Spam drop could boost Trojan attacks
The dramatic fall in spam traffic reported last week after alleged rogue ISP McColo Corp. was taken offline will only be a temporary reprieve and could actually generate a new wave of Trojans, experts have warned.
ISPs disagree on the global percentage drop in spam caused by the shuttering of San Jose-based McColo last Tuesday, with estimates given by those contacted by Techworld ranging from 50% to 80%. But even the lower figure is still an unprecedented fall in such a short space of time. It appears that even those who were aware of its use as a hosting port by malware purveyors hadn't guessed that a single ISP could be behind such a huge chunk of the world's spam.
"Our servers haven't been so relaxed for months," said Richard Cox, CIO of respected spam-fighting organisation, Spamhaus, ruefully. "This proves how important it is for the law to get at this sort of criminality."
Nevertheless, Cox doubted that the improvement would last long, and said the shutdown could actually lead to a rise in Trojan attacks as spammers using McColo to host botnet control infrastructures attempt to reconstitute their networks elsewhere in the coming weeks.
Paul Wood of MessageLabs said his company had also seen spam dipping sharply, which had hit specific troublesome botnets hard.
"We documented a massive drop in spam volume, to levels eight times less than typical volumes for a period of 12 hours, immediately following the takedown before spam levels began to rise again," he said.
"Further analysis of our metrics would suggest there has been an 80% drop from Mega-D and 60% from Srizbi; Rustock is down by 50% and Asprox down by 80%. Overall botnet traffic has reduced by approximately 30% in the 24 hours following the takedown."
In fact, McColo was the third ISP of significance to the criminal world to face disruption in a matter of weeks, he said, referring in particular to the de-peering of Intercage by ISPs in September.
How the botnet controllers react cancould regain control of compromised, 'zombie' PCs. If that proves hard, it is possible that new PCs would need to be hit with Trojans in order to start new botnets from scratch.
"It depends on the botnet in question and whether the bad IPs at McColo can be re-activated by another rogue ISP sooner or later," he said.
Adam O'Donnell of Cloudmark was less convinced that the reduction in spam volumes held much significance for the average user, especially business users sitting behind filtered connections.
"We have seen a drop in IP connection attempts that would have been dropped anyway," he said. "This is not like cleaning up a mess in the street," and the problem would return once the botnetters had found new hosters. "I give it two weeks," he said.
Despite the relentlessly upward movement in spam volumes over time, the occasional fall is not unheard of, with a single botnet going offline reportedly reducing traffic in early 2007.
According to Ed Rowley of recently-merged spam filtering outfit Marshal8e6, the McColo case could have a positive long-term effect in at least one way, that of convincing the authorities that attacking spam is now possible. In the past, the industry had been reluctant to shut down other ISPs, regardless of evidence of wrong-doing, but this might now change.
"There is a strong feeling that [closing problem ISPs] is not a bad thing," he said.
No responsibility can be taken for the content of external Internet sites.
Return to internet news headlines
View Internet News Archive