Posted on Wednesday, November 12th, 2008

Third “Bad ISP” Disappears — McColo Gone

by Jose Nazario

The third rogue ISP on our common list of badness sources – McColo – has up and disappeared. In our own database we have been tracking a few dozen botnets that phoned home to McColo IPs as well as nearly 1000 distinct URLs from hundreds of different malcode samples. These guys ran a dirty operation.

It looks like McColo’s CIDRs went off the air at about 9 AM US Eastern on 10 November:

208.66.192.0/22
208.72.168.0/21
208.72.173.0/24
65.19.154.0/25

You can get some insight into the AS paths and the updates using BGPlay from Routeviews.


No word yet on how many spam zombies are gasping for air. A spot check of my inbox shows little, if any, slowdown of spammy badness. With McColo gone off the air, I do not suspect I’ll find little to do in the coming weeks, months, and year; the badness they hosted will simply move.

We’ll be keeping an eye on these prefixes to see where they pop up next. Have a look at the old CIDRs used by Atrivo/Intercage to get an idea of other bad ASNs …
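One way to watch for these prefixes reappearing, as an added example (not code from the original post): it matches announced routes against the four CIDRs listed above and reports exact, more-specific and covering announcements with their origin AS. The `prefix|AS path` line format, the sample updates and the documentation-range ASNs (RFC 5398) are constructed assumptions.

```python
import ipaddress

# Prefixes listed in the post as going dark on 10 November 2008.
WATCHED = [ipaddress.ip_network(p) for p in (
    "208.66.192.0/22", "208.72.168.0/21", "208.72.173.0/24", "65.19.154.0/25")]

# Constructed sample in an assumed "prefix|AS path" format; not real routing
# data. ASNs come from the RFC 5398 documentation range.
SAMPLE_UPDATES = """\
208.66.192.0/22|64500 64496
208.72.173.0/24|64501 64502 64497
208.72.170.0/23|64500 64497
65.19.154.0/24|64503 64498
208.64.0.0/12|64500 64499
198.51.100.0/24|64500 64510
not-a-prefix|64500
"""

def classify(announced, watched):
    """Relate an announced prefix to one watched prefix, or return None."""
    if announced.version != watched.version:
        return None
    if announced == watched:
        return "exact"
    if announced.subnet_of(watched):
        return "more-specific"
    if announced.supernet_of(watched):
        return "covering"
    return None

def find_reappearances(text, watched=WATCHED, min_covering_len=16):
    """Return (announced, watched, relation, origin_as) for every overlap."""
    hits = []
    for line in text.splitlines():
        prefix_text, _, path_text = line.partition("|")
        try:
            announced = ipaddress.ip_network(prefix_text.strip())
            origin = int(path_text.split()[-1])  # last AS in the path
        except (ValueError, IndexError):
            continue  # malformed prefix or empty AS path
        for w in watched:
            rel = classify(announced, w)
            # Very short covering routes (aggregates, default) are noise.
            if rel == "covering" and announced.prefixlen < min_covering_len:
                continue
            if rel:
                hits.append((str(announced), str(w), rel, origin))
    return hits
```

Because 208.72.173.0/24 in the post's list sits inside 208.72.168.0/21, a single announcement of the /24 is reported against both watched entries.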

Edited on 14 Nov 2008 to note that McColo didn’t dissolve (i.e., stop being a business) but instead was removed from the Internet; it disappeared.

5 Responses



Comment Post by: SitePoint » Big Victory in Fight Against Spam: Major Spam Host Axed — November 12th, 2008 @ 2:42 pm EST

[...] weeks, months, and year, the badness they hosted will simply move,” wrote Jose Nazario a Arbor Networks, a web security [...]

Comment Post by: FVB > McColo Spam Botnets Taken Down to Chinatown — November 13th, 2008 @ 11:32 am EST

FVB > McColo Spam Botnets Taken Down to Chinatown…

“I will be watching you and if I find that you are trying to corrupt my first born child, I will bring you down, baby. I will bring you down to Chinatown.” — Jack Byrnes, Meet the Parents

A San Jose, CA hosting company, McColo Corp, that many sec…

Comment Post by: Jonathan — November 14th, 2008 @ 9:09 pm EST

I wonder how long it’s gonna take before they find a new home and the botnets’ C&Cs come back online. I can just think of so many places where they could move, whether it’s Eastern Europe, Middle East or Asia Pacific… Especially since they just disappeared, it’s not like they have been arrested or something…

Comment Post by: lamapper — June 4th, 2009 @ 7:16 pm EST

You read my mind, Jonathan. I too want to know that; anyone have a URL with information, specifically on what day after this event the SPAM levels returned to their previous levels?

Comment Post by: SPAM Hosting Company Gets Shut Down. — August 31st, 2011 @ 11:25 pm EST

[...] Nazario of Arbor Networks, a company that monitors botnet activity, speculated that McColo vanished at around 9 a.m. Eastern time on November 10. Botnets are frequently used to [...]
