Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

FTC takes down another command-and-control center

FTC takes down another command-and-control center

  • Comments 1

We all remember back in November 2008, the botnet command-and-control center hosting ISP McColo was taken offline.  Overnight, spam levels dropped by 40%.  It was one of the most significant antispam operations in the history of fighting spam.  Spam volumes eventually started climbing back and by May 2009 they were pretty back to where they were before the takedown (at least on our servers; I don’t speak for others who say they recovered earlier than that).

Last week, the FTC shut down another notorious ISP, owned by Pricewert LLC who the FTC is taking to court.  According to the claim, Pricewert does business under multiple names including 3FN and APS Telecom, and actively recruit and collude with criminals seeking to spread abuse on the internet.  This ISP is another command-and-control center so shutting it down would affect their botnet’s abilities to download instructions and spew out more spam.

I resisted commenting on this when I first about it last Thursday (June 4).  I decided to take a wait-and-see attitude to make sure that spam was actually decreasing because of this shutdown.  It is not unusual for us to see spam levels drop on a week-over-week basis, let alone day-over-day.  This happened in June 2008 and April 2008, and to my knowledge there were no other spam bot takedowns during that period.

Today, Symantec is reporting that spam levels are down 15% from last week’s levels.  Again, I decided to proceed cautiously. To verify our numbers, I took the daily average of last Friday (June 5), and this past Monday to Wednesday (June 8-10); I deliberately excluded weekends because they can skew data, especially for small time frames.  I then compared it to the previous three weeks worth of weekly data where the amount of spam we were receiving had stabilized.

Our spam volumes, and drops therein, agree with Symantec’s.  The total amount of spam that we are catching has dropped by 15% as well.  Is this random noise?  To calculate it, I determined the 30-day average and standard deviation of the day ending June 4.  I subtracted the average from the total mail and determined what proportion of the standard deviation that resulted in (in other words, I obtained the z-score) and then converted to a percentile.

The results:

Friday – 82%
Monday – 97%
Tuesday – 93%
Monday – 91%

To interpret the results, for Friday at an 82% percentile, this means that only 18% of the time do the results vary more than they did on Friday, ie, normal daily noise exceeds Friday’s level less than 18% of the time.  For Monday, it occurs less than 3% of the time (ie, less than chance).  Tuesday and Wednesday the variance occurs less than 7% and 9% respectively, but not so much that it couldn’t have occurred by chance.

It looks like this botnet takedown is affecting spam levels, at least at this early stage, and at least on Monday.

Leave a Comment
  • Please add 6 and 6 and type the answer here:
  • Post