On Fri, Dec 5, 2008 at 11:34 AM, <nanog-request@nanog.org> wrote:
> Message: 1
> Date: Fri, 05 Dec 2008 20:14:08 +0100
> From: Revolver Onslaught <revolver.onslaught@gmail.com>
> Subject: McColo and SPAM
> To: nanog <nanog@merit.edu>
> Message-ID: <49397D80.701@gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> Since McColo closed, we noticed the spam was far more intensive than before.
>
> However, it seems the amount of spam is similar to before.
>
> Do you feel the same?
>
> Many thanks,
> RO

It would seem that the sources of SPAM have merely moved since McColo was shut down and it's going to take some time for everyone's blackhole routes and RBL's to catch up. I have personally noticed a higher delivered spam content in my own email accounts.

Peter

--
ピーター
McColo hosted the command and control servers for spam botnets and didn't originate spam directly, at least primarily, according to my understanding.

- S

-----Original Message-----
From: Peter Serwe [mailto:peter.serwe@gmail.com]
Sent: Friday, December 05, 2008 3:49 PM
To: nanog@nanog.org
Subject: Re: McColo and SPAM

On Fri, Dec 5, 2008 at 11:34 AM, <nanog-request@nanog.org> wrote:
> Message: 1
> Date: Fri, 05 Dec 2008 20:14:08 +0100
> From: Revolver Onslaught <revolver.onslaught@gmail.com>
> Subject: McColo and SPAM
> To: nanog <nanog@merit.edu>
> Message-ID: <49397D80.701@gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> Since McColo closed, we noticed the spam was far more intensive than before.
>
> However, it seems the amount of spam is similar to before.
>
> Do you feel the same?
>
> Many thanks,
> RO

It would seem that the sources of SPAM have merely moved since McColo was shut down and it's going to take some time for everyone's blackhole routes and RBL's to catch up. I have personally noticed a higher delivered spam content in my own email accounts.

Peter

--
ピーター
Certainly, I have seen a perceptual, yet completely subjective increase.

I know major operators who have claimed to see a gigantic decrease.

Peter

On Fri, Dec 5, 2008 at 12:51 PM, Skywing <Skywing@valhallalegends.com> wrote:
> McColo hosted the command and control servers for spam botnets and didn't originate spam directly, at least primarily, according to my understanding.
>
> - S
-- ピーター
We experienced exactly no decrease with the McColo shut down a few weeks back, even though we receive 2M+ messages per day. It's interesting that each service provider's spam populations are as different as they are. Some experienced gigantic decreases, others didn't. And it's not like we have just one domain.

I know MessageLabs examines spam rates per industry type.

Frank

-----Original Message-----
From: Peter Serwe [mailto:peter.serwe@gmail.com]
Sent: Friday, December 05, 2008 2:57 PM
To: Skywing
Cc: nanog@nanog.org
Subject: Re: McColo and SPAM

Certainly, I have seen a perceptual, yet completely subjective increase.

I know major operators who have claimed to see a gigantic decrease.

Peter

On Fri, Dec 5, 2008 at 12:51 PM, Skywing <Skywing@valhallalegends.com> wrote:
> McColo hosted the command and control servers for spam botnets and didn't originate spam directly, at least primarily, according to my understanding.
>
> - S
-- ピーター
We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it mirrors spamhaus amongst other things.

The numbers are in 1000s of 1000s per 5 minute window. (so 2500k = 2.5m)

You can see a dramatic decrease that corresponds with them going offline and then the spam level gradually coming back, but it's certainly not back full tilt yet.

Paul

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A, Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

________________________________________
From: Frank Bulk [frnkblk@iname.com]
Sent: 06 December 2008 03:33
To: 'Peter Serwe'; Skywing
Cc: nanog@nanog.org
Subject: RE: McColo and SPAM

We experienced exactly no decrease with the McColo shut down a few weeks back, even though we receive 2M+ messages per day. It's interesting that each service provider's spam populations are as different as they are. Some experienced gigantic decreases, others didn't. And it's not like we have just one domain.

I know MessageLabs examines spam rates per industry type.

Frank

-----Original Message-----
From: Peter Serwe [mailto:peter.serwe@gmail.com]
Sent: Friday, December 05, 2008 2:57 PM
To: Skywing
Cc: nanog@nanog.org
Subject: Re: McColo and SPAM

Certainly, I have seen a perceptual, yet completely subjective increase.

I know major operators who have claimed to see a gigantic decrease.

Peter

On Fri, Dec 5, 2008 at 12:51 PM, Skywing <Skywing@valhallalegends.com> wrote:
> McColo hosted the command and control servers for spam botnets and didn't originate spam directly, at least primarily, according to my understanding.
>
> - S
-- ピーター
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Dec 5, 2008 at 11:10 PM, Paul Kelly :: Blacknight <paul@blacknight.com> wrote:
> We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it mirrors spamhaus amongst other things.

