The third rogue ISP on our common list of badness sources – McColo – has up and disappeared. In our own database we have been tracking a few dozen botnets that phoned home to McColo IPs, as well as nearly 1000 distinct URLs from hundreds of different malcode samples. These guys ran a dirty operation.
It looks like McColo’s CIDRs went off the air at about 9 AM US Eastern on 10 November:
18.104.22.168/22 22.214.171.124/21 126.96.36.199/24 188.8.131.52/25
You can get some insight into the AS paths and the updates using BGPlay from Routeviews.
No word yet on how many spam zombies are gasping for air. A spot check of my inbox shows little, if any, slowdown of spammy badness. With McColo off the air, I don't expect to find myself with little to do in the coming weeks, months, and years: the badness they hosted will simply move.
We’ll be keeping an eye on these prefixes to see where they pop up next. Have a look at the old CIDRs used by Atrivo/Intercage to get an idea of other bad ASNs …
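Keeping an eye on the prefixes means watching the BGP update stream for two things: the withdrawals that took them off the air, and later announcements of the same or more-specific space, especially from a different origin AS. The script below is an added example, not code from the original post or from any of the tools mentioned; it walks update lines in the layout that bgpdump -m emits (an assumption about the input, and the sample lines here are constructed with documentation address space, not McColo's), flags anything overlapping a watch list, and also lets you check whether a C2 address pulled from a malcode sample sits in the watched ranges. Substitute the CIDRs from the post, or the old Atrivo/Intercage ranges, for the constructed watch list.

```python
import ipaddress

# Watch list. Constructed for this added example with documentation space;
# replace with the McColo (or Atrivo/Intercage) CIDRs for real monitoring.
WATCHED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/22")]

# Constructed sample in the layout bgpdump -m produces (fields split on '|'):
#   BGP4MP|unix_time|A|peer_ip|peer_as|prefix|as_path|...   (announcement)
#   BGP4MP|unix_time|W|peer_ip|peer_as|prefix                 (withdrawal)
# Timestamps, peers and ASNs are made up; the last line is unrelated noise.
SAMPLE_UPDATES = """\
BGP4MP|1226322000|A|192.0.2.1|64496|198.51.100.0/22|64496 64500 64501|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1226322000|A|192.0.2.1|64496|203.0.113.0/24|64496 64500 64501|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1226322300|W|192.0.2.1|64496|198.51.100.0/22
BGP4MP|1226322300|W|192.0.2.1|64496|203.0.113.0/24
BGP4MP|1226400000|A|192.0.2.1|64496|203.0.113.0/25|64496 64510 64511|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1226400000|A|192.0.2.1|64496|10.0.0.0/8|64496 64520|IGP|192.0.2.1|0|0||NAG||
"""


def parse_update(line):
    """Return (unix_time, 'A'|'W', prefix, origin_as) or None for lines we skip."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 6 or fields[0] != "BGP4MP":
        return None
    try:
        ts = int(fields[1])
        prefix = ipaddress.ip_network(fields[5], strict=False)
    except ValueError:
        return None
    kind = fields[2]
    if kind == "W":
        return (ts, "W", prefix, None)
    if kind == "A" and len(fields) >= 7:
        path = fields[6].split()
        # Origin AS is the rightmost AS_PATH element; tolerate an AS_SET like {64501,64502}.
        origin = path[-1].strip("{}").split(",")[0] if path else None
        return (ts, "A", prefix, origin)
    return None


def watched_overlap(prefix):
    """Return the watch-list network that overlaps `prefix` (covering or more specific), else None."""
    for net in WATCHED:
        if net.version == prefix.version and net.overlaps(prefix):
            return net
    return None


def c2_in_watched(ip_str):
    """Does a C2 address from a malcode sample fall inside the watched space?"""
    return watched_overlap(ipaddress.ip_network(ip_str))


def track(lines):
    """Walk update lines and return events as (time, event, prefix, origin_as).

    Events: 'announced' (first sighting), 'withdrawn', 'reappeared',
    'reappeared-new-origin' (back on the air from a different AS, the case
    to chase) and 'origin-changed' (still live but origin flipped)."""
    events = []
    last_origin = {}  # watched net -> origin AS last seen announcing it
    live = {}         # watched net -> currently announced?
    for line in lines:
        parsed = parse_update(line)
        if parsed is None:
            continue
        ts, kind, prefix, origin = parsed
        net = watched_overlap(prefix)
        if net is None:
            continue
        if kind == "W":
            live[net] = False
            events.append((ts, "withdrawn", str(prefix), last_origin.get(net)))
            continue
        prev = last_origin.get(net)
        if prev is None:
            events.append((ts, "announced", str(prefix), origin))
        elif not live.get(net, False):
            tag = "reappeared-new-origin" if origin != prev else "reappeared"
            events.append((ts, tag, str(prefix), origin))
        elif origin != prev:
            events.append((ts, "origin-changed", str(prefix), origin))
        live[net] = True
        last_origin[net] = origin
    return events


if __name__ == "__main__":
    for ev in track(SAMPLE_UPDATES.splitlines()):
        print(ev)
```

On the constructed sample the /25 that comes back under AS 64511 is reported as `reappeared-new-origin`, which is exactly the signal you want when dirty space gets re-homed; the 10.0.0.0/8 line is ignored because it overlaps nothing on the list. Feeding it real Routeviews update archives is a matter of piping `bgpdump -m` output into `track()`.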
Edited on 14 Nov 2008 to note that McColo didn't dissolve (i.e. stop being a business); it was removed from the Internet, which is why it disappeared.