The Fallout from the 3FN Takedown
The Federal Trade Commission's unprecedented recent takedown against troubled Web hosting provider 3FN.net has had an immediate -- if little noticed -- impact on the level of spam sent worldwide, and the number of infected PCs doing the spamming, according to multiple sources.
Experts say the drop in spam probably is not visible to most Internet users or even operators of large networks, as the decrease is within the upper ranges of daily fluctuations in spam volumes. Still, the preliminary results indicate that a large number of spam-spewing zombie PCs were being coordinated out of servers hosted at 3FN.
According to botnet expert Joe Stewart, director of malware research at Atlanta-based SecureWorks, 3FN was home to a large number of command-and-control servers for the Cutwail spam botnet, one of the world's largest. As of last week, Stewart said he was tracking upwards of 400,000 spam zombies infected with Cutwail and sending spam. When I caught up with Stewart again on Monday, he said the number of Cutwail-infected PCs actively spamming was fluctuating between 120,000 and 150,000.
"Since so many of the Cutwail controllers [that were at 3FN] were taken down, we can assume that either the bots that were talking to the controllers there no longer have a controller and they're orphaned, or two, they have fallback control servers that are just getting overloaded at the moment," Stewart said.
As for whether the 3FN takedown had an impact on overall spam levels, it depends on whom you ask. Symantec's Dermot Harnett writes that a repeat of the spam volume decline observed following the closure of McColo in November 2008 is not expected in this case. Dmitri Alperovitch, vice president of threat research at McAfee, said the company is tracking record levels of spam at the moment.
Anti-spam experts at Spamhaus.org say the 3FN shutdown "caused an immediate precipitous collapse" in Cutwail spam. "However, as it was only one spambot of many, its collapse is not particularly apparent in total spamtrap flow."
Below you can see two graphics showing the decline in spam sent by Cutwail. Following that is a third graph that depicts Spamhaus's view of the total spam volume for the last week, which shows how the kneecapping of Cutwail is hardly noticeable amid the overall spam volume fluctuations.
Jose Nazario, a senior security researcher at Arbor Networks, published data today suggesting that spam actually went up dramatically on June 4, the day the FTC announced its action against 3FN. The following graphic shows the top 50 countries sending messages to Arbor's spam traps, sorted by unique sending Internet address and subject.
Meanwhile, a large number of Webmasters who had sites hosted at 3FN before its shutdown have been protesting the company's closure. This webmaster forum, Google translated from Russian into English, offers 40-plus pages of this discussion for anyone who cares to read it.
Also, in an order filed by U.S. District Judge Ronald Whyte, for the Northern District of California, the court notes that since issuing the temporary restraining order that shut down 3FN's hosting servers in San Jose, Calif., last week, "the court has received communications from third parties who were using the defendant's hosting services for the third parties' Web sites. These communications raise a significant concern that there may be a number of innocent third parties who are suffering harm as a result of the temporary restraining order."
Since our story ran, I've heard from a couple of readers who had sites hosted at 3FN. One of those is Suren Ter-Saakav, a Russian native who now lives in a suburb of Philadelphia. Ter-Saakav said his site www.denaq.com -- which sells batteries -- was among those that were knocked offline when the FTC shuttered 3FN.
"That site has been shut down and I have lost my client history and the history of orders," Ter-Saakav said, adding that he's concerned the FTC's action paints all Russian Webmasters in the same light. "Nobody mentioned that there were good Russian Webmasters there too."
The court has ordered (PDF) the FTC to file a proposal by close of business today that lays out a process for "expeditiously addressing concerns raised by third parties and minimizing any undue harm to innocent third parties." I will update this post with that proposal once it is filed.
Update, June 10, 11:34 a.m. ET: The FTC's proposed order is here. It calls on the court to appoint someone who can evaluate the claims of third parties whose data is stored on 3FN's servers, and "coordinate the release of copies of such data to third parties whose data does not appear to relate to the conduct prohibited by the court order that forced 3FN's Internet providers to pull the plug on the company.
June 9, 2009; 3:08 PM ET