The U.S. Federal Trade Commission’s recent takedown of an Internet service provider thought to be a safe haven for spammers has reduced spam volumes, but not dramatically.
According to e-mail security vendor Marshal8e6, total spam volume dropped by about 15 percent last week, as the FTC got a court order to pull the plug on a notorious ISP named Pricewert.
“We noticed quite a drop-off mid to late last week,” said Phil Hay, a threat analyst with Marshal8e6. “Things got pretty quiet compared to what we’d been seeing.”
The notable – though not dramatic – drop in spam levels parallel what happened after Intercage, was shut down in September last year.
The California-based Web hosting firm was accused of hosting a large number of sites engaging in phishing, malware-propagation, and other such activities.
At the time spam levels dropped by nearly 10 per cent, but quickly rebounded.
In the case of Pricewert (which also did business under the name 3FN) the axe came after the companies that provided it access to the Internet stopped doing business with it.
This happened after the FTC was granted a temporary restraining order Tuesday in the U.S. District Court for the Northern District of California.
According to the FTC, Pricewert was home to a host of illegal activity including the distribution of viruses, phishing, spyware and child pornography.
In a statement, the FTC said Pricewert “actively shielded its criminal clientele by either ignoring take-down requests issued by the on-line security community, or shifting its criminal elements to other Internet protocol addresses it controlled to evade detection.”
The ISP has said that the alleged criminal activity on its network was the result of bad customers and not its fault.
Pricewert lists its principal place of business as Belize City, Belize, but it operated out of a DataPipe data center in San Jose, California, the FTC said.
Pricewert was thought to be home to several servers used to control computers infected with the Cutwail Trojan program (also known as Pushdo).
Criminals had been using these infected machines to pump out spam messages, and right before the takedown the ISP was responsible for about 30 percent of the spam tracked by Marshal8e6.
Last November, various sources estimated that spam levels dropped between 40 and 70 per cent after servers belonging to notorious ISP, McColo, were taken off-line by its upstream providers. It took months for spam levels to rebound to the same volume.
McColo hosted the command and control systems for several major botnets, including Rustock, Srizbi, Dedler, Storm, Mega-D and Pushdo, according to the McColo – Cyber Crime USA report.
Each of these control an average of 600,000 computers which pump out a massive amount of spam. Security experts said in addition to spam, McColo was responsible for other nefarious activities, including the spread of child pornography.
As many predicted, however, the shutdown didn’t affect spam levels in the long or even medium term. One reason, is that with the latest cyber-criminal tools and techniques, these sites are able to move domains very rapidly, experts noted.
The results from the Pricewert takedown were not as spectacular as what was witnessed with McColo.
According to data from Cisco Systems, spam levels dropped about 30 percent at the end of last week but rebounded to normal levels on Sunday and Monday.
Security experts say that following the dramatic McColo incident, spammers may have put better backup systems in place to maintain control of their botnets of hacked computers.
“Obviously, this was not a McColo. They were ready for the takedown,” said Richard Cox, chief information officer with Spamhaus, an anti-spam group. “We’ve seen the backups pop up and have to get taken down and so on.”