McColo takedown: Vigilantism or Neighborhood Watch?

Security researchers defend efforts to police Web against rogue ISPs, malware purveyors

Others, though, say that the only people really opposed to the efforts of antispam and anti-malware groups are the cybercriminals themselves and those who support them for financial gain -- such as service providers that host spam sites. In addition, in the cases of both the McColo and Intercage shutdowns, the only role the security community played was to collect evidence showing conclusively that the two companies were hosting clients involved in all sorts of criminal activity, said Garth Bruen, founder of the antispam group KnujOn.

The actual decisions to pull the plug on the hosting companies was made by their service providers, not by the security researchers, Bruen said. "That was their choice to do it," he noted. "We just gave them the information to help them make up their mind."

Such cooperation between security researchers, ISPs and hosting companies can be very useful, according to Bruen. He pointed to a "very long dialogue" that KnujOn and had with a large India-based hosting company named Directi that resulted in the latter agreeing to suspend "thousands and thousands" of domains that were allegedly being used to send spam or sell counterfeit drugs.

Almost everyone concedes that the private policing effort may not be enough to completely eradicate spammers and other cybercriminals. In fact, many operations that are shut down by one service provider often resurface a short time later at another location on the Internet. That was the case for Intercage, at least temporarily. The same thing happened with McColo, which briefly came back online on Saturday via an ISP based in Sweden.

But the anti-malware campaigns are making it costlier to run such operations, Bruen claimed. For instance, almost immediately after McColo was shut down last week, spam volumes plunged by more than 40 percent, according to researchers at IronPort Systems. The shutdown also forced operators of some of the largest and nastiest botnets in the world to relocate their operations, he and other security researchers said.

What's going on is "a little closer to vigilance than it is to vigilantism,"'s Weinstein said in an interview last week. "The researchers who are coming out with these reports are not inciting specific action against any company," he added. "What they are doing is publishing data and putting it in front of people who are making these decisions."

Often, though, it's hard to know for sure if a hosting provider is complicit in the illegal activities taking place on its networks, or the extent of its culpability for such activities if it is aware of them, Weinstein said. "That's definitely a concern," he acknowledged. "But I don't think there's an easy answer to it."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags botnetsspam

More about BackboneDialogueHarvard UniversityIronPortIronPort SystemsVIAVigilance

Show Comments