Last week the US Federal Trade Commission shut down a rogue ISP because it hosted a range of botnet command and control servers, malware, and child pornography. The ISP, known as 3FN (also as APS Telecom), was thought to be responsible for a number of spam botnet control servers, notably Pushdo/Cutwail, as discussed here. Indeed, in our previous analyses of Pushdo, we have seen bots connecting to the 3FN subnet.
The FTC documentation makes for interesting reading, especially transcripts of ICQ conversations between a 3FN employee and a customer:
3FN: Bro, I am on my way home. Shall we put off till tomorrow?
Customer: let's do tomorrow, we have not configured it today yet
3FN: I see, Do you have big botnet?
Customer: can reach 20k online, sometimes even more
3FN: what about geography?
Customer: will tell you for sure. 200k bots reached today, 15% of them are USA-Europe-Australia
3FN: I got it, that's somewhere normal
Customer: yep, bots are waiting for you)
3FN: it's a lot of f**king work
So did this shutdown have any impact on spam? Looking at our Spam Statistics from last week, we do see a dip of about 15% in our Spam Volume Index (SVI).
And spam originating from the Pushdo botnet indeed seems to be affected. The proportion of spam from Pushdo has dipped, along with Mega-D. Rustock seems completely unaffected.

Today, spam from Pushdo is still coming in to our spam traps, but at a much reduced rate.
So it’s another victory for the authorities. In terms of its impact on spam, the event is not quite in the same league as the McColo shutdown last November, when spam output was halved overnight, but it is still very welcome nonetheless. These people must be held to account wherever and whenever possible. Unfortunately, the spammers will probably not be deterred and we are likely to see a renewed assault on our inboxes before long.