We saw that concept reinforced this past week when McColo Corp., an Internet hosting firm based in San Jose, Calif., had its Internet connection shut off by its upstream connectivity providers on suspicion that McColo was serving as a command-and-control center for various spamming botnet operations, as well as a base of operations for various other unsavory activities.
Of course everyone, even McColo, is innocent until proven guilty. But in the days following the disconnection, global spam volumes have reportedly dropped by nearly two-thirds. I suppose it could be a coincidence...
While many in the anti-spam world had been talking about McColo for a while as a source of problems, what seems to have brought the situation to a head was public attention in a series of articles by Washington Post writer Brian Krebs.
While many have praised McColo's upstream providers, Global Crossing and Hurricane Electric, for taking the action they did to disconnect the source of so many problems, others have questioned why it took so long to act. Those folks point cynically to the timing, blaming the providers for being happy to take McColo's money until the heat became too much.
While I understand that frustration, in my experience such an interpretation is overly simplistic.
In full disclosure, I should note that I have been a customer of Hurricane Electric. I don't have any special relationship with them other than having paid their standard rate for hosting services. I also don't have any special knowledge of their decision-making in this case.
However, I have some idea of the way they made their decision from my years of working with ISPs and hosting companies. While it may seem satisfyingly self-righteous to say they were just in it for the money, I can tell you that the financial upside from hosting spammers and other ne'er-do-wells is usually far less than the cost of cleaning up their messes and rebuilding the reputation of your network space.
So why do hosting companies so often seem to tolerate spammers?
First, once you graduate to the size ranks of companies like Global Crossing and Hurricane Electric, it's nearly impossible to police every one of the thousands of customers occupying your network space. The infrastructure for monitoring their activities, even if you had a legal right to do so, would be prohibitively expensive and unwieldy.
Thus most hosting companies have to rely upon those who are being harmed by bad behavior to call their attention to it.
Second, like most business relationships, the relationship between a hosting provider and its customer is usually built around a number of critical legal terms and conditions. Those legal agreements help to set the ground rules for the relationship and form a foundation upon which both of the parties can rely in order to make important business decisions.
In a hosting and reselling environment, the reliance upon connectivity agreements is all the more important because many more companies on the downstream side may be relying upon that upstream connection in order to stay in business.
Cancelling an agreement is seldom undertaken lightly, and with all of the attendant legal liabilities of erroneously shutting down a company's connectivity, many companies will wisely require a significant amount of evidence before they'll invoke termination clauses instantly, without notice, or without giving their customer time to cure the problematic behavior.
This is particularly important because, in a world full of deceptive and fraudulent behavior, it can be difficult for even the most battle-tested spam investigators to suss out who's to blame and who's been framed.
For these reasons, I have seldom joined my colleagues in the anti-spam community in demanding that various companies be shut down upon the first hints of bad behavior. Even setting aside the legal issues, there are far too many instances in which supposedly iron-clad evidence of spamming turns out to be a lot more complicated and fuzzy.
I can certainly empathize with the sentiment of "unplug first and ask questions later," but the number of occasions in which that is the appropriate response is far smaller than you might think. But when the system works, the rumors will lead to complaints, which will lead to actionable evidence, which will lead to spammers sucking dead cable.
That chain is why it's so critically important that folks who are fighting spamming, phishing, and other illegal activities continue to be vigilant and diligent in their evidence gathering. Sometimes all you have is circumstantial evidence, but with enough of it, even the most risk-averse ISP lawyer will sign off on pulling the plug.
If the McColo case proves anything, it's that sufficient evidence, even if circumstantial, can be used by reporters or others to point a spotlight on chronic problems. When that evidence is presented to those who are in a position to actually see what's going on, it can sometimes even result in swift action with far-reaching consequences.
The McColo case tells us that the system, as kludgy and halting as it may sometimes be, does indeed work.
At least until the bad guys find a new rock to crawl under.