McColo was a US-based

web hosting A web hosting service is a type of Internet hosting service that hosts websites for clients, i.e. it offers the facilities required for them to create and maintain a site and makes it accessible on the World Wide Web. Companies providing web h ...

service provider A service provider (SP) is an organization that provides services, such as consulting, legal, real estate, communications, storage, and processing services, to other organizations. Although a service provider can be a sub-unit of the organization t ...

that was, for a long time, the source of the majority of spam-sending activities for the entire world. In late 2008, the company was shut down by two upstream providers,

Global Crossing Global Crossing was a telecommunications company that provided computer networking services and operated a tier 1 carrier. It maintained a large backbone network and offered peering, virtual private networks, leased lines, audio and video confer ...

and

Hurricane Electric Hurricane Electric is a global Internet service provider offering internet transit, tools, and network applications, as well as data center colocation and hosting services at 2 locations in Fremont, California, where the company is based. Accord ...

, because a significant amount of

malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...

and

botnet A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its conn ...

s had been trafficking from the McColo servers.

History

McColo was formed by a 19-year-old Russian hacker and student named Nikolai. Nikolai's nickname was "Kolya McColo"; hence the name of the provider.

Malware traffic

At the time of termination of its

upstream Upstream may refer to: * Upstream (bioprocess) * ''Upstream'' (film), a 1927 film by John Ford * Upstream (networking) * ''Upstream'' (newspaper), a newspaper covering the oil and gas industry * Upstream (petroleum industry) * Upstream (software ...

service on November 11, 2008, it was estimated that McColo customers were responsible for a substantial proportion of all

email spam Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoida ...

then flowing and subsequent reports claim a two-thirds or greater reduction in global spam volume. This reduction had been sustained for some period after the takedown. McColo was one of the leading players in the so-called "

bulletproof hosting Bulletproof hosting (BPH) is technical infrastructure service provided by an Internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cybera ...

" market — ISPs that will allow servers to remain online regardless of complaints. According to ''

Ars Technica ''Ars Technica'' is a website covering news and opinions in technology, science, politics, and society, created by Ken Fisher and Jon Stokes in 1998. It publishes news, reviews, and guides on issues such as computer hardware and software, sci ...

'' and other sources, upstream ISPs Global Crossing and Hurricane Electric terminated service when contacted by

Brian Krebs Brian Krebs (born 1972) is an American journalist and investigative reporter. He is best known for his coverage of profit-seeking cybercriminals.Perlroth, Nicole.Reporting From the Web's Underbelly. ''The New York Times''. Retrieved February 28, ...

and ''

The Washington Post ''The Washington Post'' (also known as the ''Post'' and, informally, ''WaPo'') is an American daily newspaper published in Washington, D.C. It is the most widely circulated newspaper within the Washington metropolitan area and has a large nati ...

''’s ''Security Fix'' blog, but multiple reports had been published by organisations including SecureWorks,

FireEye Trellix (formerly FireEye and McAfee Enterprise) is a privately held cybersecurity company founded in 2022. It has been involved in the detection and prevention of major cyber attacks. It provides hardware, software, and services to investigat ...

and

ThreatExpert PC Tools (founded in 2003), formerly known as WinGuides.com, was a software company acquired by Symantec in 2008; the new owner eventually discontinued the PC Tools name. Company headquarters were in Australia, with offices in Luxembourg, the ...

, all naming McColo as the host for much of the world's botnet traffic. According to Joe Stewart, director of malware research for SecureWorks, the

Mega-D The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide. On October 14, 2008, the U.S Federal Trade Commission, in cooperation with Marshal Software, tracked down the owners of ...

, Srizbi,

Pushdo The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows. History In Jun ...

Rustock The Rustock botnet was a botnet that operated from around 2006 until March 2011. It consisted of computers running Microsoft Windows, and was capable of sending up to 25,000 spam messages per hour from an infected PC. At the height of its activiti ...

and

Warezov Stration (also known as Stratio and Warezov) is a family of computer worms that can affect computers running Microsoft Windows, disabling security features and propagating itself to other computers via e-mail attachments. This family of worms is un ...

botnets all hosted their master servers at McColo; numerous complaints had been made but McColo simply moved offending servers and sites to different subnets.

Spamhaus.org The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to track email spammers and Spam (electronic), spam-related activity. The name ''spamhaus'', a pseudo-German expression, ...

reportedly finds roughly 1.5 million computers infected with either Srizbi or Rustock sending spam in an average week. Following the shut down, details began to emerge of the ISP's other clients, which included distributors and vendors of child pornography and other criminal enterprises, including the

Russian Business Network The Russian Business Network (commonly abbreviated as RBN) is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of MPack and an alleged operator of the ...

. McColo gained reconnection briefly on November 19, 2008 via a backup connection agreement common in the industry, but was rapidly shut down again. The McColo takedown especially affected Srizbi, one of the world's largest

s, controlling 500,000 infected nodes as of November 2008. Symantec's monthly state of spam report for April 2009 stated that spamming was now back to what it was before McColo was taken offline. Due to botnets being created and old ones being brought back online, it estimated that about 85 percent of all email traffic is spam.State Of Spam for April 2009
/ref> By November 2009 the IP space used by McColo was still largely unused, as much of it was unattractive to buyers due to being widely blacklisted.

External links

Washington Post'' "Security Fix" blog

References

{{DEFAULTSORT:Mccolo Cybercrime Internet service providers of the United States Companies based in San Jose, California Companies disestablished in 2008

History

Malware traffic

See also

External links

References