It may be a truism that “little things mean a lot,” but in the world of spam, flipping a single switch can have huge consequences that span the globe.

We saw that concept reinforced this past week when McColo Corp., an Internet hosting firm based in San Jose, Calif., had its Internet connection shut off by its upstream connectivity providers on suspicion that McColo was serving as a command and control center for various spamming “bot net” operations as well as a base of operations for various other unsavory activities.

Of course everyone, even McColo, is innocent until proven guilty. But in the days following the disconnection, global spam volumes have reportedly dropped by nearly two-thirds. I suppose it could be a coincidence...


While many in the anti-spam world had been talking about McColo for a while as a source of problems, what seems to have brought the situation to a head was public attention in a series of articles by Washington Post writer Brian Krebs.

Until Krebs began turning over the rocks at McColo and spotlighted the awful things he found, McColo had apparently managed to string along its upstream providers into keeping its connection.

While many have praised McColo’s upstream providers, Global Crossing and Hurricane Electric, for taking the action they did to disconnect the source of so many problems, many have questioned why it took so long to act. Those folks point cynically to the timing, blaming the providers for being happy to take McColo’s money until the heat became too much.

While I understand that frustration, in my experience such an interpretation is overly simplistic.

In full disclosure, I should note that I have been a customer of Hurricane Electric. I don’t have any special relationship with them other than having paid their standard rate for hosting services. I also don’t have any special knowledge of their decision-making in this case.

However, I have some idea of the way they made their decision from my years of working with ISPs and hosting companies. While it may seem satisfyingly self-righteous to say they were “just in it for the money,” I can tell you that financial upside from hosting spammers and other ne’er-do-wells is usually far less than the costs of cleaning up their messes and rebuilding the reputation of your network space.

So why do hosting companies so often seem to tolerate spammers?

First, once you graduate to the size ranks of companies like Global Crossing and Hurricane Electric, it’s nearly impossible to police every one of the thousands of customers occupying your network space. The infrastructure for monitoring their activities, even if you had a legal right to do so, would be prohibitively expensive and unwieldy.

Thus most hosting companies have to rely upon those who are being harmed by bad behavior to call their attention to it.

Second, like most business relationships, the relationship between a hosting provider and its customer is usually built around a number of critical legal terms and conditions. Those legal agreements help to set the ground rules for the relationship and form a foundation upon which both of the parties can rely in order to make important business decisions.

In a hosting and reselling environment, the reliance upon connectivity agreements is all the more important because many more companies on the downstream side may be relying upon that upstream connection in order to stay in business.

Cancelling an agreement is seldom undertaken lightly, and with all of the attendant legal liabilities of erroneously shutting down a company’s connectivity, many companies will wisely require a significant amount of evidence before they’ll invoke termination clauses instantly, without notice, or without giving their customer time to cure their problematic behavior.

This is particularly important because, in a world full of deceptive and fraudulent behavior, it can be difficult for even the most battle-tested spam investigators to suss out who’s to blame and who’s been framed.

For these reasons, I have seldom joined my colleagues in the anti-spam community in demanding that various companies be shut down upon the first hints of bad behavior. Even setting aside the legal issues, there are far too many instances in which supposedly “iron-clad” evidence of spamming turns out to be a lot more complicated and fuzzy.

I can certainly empathize with the sentiment of “unplug first and ask questions later,” but the number of occasions in which that is the appropriate response are far fewer than you might think. But when the system works, the rumors will lead to complaints, which will lead to actionable evidence, which will lead to spammers sucking dead cable.

That chain is why it’s so critically important that folks who are fighting spamming, phishing, and other illegal activities, continue to be vigilant and diligent in their evidence gathering. Sometimes all you have is circumstantial evidence, but with enough of it, even the most risk-averse ISP lawyer will sign-off on pulling the plug.

If the McColo case proves anything, it’s that sufficient evidence, even if circumstantial, can be used – by reporters or others – to point a spotlight on chronic problems. When that evidence is presented to those who are in a position to actually see what’s going on, it can sometimes even result in swift action with far reaching consequences.

The McColo case tells us that the system, as kludgy and halting as it may sometimes be, does indeed work.

At least until the bad guys find a new rock to crawl under.