New tack cuts spam drastically

Menn is a Times staff writer.

Microsoft Corp. founder Bill Gates’ 2004 proclamation that the spam problem would be solved within two years has proved a bitter joke, with unsolicited messages doubling yearly to make up about 90% of mail transmitted on the Internet.

But this week, the tide turned. The number of unwanted, offensive and misleading e-mails sent across the globe plummeted by about two-thirds, to a mere 60 billion or so a day by Thursday, according to spam filtering companies.

The surprising respite had very little to do with the hundreds of millions of dollars that corporations and consumers have spent on anti-spam software or with the lawsuits and criminal cases brought against spammers in the last decade.


Instead, a ragtag band of researchers pulled off the unprecedented coup of drastically cutting the spam volume by adopting a new strategy: going after mainstream U.S. companies that can unknowingly help spammers, identity thieves and child porn purveyors by carrying their traffic on the Internet.

Few expect the relief to last. The major anti-virus firm Symantec Corp. predicted a return to the previous level by Christmas.

“Enjoy it while you can,” said Doug Bowers, the company’s senior director of anti-abuse engineering.

But the rare victory gives hope to those combating spam and other “malware” by showing that even as the bad guys get smarter, new strategies can make a difference.

“I’m not under the illusion that it’s going to last forever, but it’s nice to have these small victories,” said Paul Ferguson, an advanced threat researcher at software security company Trend Micro Inc. who contributed to the effort.

He and other analysts circulated a dense report Wednesday that blamed some companies for allowing spam to proliferate. Two big providers of Internet connections named in it -- Hurricane Electric Internet Services and Global Crossing Ltd. -- acted quickly to cut ties to the core subject of the document, a little-known Silicon Valley company called McColo Corp. that rents out servers to clients.

The researchers didn’t say whether McColo knowingly aided criminals, but they described some of the nefarious activities conducted on some websites the company hosted. Among other things, McColo reportedly enabled its customers to control vast networks of hijacked computers to send spam and take payments for fake anti-virus software.

“We got the report, and it looked pretty damning,” said Benny Ng, director of infrastructure at Hurricane Electric, of Fremont, Calif. “They were a client of ours, and we turned them off.”

Global Crossing did the same thing, security researchers said, though it didn’t respond to interview requests.

McColo didn’t answer messages seeking comment, and its website was off-line late Thursday. The company is now under FBI scrutiny, people familiar with the case said. An agency spokesman said the FBI wouldn’t confirm or deny an active investigation.

Among other things, the researchers alleged that McColo operated servers that were used to control armies of drone computers that sent spam and siphoned financial information from those computers’ owners, as well as servers used in offering child pornography.

The criminal groups that allegedly used McColo are largely believed to be based overseas. The groups now have to find other service providers.

“They’re just like cockroaches; they’ll scurry and set up operations other places,” Ferguson said. “We’re watching them do it, and maybe we’ll be able to identify who is pulling the strings in Eastern Europe.”

Several other contributors to the report, published at, were identified by first name only, and its editor uses a pseudonym, Jart Armin. Some researchers don’t want to cause controversy for their various corporate employers, while others fear physical harm from organized criminal groups behind child porn and fraudulent activity.

“The majority of the mainstream does care,” said Armin, who described himself as a financial services security consultant. “As the community, we need to continuously remind or shame the others into caring. When the industry takes a proactive stance, many of the problems can be resolved.”

Members of the band have different specialties, including tracing Internet traffic, analyzing how malicious software works and attributing spam to specific groups.

What they have in common is frustration -- at the enormous problems U.S. law enforcement has in pursuing suspects overseas; at the cloak of plausible deniability that allows bad operators to keep doing business with larger and more reputable firms; and at the inability of software to prevent consumers from being ripped off.

Unfortunately, the new approach would have been far more effective a few years ago. Server hosting companies and high-speed Internet providers are now easier to find around the world. And drone armies of computers can now be operated without having a single machine in charge, making them less vulnerable to a fatal beheading.

A September effort by Armin’s team focused on another hosting company, Atrivo/Intercage, and when major Internet carriers dropped that company, spam fell 10%. Some Atrivo/Intercage customers switched to McColo, the new report says, and the volume went back up. More reports are being prepared.

“People thought the first community-source effort was a fluke,” Ferguson said. “Now they see with McColo, it’s not a fluke. The community can police its own backyard and purge the badness.”