Spam Volumes Drop by Two-Thirds After Firm Goes Offline

The volume of junk e-mail sent worldwide plummeted on Tuesday after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline. (Note: A link to the full story on McColo's demise is available here.)

Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day.

In an alert sent out Wednesday morning, e-mail security firm IronPort said:

In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shut down, as reported by The Washington Post on Tuesday evening.

Spamcop.net's graphic shows a similar decline, from about 40 spam e-mails per second to around ten per second -- if I'm reading that graphic correctly.

A number of other spam-fighters today reported a similar drop in junk e-mail volumes. I heard from a reader named Martin who works at a small hosting facility in Germany. He wrote in after noticing a lack of spam banging on his company's e-mail servers. He sent in this graphic and asked that we not use his full name or identify his employer.

Security Fix reader Ted wrote in to say his small Internet service provider also charted a massive collapse in spam volumes yesterday and into today. Ted, who also requested we use only his first name, writes:

Dear Mr. Krebs, Thank you for your outstanding contribution to bringing down McColo Corp. I can clearly see the impact you've had, by looking at the spam graph of the small ISP which hosts the web site [omitted] for me: The daily 15 minute graph reports the rate of spam over a 29 hour period. Time is UTC. As I write, it is about 12:00 UTC, and detected spam is arriving at less than half the rate of the same time yesterday.

The world saw a similar -- if short-lived -- drop in spam volumes in September, following the demise of Intercage, a.k.a. "Atrivo," another Northern California-based ISP that security experts identified as a major source of badness online. In that case, it only took the spammers a few days to find a new home. It seems likely that the same will happen in this case as well, and that this minor victory will be short but sweet.

Nilesh Bhandari, product manager with IronPort, said the company sees an average of about 190 billion spam e-mails each day. Then, at around 4:30 p.m. ET yesterday, IronPort saw a huge decline in spam levels. For the 24-hour period ending Tuesday, the company tracked about 112 billion spam messages.

Bhandari said he expects the spam volume to recover to normal levels in about a week, as the spam operations that were previously hosted at McColo move to a new home.

"We're seeing a slow recovery," Bhandari said. "We fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season."