McColo takedown: Vigilantism or Neighborhood Watch?
- — 18 November, 2008 08:27
"Surely McColo and previously-taken-down Intercage had legitimate customers, owners of websites and or domain names that they used for their personal blogs, their small businesses, their family photo albums, and so on," Weinstein wrote. "What happened to those users when their providers and their sites suddenly became unavailable?"
McColo hosted a staggering variety of cybercrime activity, according to a group of researchers who said they had investigated and documented the company's practices for more than two years. In addition to Web sites that spewed out huge quantities of spam, McColo is alleged to have hosted child pornography and counterfeit pharmaceutical sites as well as the command and control servers for some of the Internet's biggest botnets.
The company was kicked offline last Tuesday after The Washington Post provided its upstream service providers with information about McColo's alleged hosting of spammers and other cybercrooks. According to an entry in the Post 's Security Fix blog by reporter Brian Krebs, the information was gathered from security researchers over the past four months.
Benny Ng, director of infrastructure at Hurricane Electric, an ISP that was one of the McColo's service providers, said that his company's decision to pull the plug on the company was based solely on what it was given by the Post . "We were informed of what was going on, so we went to our router and just turned their ports off," Ng said.
According to Ng, the decision was a straightforward and perfectly legal one because what McColo was doing was completely against Hurricane Electric's terms of service. "Having a company like McColo on your network doesn't look good," he said. "As an operator of an international Internet backbone service, you just can't have that."
The fear of ending up on an Internet blacklist is also a powerful motivator in such cases. Several groups and companies -- including StopBadware.org, The Spaumhaus Project, HostExploit.com and Castlecops -- maintain extensive lists of Web sites and domains that are allegedly associated with spamming, rootkits, adware, spyware, phishing and other threats.
The blacklists are used by many security vendors and corporate IT departments as part of their efforts to block spam and other malware. As such, ending up on one or more of the lists can have drastic consequences for an ISP or Web site. And sometimes, all it takes for a service provider to end up being blacklisted is for a handful of its customers to be identified as spammers, according to an executive at a hosting firm who asked not to be named.
"You could have thousands of customers, out of which one is a spammer," the executive said. "Those lists could still say, 'We believe XYZ is a service provider that sponsors spam. We don't like you and we won't let others talk to you.'" He added that there often is little transparency into the rules used by blacklist groups to determine what constitutes a spammer, and that it sometimes can be hard to get off of the lists in a timely manner. "They basically have you over a barrel," the executive said. "So yes, we do pay attention to them."