Home / News

Spam Volumes Dropped by Two-Thirds After Major Spam Hub Shut Down

The volume of junk e-mail sent worldwide plummeted on Tuesday after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline, reports Brian Krebs of The Washington Post today.

"Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day."

Graphs shows the number of messages submitted as spam along with the number of reports consumated regarding those messages in a 24 hour period. These numbers now reflect only a small fraction of total spam being processed by SpamCop, but they are still representative of the total. Source: Spamcop.net

During October, an average of 190 billion spam messages were sent daily, said Nilesh Bhandari, a product manager at IronPort, a messaging security company. Yesterday, however, the hourly average dropped to 112 billion, resulting in a 41% decline.

Read full story: The Washington Post

By CircleID Reporter – CircleID's internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Re: Spam Volumes Dropped by Two-Thirds After Major Spam Hub Shut Down By Fergie  –  Nov 12, 2008 9:11 pm PDT

I would also recommend reading the HostExploit.com research whitepaper on the activities observed in McColo:


...and it becomes very clear the sort of "badness" that was occurring there.


- ferg

mccolo never lost connectivity? By Carl Byington  –  Nov 13, 2008 10:29 am PDT

From looking at the bgp logs, it seems that mccolo never lost connectivity. They brought up a new connection via Los Nettos before dropping (or being dropped by) HE.

show ip bgp
7397 226 26780

Re:mccolo never lost connectivity? By Fergie  –  Nov 13, 2008 12:47 pm PDT

@Carl Byington

Not sure where you came up with that — McColo is dead in the water, routing-wise:

Hello, this is zebra (version 0.95a).
Copyright 1996-2004 Kunihiro Ishiguro.

route-views2.routeviews.org> sho ip bgp
BGP routing table entry for
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
3277 3216 3549 26780 from (
Origin IGP, localpref 100, valid, external, best
Community: 3216:3000 3216:3004 3277:3216 3549:4151 3549:30840
Last update: Thu Nov 13 15:19:33 2008

8001 10910 22212 26780 from (
Origin IGP, localpref 100, valid, external
Community: 8001:1000 8001:1008 65010:300
Last update: Wed Nov 12 16:16:20 2008



Tracing route to over a maximum of 30 hops

1 2 ms 1 ms 1 ms


4 12 ms 23 ms 49 ms pos-0-4-0-0-ar01.sfsutro.ca.sfba.comcast.net [68
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * ^C

- ferg

> Not sure where you came up By Carl Byington  –  Nov 13, 2008 6:30 pm PDT

> Not sure where you came up with that

From a bgp speaking router.

> BGP routing table entry for
> 3277 3216 3549 26780

Your own test via routeviews shows them connected via as3549 gblx.net.

Or am I missing something? Many systems don't respond to traceroute or ping.

Re: > Not sure where you came up By Fergie  –  Nov 13, 2008 6:52 pm PDT

For all intents and purposes, McColo is "off the air".

- ferg

up and running today By Carl Byington  –  Nov 14, 2008 4:48 pm PDT

host canadianpharmacycorp2.com
canadianpharmacycorp2.com has address

curl http://canadianpharmacycorp2.com/welcome.php 2>/dev/null | grep TITLE

License Pharmacy Online

Add Your Comments

 To post your comments, please login or create an account.




Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex

Domain Management

Sponsored byMarkMonitor