Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown

Following last week's shutdown of 3FN/Pricewert's operations by the FTC, wishful thinkers expected a major decline in the overall spam volume, with botnet masters once again caught off guard just like it happened in November, 2008 with McColo's shutdown.

However, according to numerous vendors that doesn't seem to be the case.  The short-lived 15% drop in spam volume quickly returned to its usual proportions, with only two of the big botnets (Pushdo/Cutwail along with Mega-D) affected for the time being.

Here's what the vendors and their data is saying:

According to managed e-mail and web security services vendor MX Logic, the 3FN/Pricewert shutdown "spam volumes haven't been affected at all" according to data from their Threat Operations Center, where the minor decline is pretty visible, prior to FTC's press release on the 4th of June.

The company attributes the lack of visible affect on the overall spam volume due to the contingency planning applied by the botnet masters, as well as the lack of more effective cooperation with the increasingly decentralized domain registrars increasing the average time a malicious domains remains online.

This decentralization has in fact allowed cybercriminals to centralize their bulk malicious domain registration process at cybercrime-frendly registrars such as EstDomains (Cybercrime friendly EstDomains loses ICANN registrar accreditation; ICANN terminates EstDomains, Directi takes over 280k domains - Q&A with ICANN’s Stacy Burnette).

Marshal8e6's TRACElabs team points out that "looking at our Spam Statistics from last week, we do see a dip down of about 15% in our Spam Volume Index (SVI), and spam originating from the Pushdo botnet indeed seems to be affected.  The proportion of spam from Pushdo has dipped, along with Mega-D. Rustock seems completely unaffected."

On the very same day the affected Pushdo botnet spammed a fake greeting card in an attempt to distribute the Privacy Center scareware, in an apparent attempt to signal its existence.

This modest decline can also be seen through daily spam data obtained from Cisco IronPort's SenderBase, with the global spam volume clearly declining June 5th with -8% fluctuation, followed by another -22% decline on the 6th. However, the daily volume then quickly returned to its usual rate.

Proofpoint describes the post-shutdown effect of 3FN/Pricewert on spam as "minimal", in comparison to the shutdown of McColo last year.

It should also be noted that cyber-crime friendly ISPs have feelings too, just like cybercriminals do as a matter of fact :

"At first, our technicians thought something was going wrong," said Christopher, about the sudden shutdown. He said the FTC "has ruined our reputation" and has caused loss of customers. Christopher, who says he is from Ukraine, added that he hopes the firm isn't being targeted because it has associations with Ukraine, which has gotten a bad reputation in some circles for malware distribution and online crime."

The firm is targeted due to its evident connections with key botnets and malware attacks, however, it appears that several ICQ chats obtained by the FTC offered a pretty descriptive insight into the customer relationship management practices offered by 3FN/Pricewert:

"In one of the chats obtained by the FTC, Pricewert's Head of Programming is engaged in a conversation with a customer regarding the number of compromised computers the customer controls. The customer informs Pricewert that he controls 200,000 bots and needs assistance configuring the botnet. The head of Price wert's Programming Department agrees to assist, but complains upon learning of the size of the botnet that it will require a lot of work. In a second chat, a Senior Project Manager for Pricewert is told by a customer that the customer controls a massive and rapidly growing network ofbots. Pricewert's Sales Director reassures the customer that "Well, we know how to manage it."

History repeats itself. October, 2008's disconnection of California based Atrivo/Intercage once again briefly disrupted spam levels. However, a month later,  the single most successful disruption of a rogue ISP in the face of McColo, seems to have thought the botnet masters a simple lesson - don't put all your eggs in a single basket, as well as the basics of contingency planning.

With several U.S based exceptions such as for instance Layered Technologies where Rustock was running for cover following the shutdown of McColo (the company has been the de-facto hosting provider for a botnet for hire service operating for several years, among other activities), the majority of the the cybercrime-friendly ISPs are based outside the U.S, and remain the hardcore cybercriminal's hosting provider of choice.