E-mailers, enjoy the early holiday gift: Spam volume has been cut by more than half.
That's because Internet providers pulled the plug on a Web hosting firm that allegedly was helping some of the world's most dastardly junk e-mail gangs.
The break won't last long. Garbage e-mail levels are already swelling again and are expected to return to normal in a matter of days.
The holidays are the busiest time of the year for spammers. Criminals are hustling to reconnect with potentially millions of virus-infected PCs that they once used to send spam.
Spam accounts for 90 percent of the world's e-mail.
Spam fighters scored big last week with the takedown of McColo Corp., a U.S.-based company apparently catering to bulk e-mailers.
But the battle against McColo also highlights the difficulty in squashing spam-sending operations. Slapping one down means it just pops up somewhere else.
“It is always a cat-and-mouse game, and we fully expect there will be a countermove,” said Doug Bowers, senior director of anti-abuse engineering for Symantec Corp.
Companies like McColo can be difficult to take down. Authorities have to prove company officials knew crimes were being committed through their servers. Web hosting companies often argue they don't monitor how customers use their services.
In this case, security researchers amassed evidence of wrongdoing on their own and confronted McColo's Internet providers to get the Web hosting service taken down.
McColo, which claims a Delaware mailing address and a data center in California's Silicon Valley, has been on security researchers' radars for more than a year. Many spam filters blocked messages that came through McColo's service.
The FBI declined to comment. It appears, however, that spam senders used McColo's service to send commands to large numbers of PCs they had hijacked.
Having that conduit is crucial. Spammers use networks of compromised computers – known as “botnets,” or networks of robot or zombie PCs – to amass enough computing power to send millions of messages a day.
The owners of the hijacked machines typically don't know their computers are secretly being used for that purpose. But criminals need a way to communicate with these computers – and a Web hosting company willing to look the other way.
McColo representatives didn't return calls for comment. McColo's Web site was no longer working.
A big problem in tracing the Web hosting companies that enable botnets is that traffic from the infected computers passes through many different Internet providers on its way to the controllers, so the trail goes cold quickly.
The case against McColo was built by security researchers over time and detailed in a recent analysis by HostExploit, a group that tracks Internet threats. McColo was apparently a choke point for the spamming industry. Some of the world's biggest botnets operated through McColo's servers, according to security researchers.
Worldwide spam volume was about 153 billion e-mail messages on Nov. 11, the day McColo's Internet providers yanked its service. In two days, that dropped to 64 billion messages, according to IronPort, a security firm owned by Cisco Systems Inc.
It hasn't taken long for things to pick up again.
Security firm Sophos PLC reported Sunday that McColo was back online again after scoring service from a Swedish Internet provider. The service was withdrawn after the Internet provider heard from security researchers.
IronPort said Monday that spam volume was climbing and had reached an estimated 71 billion messages.
Just a few years ago, severing the Internet connection spammers used to reach a botnet of infected PCs could decapitate the operation.
Now it's more like cutting off an arm. The criminals can find another Internet provider, and they've changed their tactics to get things running again quickly.
One change in strategy is to seed the infected computers they control with the locations of other infected computers in the same botnet.
After an outage, the criminals then need to contact only some of those machines to set off a chain reaction that reaches all the other infected computers and resurrects the entire army.
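The difference between "decapitation" and "cutting off an arm" comes down to what each infected machine knows. The following model is an added illustration written for this page; it is not code from the article, from any security firm quoted in it, or from any real botnet. The bot names, their peer lists and the single command server are all constructed. It contrasts a botnet whose bots know only one command-and-control host with one whose bots were seeded with a few other bots' addresses, and shows how many machines the operator gets back after the hosting is pulled.

```python
"""Toy model of botnet recovery after its hosting is cut off.

Added example, not from the article: two ways a botnet can be wired up.
  (a) centralized: every bot knows one command-and-control (C2) host only;
  (b) peer-seeded: every bot was given a short list of other bots.
When the C2 host goes dark, (a) is unreachable until the old host returns,
while in (b) the operator re-contacts a few bots directly and lets the
peer lists carry the new rendezvous address to the rest.
"""
from collections import deque

# Constructed sample botnet: bot id -> the peer ids it was seeded with.
# The names are invented; only the shape (each bot knows a handful of
# others, and a few were seeded badly) matters for the demonstration.
PEER_LISTS = {
    "bot-a": ["bot-b", "bot-c"],
    "bot-b": ["bot-d"],
    "bot-c": ["bot-d", "bot-e"],
    "bot-d": ["bot-f"],
    "bot-e": ["bot-c"],
    "bot-f": ["bot-g"],
    "bot-g": ["bot-h", "bot-b"],
    "bot-h": ["bot-c"],
    "bot-i": ["bot-j"],   # bot-i and bot-j only know each other
    "bot-j": ["bot-i"],
}


def reconnect_centralized(bots, c2_reachable):
    """Architecture (a): every bot polls one C2 host for instructions.

    If that host is gone, no bot learns a new address; the takedown is a
    decapitation.  Returns the set of bots that receive the new address.
    """
    return set(bots) if c2_reachable else set()


def reconnect_peer_seeded(peer_lists, seeds):
    """Architecture (b): the operator contacts `seeds` directly and each
    reached bot forwards the new rendezvous address to the peers it was
    seeded with.  A breadth-first walk over the peer lists gives the set
    of bots that end up with the new address.
    """
    reached = set()
    queue = deque(bot for bot in seeds if bot in peer_lists)
    while queue:
        bot = queue.popleft()
        if bot in reached:
            continue
        reached.add(bot)
        for peer in peer_lists.get(bot, []):
            if peer not in reached:
                queue.append(peer)
    return reached


def stranded(peer_lists, seeds):
    """Bots the chain reaction never reaches; the operator loses these
    unless it contacts them directly."""
    return set(peer_lists) - reconnect_peer_seeded(peer_lists, seeds)


def unreferenced_bots(peer_lists):
    """Bots that appear in nobody's peer list.  They can only be recovered
    by direct contact, so an operator (or a defender mapping the same
    graph from captured samples) would watch these first."""
    referenced = {peer for peers in peer_lists.values() for peer in peers}
    return set(peer_lists) - referenced


if __name__ == "__main__":
    bots = list(PEER_LISTS)
    print("centralized, C2 down :", len(reconnect_centralized(bots, False)), "of", len(bots))
    for seeds in (["bot-a"], ["bot-d"]):
        back = reconnect_peer_seeded(PEER_LISTS, seeds)
        print(f"peer-seeded, seeds={seeds}: {len(back)} of {len(bots)} back,",
              "stranded:", sorted(stranded(PEER_LISTS, seeds)))
    print("must be contacted directly:", sorted(unreferenced_bots(PEER_LISTS)))
```

With the constructed lists above, one direct contact to `bot-a` brings eight of ten bots back, while `bot-i` and `bot-j` stay stranded because nothing outside their pair ever points at them. The same walk, run by a defender over peer lists pulled from captured samples, shows which handful of machines a resurrection has to go through.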
“This is a temporary reprieve,” said Nilesh Bhandari, a product manager with IronPort, “and we should enjoy it while we can.”