
Spam Volumes Plummet After Atrivo Shutdown

Security Fix has spilled quite a bit of digital ink chronicling the demise of Atrivo (a.k.a. "Intercage"), a now-defunct Northern Calif.-based Internet service provider that served as home base for a large number of cyber criminal operations. Happily, data released this week about a short-lived but precipitous decline in the level of badness online after Atrivo was shut down illustrates just how bad Atrivo was.

[Image: atrivobadness.jpg, the MessageLabs chart of spam volume by botnet]

Internet security firm MessageLabs said it observed a significant drop in the level of spam and botnet activity (PDF) after Atrivo's upstream Internet providers pulled the plug on the company last month. The graphic to the right shows a collapse in the level of spam emanating from computers infected with some of the nastiest spam-enabling malware, including the Storm worm, Cutwail, Srizbi and MegaD.

MessageLabs said the decline was due to the fact that a large number of command and control networks used to control these distributed malware spam systems were located on servers on Atrivo's network.

While the criminals operating those spam networks have since migrated their operations to other providers, it is gratifying to see how a little bit of awareness-raising on the sources of cyber crime can at least temporarily disrupt these operations and potentially increase their costs.

By Brian Krebs  |  October 9, 2008; 1:33 PM ET
Categories:  Cyber Justice , Fraud , From the Bunker , Web Fraud 2.0  

Comments

Brian, I'm hoping you can help me out.

I'm running XP Home, SP3, Norton 360, AdAware and Spybot. I have an ADSL connection that works fine in the early morning.

I'm in Italy and 6 hours ahead of your time. So at 8:30 pm here there is probably heavy web usage by Italians after a nice dinner meal.

At that time I try to get the news/blogs on the WaPo but lately it's really slow and my Firefox shows I'm being directed to mbox12.offermatica.com and then omniture.secure.miisolutions.net before I get to the page I want or to your blog. Has my PC been hi-jacked or is it only due to heavy usage in my area?

I'd appreciate your thoughts. Thanks.

Posted by: Verona, Italy | October 9, 2008 2:48 PM

Congrats & Nice work Security Fix!

Posted by: Mel | October 9, 2008 2:48 PM

Some additional dissection of Storm here, and it also wonders if Storm is dead or just regrouping, likely the latter:
http://www.sudosecure.net/archives/264

Posted by: TeMerc | October 9, 2008 2:57 PM

I was wondering why the volume of spam I see fell sharply during that timeframe... now I know. Unfortunately, the crooks have indeed gone elsewhere and are back to filling my inbox (or at least my spam filters) with their typical garbage.

Posted by: John | October 9, 2008 3:19 PM

Verona, Italy

Try the Adblock Plus plugin for Firefox? I believe you're hung up on the ads....

Posted by: JkR | October 9, 2008 4:07 PM

Thanks for tracking this! I did have a question though -- from that graphic there, it looks like virus/spam/botnet activity dropped during the selected period, but actually rose afterward to higher levels. Can you explain what happened there?

Posted by: Chris | October 9, 2008 4:31 PM

Chris,

The spike after the shutdown was spammers trying to make up for the loss. The requests were queued, and when the spammers changed networks, the queues unloaded.

Posted by: Mike M | October 9, 2008 4:39 PM

Actually, there is an easy way to detect a phishing website by checking its IP address. A phishing website cannot fake its IP address as, for example, Bank of America's IP address. This is because of Internet backbone routing. If this phishing website fakes its IP address by using BankofAmerica's IP, then IP packets will be routed to BankofAmerica instead of the phishing website. By checking a website's IP address against a white list of trusted banks' IP addresses, a phishing website can be easily identified.

Posted by: Daniel | October 10, 2008 2:05 AM

Internet Email has a header that contains the IP address of the sender (RFC 2821). This IP address is logged by the receiving SMTP server, so the sender cannot fake or modify this information. By checking this IP address, we can identify the true sender domain. For example, if an Email says it is from BankofAmerica but the IP address belongs to MSN, then we know this Email is Spam.

Posted by: daniel | October 10, 2008 2:26 AM
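The check daniel describes, worked through as an added example (not code from the post or the commenter): read the Received line that our own mail server wrote, pull out the connecting IP, and compare it with the netblocks we expect mail for the claimed From domain to come from. The domain names and netblocks are constructed placeholders, and only the topmost Received line is trusted, because every line below it arrived inside the message and can be forged by the sender.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed table: netblocks from which mail for each domain is expected.
# Hypothetical values, not any real bank's or ISP's address space.
EXPECTED_NETBLOCKS = {
    "bankofamerica.example": [ipaddress.ip_network("203.0.113.0/24")],
}

# Matches the bracketed IPv4 literal that SMTP servers write into Received.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str) -> Optional[str]:
    """IP from the topmost Received header, i.e. the one our server added."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    match = _RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def sender_domain(raw_message: str) -> str:
    """Domain part of the From address the message claims."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(raw_message: str) -> str:
    """'ok' if the connecting IP is in the claimed domain's netblocks,
    'mismatch' if it is not, 'unknown' if we have no data to decide."""
    blocks = EXPECTED_NETBLOCKS.get(sender_domain(raw_message))
    ip = connecting_ip(raw_message)
    if blocks is None or ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    return "ok" if any(addr in block for block in blocks) else "mismatch"


# Constructed sample: claims to be from the bank, but our server saw it
# arrive from 198.51.100.7; the second Received line was supplied by the
# sender and is ignored even though it names a bank-range address.
SAMPLE_SPOOF = """\
Received: from mail.bankofamerica.example ([198.51.100.7]) by mx.local; Thu, 9 Oct 2008 14:00:00 +0000
Received: from internal.bankofamerica.example ([203.0.113.5]) by mail.bankofamerica.example
From: Alerts <alerts@bankofamerica.example>
Subject: Account notice

Please verify your account.
"""
```

The same message with the connecting IP inside 203.0.113.0/24 classifies as "ok", and a From domain absent from the table yields "unknown" rather than a verdict.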

The WAPO web site is one of the slowest loading that I encounter in my daily news surfing... Seems to be built into the WAPO site, not virii..

Dr. O

Posted by: Dr. O | October 10, 2008 7:55 AM

To Verona, Italy.

I'm in Alexandria, Va. just minutes away from WashingtonPost.com's headquarters in Arlington and I have the exact same problems that you do. My Firefox shows some of the same redirections that you're getting.

And JkR,
I AM running Adblock Plus with the latest version of Firefox and WaPo is still the slowest-loading Website that I visit all day.

I concur with Dr. O - the slowest Website - each page load is time enough for scanning another Website while waiting.

I have complained to several staff members of WaPo.com and just asked "WHY?", to no avail. I find myself at the NYTimes.com site more frequently these days.

Posted by: mhamner1 | October 10, 2008 10:34 AM

One of the big slow-downs with WAPO is the extraordinary number of third-party cookies that the site spews out. I block third-party cookies, and I sometimes find that I can't load a page because I won't accept these cookies, so the entire load process stops. I just move on somewhere else. I don't mind session cookies and so on, but I see no reason to accept the rest.

Posted by: HUDAHAR | October 10, 2008 10:54 AM

Thanks for all the suggestions to help me speed up the WaPo site. I've installed Adblock Plus add-on and now I can see that on this page alone there are more than 70 "blockable" items. That's somehow not in line with what a regular WaPo reader would expect from the paper.

Posted by: Verona, Italy | October 10, 2008 11:38 AM

My computer hard drive was deleted by a tech in India who could not fix the problem. I lost my free anonymous software (Jap or Jap-Jar). Can you give me the website to retrieve it? I know it was from dresden.de but not the complete address. If I want someone to have my address, I'll give it to them.

Posted by: redhotpapasan | October 11, 2008 1:28 AM

I use XP, Firefox 3.0.3 and Noscript. WaPo slowly loads, then 1-2 seconds later, reloads. Highly irritating.

Posted by: D.R. | October 11, 2008 8:09 PM

There was a large drop in most "badness" on the 17-19th as well, according to that diagram.

A bit hyped, this story?

Posted by: Puzzled | October 13, 2008 4:09 AM

But without units on the y axis, the chart really isn't of much value.

Start here:
http://en.wikipedia.org/wiki/How_to_Lie_with_Statistics

Posted by: John | October 13, 2008 8:01 AM

Now that the subject has been brought up (WaPo site slowness), I agree with above posts. Why go to a site that is so slow? Of course, for this blog, note that the ads load first; useful text, last!

@ John, take a read of "Lies, Damn Lies, and Statistics" by Joel Best, and the sequel. Lying using statistics is an art form, for sure.

Posted by: Pete from Arlington | October 14, 2008 10:06 AM

Ooops, forgot to mention those damned pop-behinds the WaPo site can't seem to do without. A plague on them!

Posted by: Pete from Arlington | October 14, 2008 10:09 AM

I'm glad the Spam dropped, but from the graph it appears that drops of that magnitude occur regularly and that this is indistinguishable from a random fluctuation. The post-drop increase is probably more significant statistically.

Posted by: Bill | October 14, 2008 10:25 AM

Re: omniture.secure.miisolutions.net

I noticed this for the first time today in Firefox. Sites, including WaPo, would hang when loading for the first time, and this was the URL in the status bar.

It also appeared to be blocking youtube and apple.com - they would just time out.

I manually added it as a filter to Ad Block Plus, and voila, no more page load issues. Bloomberg also loads a lot faster now, but that could be because it is now after trading hours.

It is owned by Mirror Image Internet (mirror-image.net) which looks to be legit. Perhaps they recently messed something up on their end and are not aware of it yet.

Posted by: Dingo | October 14, 2008 6:10 PM


© 2010 The Washington Post Company