McColo was just an exercise in "managing" cyber crime operations in the U.S.

Please do not be distracted by the whole "spam" issue, it's just a byproduct of a much larger criminal operation.

What this community should really be discussing is how to deal with these issues in a collaborative manner, because that is exactly what is needed to combat it.

$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJOit+q1pz9mNUZTMRApsmAKDiMWX7DFUCNxcGku6kOPex5NlW9wCdEMAb
TPtpX7pW20Tl6TgPeudjgP0=
=n4cP
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Paul,

I read Gregg Keizer's piece in CW where FireEye's Fengmin Gong is quoted as "We have registered a couple hundred domains," Gong said, "but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."

Now interposing on the Srizbi system's attempt to communicate shouldn't be signing up to do an unlimited number of $6 buys from VGRS plus the overhead to ICANN and a registrar, after all, it is likely that Srizbi isn't using real money to do its domain buys ... so I wrote to the dead mailbox at Gong's company to ask for numbers, and if anyone in the registrar/registry business units knew why Gong's company was doing a couple hundred buys, and what T&C they were offered to keep Srizbi disconnected ... No response.

How many domains did FE register, through which registrar(s), and at any point did FE represent to the registrar(s) or to the registry (or registries) the purpose of the buys was to keep Srizbi disconnected? If the registrar(s) or registry(ies) were informed of the purpose of the buys, what response, if any, did they make to FE's representation?

I want to know what FE's burn rate was in prophylactic domain buys, and who told FE to let Srizbi resynch its C&C nodes with its bots.

I will discuss what I learn to the ICANN GNSO Council. If Keizer's even remotely correct on this point, then this is a "should never happen again" scenario where the GNSO can mandate registry, and registrar responses.

So yeah, collaboration would be good, but FE ain't taking my mail, so if this is ever going to go to registrar/registry policy land, it will have to find its own way there.

We just lost the unlimited 5 day "Add Grace Period" due to domainers and (some) registrars using it for tasting, and carving out a "prophylactic grace period" for things like this is possible, so that it becomes a no-charge to the interposing buy engine.

my two beads worth,

Eric

Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Dec 5, 2008 at 11:10 PM, Paul Kelly :: Blacknight <paul@blacknight.com> wrote:
>> We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it mirrors spamhaus amongst other things.
>
> McColo was just an exercise in "managing" cyber crime operations in the U.S.
>
> Please do not be distracted by the whole "spam" issue, it's just a byproduct of a much larger criminal operation.
>
> What this community should really be discussing is how to deal with these issues in a collaborative manner, because that is exactly what is needed to combat it.
>
> $.02,
>
> - - ferg
What's very interesting to me is the very rhythmic peaks-and-valleys you show... Seems to go up every day, down during the night; gradually rising mon-wed, slight drops thurs-fri, and then big drop sat, lower drop sun, and then jumps back on monday.

On 6 Dec 2008, at 02:10, Paul Kelly :: Blacknight wrote:
> We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it mirrors spamhaus amongst other things.
>
> The numbers are in 1000s of 1000s per 5 minute window. (so 2500k = 2.5m)
>
> You can see a dramatic decrease that corresponds with them going offline and then the spam level gradually coming back, but it's certainly not back full tilt yet.
>
> Paul
<aggregate-month.png>
The reason for that is our legit e-mail traffic pattern I guess. We probably see the same level of spam 24/7 but from 8am to 8pm GMT we'd get a lot of legit traffic from the few 100k pop3/imap/smtp users we have and as such you'd see the peaks and troughs caused by their usage.

Primarily they'd be Irish, but we'd have 10% or so in the UK/Rest of Europe as well, so they'd fit in with the 8-8 peaks.

Paul

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A, Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

-----Original Message-----
From: Neil [mailto:kngspook@gmail.com]
Sent: Saturday, December 06, 2008 1:33 PM
To: Paul Kelly :: Blacknight
Cc: Frank Bulk; 'Peter Serwe'; Skywing; nanog@nanog.org
Subject: Re: McColo and SPAM

What's very interesting to me is the very rhythmic peaks-and-valleys you show... Seems to go up every day, down during the night; gradually rising mon-wed, slight drops thurs-fri, and then big drop sat, lower drop sun, and then jumps back on monday.

On 6 Dec 2008, at 02:10, Paul Kelly :: Blacknight wrote:
> We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it mirrors spamhaus amongst other things.
>
> The numbers are in 1000s of 1000s per 5 minute window. (so 2500k = 2.5m)
>
> You can see a dramatic decrease that corresponds with them going offline and then the spam level gradually coming back, but it's certainly not back full tilt yet.
>
> Paul
participants (8)
- Brian Keefer
- Eric Brunner-Williams
- Frank Bulk
- Neil
- Paul Ferguson
- Paul Kelly :: Blacknight
- Peter Serwe
- Skywing