo Corp., which these experts say has emerged as a major U.S. hosting service for international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via email.

But the company's web site was not accessible today, when two Internet providers cut off MoColo's connectivity to the Internet, security experts said. Immediately after McColo was unplugged, security companies charted a precipitous drop in spam volumes worldwide. E-mail security firm IronPort said spam levels fell by roughly 66 percent as of Tuesday evening., another spam watch dog, found a similar decline, from about 40 spam e-mails per second to around 10 per second. (See their graphic representation here.)

Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site. It's not clear what, if anything, U.S. law enforcement is doing about McColo's alleged involvement in the delivery of spam. An FBI spokesman declined to offer a comment for this story. The U.S. Secret Service could not be immediately reached for comment.

Also unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.

Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, D.C.,. said Web hosting providers are generally not liable for illegal activity carried out on their networks, except in cases involving copyright violations and child pornography.

In the case of child pornography, providers may be held criminally liable if they know about but do nothing to eliminate such content from their servers. For example, in 2001, BuffNET, a large regional service provider in Buffalo, N .Y., pleaded guilty to knowingly providing access to child pornography because the company failed to remove offending Web pages after being alerted to the material.

Rasch said liability in such cases generally hinges on whether the hosting provider is aware of or reasonably should have been aware of the infringing content.

"It's a little bit like a landlord who owns a building and sees people coming in and out of the apartment complex constantly at all hours and not suspecting their may be drug activity going on ," Rasch said. " There are certain things that raise red flags, such as the nature, volume, source and destination of the Internet traffic, that can and should raise red flags. And to have so many third parties looking at the volume and content from this Internet provider saying 'This is outrageous,' clearly the people doing the hosting should know that as well."

Global Crossing, a Bermuda-based company with U.S. operations in New Jersey, which was one of the two companies providing Internet connectivity to McColo, declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.

Benny Ng, director of marketing for Hurricane Electric, a Fremont, Calif., company that was the other major Internet provider for McColo, took a much stronger public stance, upon receiving information about this investigation from

We shut them down," Ng said. "We looked into it a bit, saw the size and scope of the problem [ was] reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

Tom notes:

Snark aside, this really is a pretty impressive accomplishment for a journalist. Brian Krebs' reporting led directly to a major spam colocation facility getting knocked offline by its upstream bandwidth providers. The result is reportedly a staggering 75% overnight drop in net-wide spam. That won't last, of course, but it's still awfully impressive. (Incidentally, this isn't the first time that the Post has caused trouble for botnet operators.)

Not to diminish Krebs' accomplishment, but the ease with which this was done -- a civilian making some phone calls, basically -- also hints at the lameness of our law enforcement agencies' online efforts. This was a U.S. company that was plainly harboring illegal activity. Krebs spoke to some security researchers who let him know about it, then he called the folks providing the malefactors' network connections. Those providers said "wow! you're right!" and pulled the plug. It took time, initiative, and cleverness (the threat of Krebs' bully pulpit helped, no doubt), but it didn't take any warrants or indictments.

Meanwhile, the people nominally charged with prosecuting these sorts of crimes are -- what? Posing as sexy teens in chatrooms?

This actually doesn't bother me particularly.  Killing spammers at the host level is the sort of thing that the private market is actually pretty good at; no upstream provider can afford to be known as the Official Webhost of the Spamming Community.  US law enforcement has a lot more procedural hurdles than the Washington Post, which may make them less efficient at fighting the sort of crime that sunlight pretty instantly disinfects.

And law enforcment is limited by the same problem that I imagine is about to face the security community:  they have no power in countries that don't care about stopping spam.  I'm sort of surprised that the webhosting was not only so concentrated, but located in the US.