We know that in the long term such actions might be nothing more than turning on the light -- the roaches scatter, but resume their business somewhere else. The point is to set an example which, if enough people follow after it, will continue to bring inconvenience and expense to the spammers no matter where they resume their operations.
But for the moment, let's celebrate the possibly temporary drop in spam.
This morning at the UAB Spam Data Mine our spam volumes are decreased from normal volumes by between 65% and 70%! What happened? And can we make any generalizations from today's events?
Very little, if any, spam is actually sent from McColo. Why the shutdown of the McColo network had such a profound impact on spam is that the "Command & Control" servers for many of the world's largest spam-sending botnets resided at McColo. This exercise has shown what we have been arguing all along at UAB -- it is important to find out not just what TYPE of spam is being sent, but HOW it is being sent. I have to say I am even more excited than before about identifying the points of control for some of these other spam-sending botnets.
By isolating the McColo network (the proper term is "de-peering"), the Criminal can no longer update the server where the Botnet machines received their commands. If the bots can't find their controller, they complete their current task, and sit idle, testing from time to time to see if they can reach their Command & Control server. Until they can, they won't have any more spam to send.
Let's look at the immediate impact today of the spam-sending roaches who have been inconvenienced by the McColo shutdown.
There are several places that provide real-time or near real-time graphs of the volume of spam they are seeing. Let's look at a few of them.
(click for current MxLogic Threat Level)
MxLogic.com has been showing spam to be between 83.5% and 91.1% of spam for the past week. Yesterday between 1:00 and 4:00 spam dropped from 85% of their monitored mail volume to 71.93%. Currently they are seeing spam as being 64.1% of their email traffic, which I believe would be the lowest point for the entire year.
(click for current SpamCop Statistics)
SpamCop.net normally sees as many as 30 or 40 spam messages per second, and looked at more than 14 million spam emails in the past week. Yesterday spam dropped abruptly from 30 messages per second to around 8 messages per second, and currently spam volumes have not yet crossed the 15 message per second mark for the entire day.
Brian Krebs has updated his earlier post with news that he is receiving feedback from all around the globe of people who are seeing less spam today because of the disconnection of McColo.
If you have numbers or charts showing your own spam drop, please share them with me. I'd love to share them with our readers here: gar@cis.uab.edu
0 comments:
Post a Comment