The McColo Story From the Spam and Botnet Perspective

On Tuesday, 11/11/2008, the US hosting company McColo (AS26780) was cut off from the Internet. McColo had long been known for dubious activities; some estimates held it responsible for as much as 75% of all spam sent on the Internet. These activities stopped instantly when McColo was disconnected. I looked into this at our blacklist mirror. Since Tuesday evening (2200 local time, CET), the total number of requests to the blacklist has been much lower than on the previous days. The traffic caused by these requests has, compared to the peaks, nearly halved.

DNSBL stats around 11/11/2008

After McColo (AS26780) "went" offline on 11/11/2008, the global spam volume remained at roughly half its previous level for about 10 days. The low volume, which even reached an annual minimum on 11/21/2008, was probably amplified by the fact that many botnet command-and-control channels were hosted at McColo.

On 11/15/2008, I realized that McColo suddenly reappeared for short periods of time through other autonomous systems, such as TeliaNet Global Network (AS1299). At the bottom of this post, I have added some BGPlay screenshots that show the changes in the routing to McColo.
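To make the routing observation concrete, here is an added example (not code from the original post) that replays a BGP update feed in the pipe-separated text layout written by `bgpdump -m` and reports when prefixes originated by AS26780 disappear, reappear, or change their upstream transit AS, which is the pattern the BGPlay screenshots visualise. Everything in the sample feed is constructed for illustration: the prefixes are RFC 5737 documentation ranges, the peer and upstream ASNs are RFC 5398 documentation ASNs (apart from AS1299, which the post mentions), and the timestamps are invented; McColo's real prefixes and upstreams are not part of this page.

```python
"""Spot when prefixes originated by one AS vanish or reappear in BGP, and via which upstream.

Added example, not from the original post. Input is BGP update text in the
pipe-separated layout produced by `bgpdump -m`
(TYPE|TIME|A/W|PEER_IP|PEER_AS|PREFIX|AS_PATH|...), as seen from one collector peer.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

TARGET_ORIGIN = 26780  # McColo, the only real ASN besides 1299 (TeliaNet) below

# Constructed sample feed: RFC 5737 documentation prefixes and RFC 5398
# documentation ASNs (64496-64511) stand in for real ones; timestamps are invented.
SAMPLE_UPDATES = """\
BGP4MP|1226400000|A|10.0.0.1|64499|192.0.2.0/24|64499 64496 26780|IGP|10.0.0.1|0|0||NAG||
BGP4MP|1226400000|A|10.0.0.1|64499|198.51.100.0/24|64499 64496 26780 26780 26780|IGP|10.0.0.1|0|0||NAG||
BGP4MP|1226439000|W|10.0.0.1|64499|192.0.2.0/24
BGP4MP|1226439000|W|10.0.0.1|64499|198.51.100.0/24
BGP4MP|1226739600|A|10.0.0.1|64499|192.0.2.0/24|64499 1299 26780|IGP|10.0.0.1|0|0||NAG||
BGP4MP|1226741000|A|10.0.0.1|64499|192.0.2.0/24|64499 64498 26780|IGP|10.0.0.1|0|0||NAG||
BGP4MP|1226743200|W|10.0.0.1|64499|192.0.2.0/24
BGP4MP|1226750000|A|10.0.0.1|64499|203.0.113.0/24|64499 1299 64500|IGP|10.0.0.1|0|0||NAG||
"""


def parse_update(line: str) -> Optional[dict]:
    """Parse one `bgpdump -m` line into a dict; return None for lines we do not use."""
    f = line.strip().split("|")
    if len(f) < 6 or f[0] != "BGP4MP" or f[2] not in ("A", "W"):
        return None
    rec = {"ts": int(f[1]), "kind": f[2], "prefix": f[5], "path": []}
    if f[2] == "A":
        if len(f) < 7:
            return None
        # AS sets appear as "{64512,64513}"; keep only plain ASNs.
        rec["path"] = [int(tok) for tok in f[6].split() if tok.isdigit()]
    return rec


def origin_and_upstream(path: List[int]) -> Tuple[Optional[int], Optional[int]]:
    """Return (origin, upstream) of an AS path, ignoring prepending of the origin."""
    if not path:
        return None, None
    origin = path[-1]
    for asn in reversed(path):
        if asn != origin:
            return origin, asn
    return origin, None  # path consists of the origin only


def track_origin(lines, origin: int = TARGET_ORIGIN) -> List[Tuple[str, int, str, Optional[int]]]:
    """Replay updates and emit (event, ts, prefix, asn) for prefixes originated by `origin`.

    Events: 'up' (first seen; asn = upstream), 'upstream_change' (same origin, new
    transit AS; asn = new upstream), 'down' (withdrawn; asn = None) and
    'reoriginated' (now announced with another origin; asn = that origin).
    """
    visible: Dict[str, Optional[int]] = {}  # prefix -> current upstream
    events: List[Tuple[str, int, str, Optional[int]]] = []
    for line in lines:
        rec = parse_update(line)
        if rec is None:
            continue
        prefix, ts = rec["prefix"], rec["ts"]
        if rec["kind"] == "W":
            if prefix in visible:
                del visible[prefix]
                events.append(("down", ts, prefix, None))
            continue
        path_origin, upstream = origin_and_upstream(rec["path"])
        if path_origin == origin:
            if prefix not in visible:
                events.append(("up", ts, prefix, upstream))
            elif visible[prefix] != upstream:
                events.append(("upstream_change", ts, prefix, upstream))
            visible[prefix] = upstream
        elif prefix in visible:
            # Someone else now originates a prefix we were tracking.
            del visible[prefix]
            events.append(("reoriginated", ts, prefix, path_origin))
    return events


def format_event(ev: Tuple[str, int, str, Optional[int]]) -> str:
    kind, ts, prefix, asn = ev
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    via = "" if asn is None else f" (AS{asn})"
    return f"{stamp}  {prefix:<18} {kind}{via}"


if __name__ == "__main__":
    for event in track_origin(SAMPLE_UPDATES.splitlines()):
        print(format_event(event))
```

This replays a single peer's view, which is what one BGPlay panel shows as well; to judge how widely a re-announcement propagated you would run the same logic over several collectors and start from a RIB dump (`TABLE_DUMP2` lines) rather than from an empty table.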

By the way, on 11/21/2008 one of the largest distributed denial-of-service attacks so far became public. The attackers targeted the German hosting company InternetX with more than 40,000 bots and 800,000 packets per second, reaching a total bandwidth of 20 Gbit/s at peak. It is difficult to say whether the attack was carried out using McColo-controlled botnets. Interestingly, the number of requests to the blacklist once more decreased heavily on 11/21/2008 and the following day.

decrease in spam on 11/21/2008 due to a large DDoS

This might be because those bots stopped spamming while they were participating in the DDoS attack.

Christian J. Dietrich
Professor of Computer Security