Network News

X My Profile
View More Activity

Spam Volumes Drop by Two-Thirds After Firm Goes Offline

The volume of junk e-mail sent worldwide plummeted on Tuesday after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline. (Note: A link to the full story on McColo's demise is available here.)


Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day.

In an alert sent out Wednesday morning, e-mail security firm IronPort said:

In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening.'s graphic shows a similar decline, from about 40 spam e-mails per second to around ten per second -- if I'm reading that graphic correctly.


A number of other spam-fighters today reported a similar drop in junk e-mail volumes. I heard from a reader named Martin who works at a small hosting facility in Germany. He wrote in after noticing a lack of spam banging on his company's e-mail servers. He sent in this graphic and asked that we not use his full name or identify his employer.

Security Fix reader Ted wrote in to say his small Internet service provider also charted a massive collapse in spam volumes yesterday and into today. Ted, who also requested we use only his first name, writes:


Dear Mr. Krebs,

Thank you for your outstanding contribution to bringing down McColo Corp.

I can clearly see the impact you've had, by looking at the spam graph of the small ISP which hosts the web site [omitted] for me:

The daily 15 minute graph reports the rate of spam over a 29 hour period. Time is UTC. As I write, it is about 12:00 UTC, and detected spam is arriving at less than half the rate of the same time yesterday.

The world saw a similar -- if short-lived -- drop in spam volumes in September, following the demise of Intercage, a.k.a. "Atrivo," another Northern California based ISP that security experts identified as a major source of badness online. In that case, it only took the spammers a few days to find a new home. It seems likely that the same will happen in this case as well, and that this minor victory will be short but sweet.

Nilesh Bhandari, product manager with IronPort, said the company sees an average of about 190 billion spam e-mails each day. Then, at around 4:30 p.m. ET yesterday, IronPort saw a huge decline in spam levels. For the 24 hour period ending Tuesday, the company tracked about 112 billion spam messages.

Bhandari said he expects the spam volume to recover to normal levels in about a week, as the spam operations that were previously hosted at McColo move to a new home.

"We're seeing a slow recovery," Bhandari. "We fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season."

By Brian Krebs  |  November 12, 2008; 1:07 PM ET
Categories:  Cyber Justice , Economy Watch , Fraud , From the Bunker , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Major Source of Online Scams and Spams Knocked Offline
Next: A Closer Look at McColo


I was wondering why I was getting some relief (though I can't graph it for you at the moment). I'll enjoy the relative peace while it lasts - thanks for the efforts, folks...

Posted by: joearchaeologist | November 12, 2008 2:12 PM | Report abuse

Thanks for the info, graphs, and links, Brian! Heck of an answer!

Posted by: featheredge9 | November 12, 2008 4:53 PM | Report abuse


That is fantastic news but can you help me with this huge problem? Splogging. I have 2-4 sploggers ripping my content off every day. Is that diminishing my page rank? Does Google look at my content as the originator or duplicate?

I understand the process of trying to shut them down but it is both very long and archaic. In addition I have been informed that my sploggers are generating ad dollars to Google and Google therefore has little incentive to remove or "deindex" them.

Any ideas are much appreciated.

Dean Guadagni

Posted by: dean_guadagni | November 12, 2008 6:39 PM | Report abuse

Thanks Brian for a job well done!

Posted by: mcs2 | November 12, 2008 9:00 PM | Report abuse

Hi Brian,

Interesting you do not mention how McColo was being used, or more specifically by what malware ... =)

Posted by: Fyyre | November 12, 2008 9:01 PM | Report abuse

I just ran the reports on our barracuda. Our volume Nov 4-5 for spam was ~3200 filtered messages, and for the 24 hours that just ended, it dropped to around 1600.

I'm glad that getting covered by the Post will at least change the behavior of US colo facilities.

Posted by: roustabout | November 12, 2008 9:18 PM | Report abuse

Pardon, I meant "bandwidth providers," not (necessarily) colo facilities. Though, if they want to stay afloat, the colos will have to change their behavior also.

But getting the bandwidth resellers, especially Hurricane Electric, to pay attention: wow! HE has been a problem child for a very long time.

Posted by: roustabout | November 12, 2008 9:20 PM | Report abuse

Fyyre -- Have you seen the story? There are several links there to specific malware examples researchers found phoning home there.

e.g., here, 2nd page of the story: "Multiple security researchers have recently published data naming McColo as the host for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online. These include SecureWorks, FireEye and ThreatExpert."

Click the links in that paragraph and you'll see some of the bigger examples: Mega-D, Srizbi, Pusdo/Cutwail. Rustock, et. al.

I had meant to put up more supporting blog posts today, but got slammed with other stuff. Stay tuned.

Posted by: Brian Krebs | November 12, 2008 10:27 PM | Report abuse

What's up with the new Firefox update, BK?

Posted by: Heron | November 13, 2008 9:43 AM | Report abuse

Hi Brian,

I think Paul Ferguson's opinion is a valid one. Much of this has been known for quite some time:


Posted by: Fyyre | November 13, 2008 7:32 PM | Report abuse

In a word, you get


This is brilliant work. You may rate with Woodward and Bernstein!

Posted by: privacy2 | November 15, 2008 8:37 AM | Report abuse

Good work on this story! However, I'm not sure that using SpamCop to support IronPort is the best reporting. IronPort owns SpamCop. They share the same spam database.

Posted by: Ag2000CO | November 18, 2008 10:41 AM | Report abuse

And shortly thereafter, I received three phoney announcements that told me of my great good fortune in winning thousands of dollrs or similar inducement to give my vitals on three successive days. These were done by amatures, and probably from or controlled by a single source.My guess is that each letter constitutes attempted fraud; misrepresentation; conspiracy to steal my identity. These are serious crimes; and should be pursued promptly ansd diligently by the FBI.

Posted by: tao99 | November 19, 2008 12:20 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company