More unscrupulous ISPs taken down

Date : December 05, 2008

On November 10th, the service provider "McColo" (www.mccolo.com) disappeared from the Internet when its upstream providers decided to cut its Internet connections. McColo is a US company that provides web hosting services. It is well known for unscrupulously hosting the businesses of spammers and virus writers. It is quite usual to find on McColo servers:

  • Spam and DDoS command and control (C&C) servers
  • Trojans and backdoors installed by viruses on infected computers.

After McColo was unplugged, several spam-fighting companies (including IronPort, SpamCop and Marshal) reported a major drop (35% to 50%) in the spam traffic seen on the Internet. The action against McColo was apparently triggered by Mark Kreb (an IT journalist who writes the "SecurityFix" blog at the Washington Post), who contacted McColo's upstream providers to report the rogue activities running on McColo servers. A detailed report about these activities was also released recently by www.hostexploit.com.

The shutdown of McColo is not the first event of that type:

  • At the end of September, the US Internet hosting company "Atrivo" (also known as "Intercage") was also shut down when network peers refused to route its network traffic. A significant drop in spam volume was also noticed. That shutdown occurred shortly after www.hostexploit.com published another detailed report about Atrivo's rogue activities.
  • A year ago (in November 2007), the RBN (Russian Business Network) infrastructure in St Petersburg was also shut down shortly after the publication of a report about its malicious activities.

Separately, ICANN announced this month that it will terminate the accreditation given to EstDomains.com (an Estonian DNS registrar) because of the conviction for credit card fraud that the Estonian Court handed down against EstDomains' president. EstDomains is also notorious for registering many of the domain names used for spam, online pharmaceutical sales or malicious software.

All these events show that actions to stop unscrupulous ISPs are becoming more frequent and produce significant results. Of course, the crooks who use these ISPs will move their business to other providers, and the drop in spam seen these days is surely an ephemeral phenomenon. Still, it is encouraging to see these results, and it is now proven that unscrupulous ISPs cannot do their business with complete impunity.

 
