McColo and the Difficulty of Fighting Spam
It may be a truism that “little things mean a lot,” but in
the world of spam, flipping a single switch can have huge
consequences that span the globe.
We saw that concept reinforced this past week when McColo
Corp., an Internet hosting firm based in San Jose, Calif.,
had its Internet connection shut off by its upstream
connectivity providers on suspicion that McColo was serving
as a command and control center for various spamming “bot
net” operations as well as a base of operations for various
other unsavory activities.
Of course everyone, even McColo, is innocent until proven
guilty. But in the days following the disconnection, global
spam volumes have reportedly dropped by nearly two-thirds. I
suppose it could be a coincidence...
While many in the anti-spam world had been talking about
McColo for a while as a source of problems, what seems to
have brought the situation to a head was public attention in
a series of articles by Washington Post writer Brian Krebs.
Until Krebs began turning over the rocks at McColo and
spotlighted the awful things he found, McColo had apparently
managed to string along its upstream providers into keeping
its connection.
While many have praised McColo’s upstream providers, Global
Crossing and Hurricane Electric, for taking the action they
did to disconnect the source of so many problems, many have
questioned why it took so long to act. Those folks point
cynically to the timing, blaming the providers for being
happy to take McColo’s money until the heat became too much.
While I understand that frustration, in my experience such
an interpretation is overly simplistic.
In full disclosure, I should note that I have been a
customer of Hurricane Electric. I don’t have any special
relationship with them other than having paid their standard
rate for hosting services. I also don’t have any special
knowledge of their decision-making in this case.
However, I have some idea of the way they made their
decision from my years of working with ISPs and hosting
companies. While it may seem satisfyingly self-righteous to
say they were “just in it for the money,” I can tell you
that financial upside from hosting spammers and other
ne’er-do-wells is usually far less than the costs of
cleaning up their messes and rebuilding the reputation of
your network space.
So why do hosting companies so often seem to tolerate
spammers?
First, once you reach the size of companies like Global
Crossing and Hurricane Electric, it’s nearly
impossible to police every one of the thousands of customers
occupying your network space. The infrastructure for
monitoring their activities, even if you had a legal right
to do so, would be prohibitively expensive and unwieldy.
Thus most hosting companies have to rely upon those who are
being harmed by bad behavior to call their attention to it.
Second, like most business relationships, the relationship
between a hosting provider and its customer is usually built
around a number of critical legal terms and conditions.
Those legal agreements help to set the ground rules for the
relationship and form a foundation upon which both of the
parties can rely in order to make important business
decisions.
In a hosting and reselling environment, the reliance upon
connectivity agreements is all the more important because
many more companies on the downstream side may be relying
upon that upstream connection in order to stay in business.
Cancelling an agreement is seldom undertaken lightly. Given
the legal liabilities that attend erroneously shutting down a
company’s connectivity, many companies will wisely require a
significant amount of evidence before they’ll invoke
termination clauses instantly, without notice, or without
giving their customer time to cure the problematic behavior.
This is particularly important because, in a world full of
deceptive and fraudulent behavior, it can be difficult for
even the most battle-tested spam investigators to suss out
who’s to blame and who’s been framed.
For these reasons, I have seldom joined my colleagues in the
anti-spam community in demanding that various companies be
shut down upon the first hints of bad behavior. Even setting
aside the legal issues, there are far too many instances in
which supposedly “iron-clad” evidence of spamming turns out
to be a lot more complicated and fuzzy.
I can certainly empathize with the sentiment of “unplug
first and ask questions later,” but the number of occasions
on which that is the appropriate response is far smaller than
you might think. But when the system works, the rumors will
lead to complaints, which will lead to actionable evidence,
which will lead to spammers sucking dead cable.
That chain is why it’s so critically important that folks
who are fighting spamming, phishing, and other illegal
activities, continue to be vigilant and diligent in their
evidence gathering. Sometimes all you have is circumstantial
evidence, but with enough of it, even the most risk-averse
ISP lawyer will sign off on pulling the plug.
If the McColo case proves anything, it’s that sufficient
evidence, even if circumstantial, can be used – by reporters
or others – to point a spotlight on chronic problems. When
that evidence is presented to those who are in a position to
actually see what’s going on, it can sometimes even result
in swift action with far-reaching consequences.
The McColo case tells us that the system, as kludgy and
halting as it may sometimes be, does indeed work.
At least until the bad guys find a new rock to crawl under.