McColo explained

McColo
Industry:Web hosting service
Fate:Shutdown
Predecessors:-->
Successors:-->
Founded: in San Jose, California, United States
Founder:Nikolai "Kolya" McColo[1]
Hq Location City:San Jose, California
Hq Location Country:United States
Areas Served:-->
Owners:-->

McColo was a US-based web hosting service provider[2] that was, for a long time, the source of the majority of spam-sending activities for the entire world.[3] In late 2008, the company was shut down by two upstream providers, Global Crossing and Hurricane Electric, because a significant amount of malware and botnets had been trafficking from the McColo servers.

History

McColo was formed by a 19-year-old Russian hacker and student named Nikolai. Nikolai's nickname was "Kolya McColo"; hence the name of the provider.[4]

Malware traffic

At the time of termination of its upstream service on November 11, 2008, it was estimated that McColo customers were responsible for a substantial proportion of all email spam then flowing[5] and subsequent reports claim a two-thirds or greater reduction in global spam volume.[6] This reduction had been sustained for some period after the takedown.[7] McColo was one of the leading players in the so-called "bulletproof hosting" market — ISPs that will allow servers to remain online regardless of complaints.

According to Ars Technica and other sources, upstream ISPs Global Crossing and Hurricane Electric terminated service when contacted by Brian Krebs and The Washington Post’s Security Fix blog,[8] [9] but multiple reports had been published by organisations including SecureWorks, FireEye and ThreatExpert, all naming McColo as the host for much of the world's botnet traffic.[10] [11] [12] [13] According to Joe Stewart, director of malware research for SecureWorks, the Mega-D, Srizbi, Pushdo, Rustock and Warezov botnets all hosted their master servers at McColo; numerous complaints had been made but McColo simply moved offending servers and sites to different subnets. Spamhaus.org reportedly finds roughly 1.5 million computers infected with either Srizbi or Rustock sending spam in an average week.

Following the shut down, details began to emerge of the ISP's other clients, which included distributors and vendors of child pornography and other criminal enterprises, including the Russian Business Network.[14]

McColo gained reconnection briefly on November 19, 2008 via a backup connection agreement common in the industry, but was rapidly shut down again.[15]

The McColo takedown especially affected Srizbi, one of the world's largest botnets, controlling 500,000 infected nodes as of November 2008.[16]

Symantec's monthly state of spam report for April 2009 stated that spamming was now back to what it was before McColo was taken offline. Due to botnets being created and old ones being brought back online, it estimated that about 85 percent of all email traffic is spam.[17] [18] By November 2009 the IP space used by McColo was still largely unused, as much of it was unattractive to buyers due to being widely blacklisted.

See also

External links

Notes and References

  1. Book: Krebs , Brian . Spam Nation. Sourcebooks. 2014. 43. 2017-06-19. 9781402295621.
  2. News: Host of Internet Spam Groups Is Cut Off. Krebs. Brian. November 12, 2008. Washington Post . January 27, 2009.
  3. News: Security Fix - A year later: A look back at McColo . 2019-08-20.
  4. Carr, Jeffrey. Inside Cyber Warfare: Mapping the Cyber Underworld. O'Reilly Media, Inc., 2009,, pg. 127.
  5. https://www.theregister.co.uk/2008/11/12/mccolo_goes_silent/ McColo goes silent
  6. http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_drop_by_23_after.html Spam Volumes Drop by Two-Thirds After Firm Goes Offline
  7. http://bits.blogs.nytimes.com/2009/03/31/spam-back-to-94-of-all-e-mail/ Spam Back to 94% of All E-Mail
  8. http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html A Closer Look at McColo
  9. https://arstechnica.com/news.ars/post/20081112-spam-sees-big-nosedive-as-rogue-isp-mccolo-knocked-offline.html Spam sees big nosedive as rogue ISP McColo knocked offline
  10. Web site: Stewart. Joe. The Return of Warezov. SecureWorks. 25 February 2016.
  11. http://blog.fireeye.com/research/2008/10/mccolo-hosting-srizbi-cc.html#more FireEye
  12. http://www.threatexpert.com/report.aspx?uid=745bcad4-9f9d-4a32-ba95-7cb7d5fc14f8 ThreatExpert
  13. https://www.secureworks.com/research/warezov
  14. https://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html Washington Post
  15. https://arstechnica.com/news.ars/post/20081119-mccolo-reconnect-highlights-network-security-gap.html McColo reconnect highlights network security gap
  16. https://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/ Srizbi returns from the dead
  17. http://www.techradar.com/news/internet/spammers-recovering-from-mccolo-shutdown-591118 Spammers recovering from McColo shutdown
  18. https://web.archive.org/web/20090424100315/http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_04-2009.en-us.pdf State Of Spam for April 2009