Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown
However, according to numerous vendors that doesn't seem to be the case. The short-lived 15% drop in spam volume quickly returned to its usual proportions, with only two of the big botnets (Pushdo/Cutwail along with Mega-D) affected for the time being.
Here's what the vendors and their data are saying:
The company attributes the lack of a visible effect on the overall spam volume to the contingency planning applied by the botnet masters, as well as to the lack of more effective cooperation with the increasingly decentralized domain registrars, which increases the average time a malicious domain remains online.
Marshal8e6's TRACElabs team points out that "looking at our Spam Statistics from last week, we do see a dip down of about 15% in our Spam Volume Index (SVI), and spam originating from the Pushdo botnet indeed seems to be affected. The proportion of spam from Pushdo has dipped, along with Mega-D. Rustock seems completely unaffected."
This modest decline can also be seen in the daily spam data obtained from Cisco IronPort's SenderBase, with the global spam volume clearly declining on June 5th (an -8% fluctuation), followed by another -22% decline on the 6th. However, the daily volume then quickly returned to its usual rate.
It should also be noted that cybercrime-friendly ISPs have feelings too, just like cybercriminals do, as a matter of fact:
"At first, our technicians thought something was going wrong," said Christopher, about the sudden shutdown. He said the FTC "has ruined our reputation" and has caused loss of customers. Christopher, who says he is from Ukraine, added that he hopes the firm isn't being targeted because it has associations with Ukraine, which has gotten a bad reputation in some circles for malware distribution and online crime.
The firm is targeted due to its evident connections with key botnets and malware attacks; moreover, several ICQ chats obtained by the FTC offer a pretty descriptive insight into the customer relationship management practices offered by 3FN/Pricewert:
"In one of the chats obtained by the FTC, Pricewert's Head of Programming is engaged in a conversation with a customer regarding the number of compromised computers the customer controls. The customer informs Pricewert that he controls 200,000 bots and needs assistance configuring the botnet. The head of Pricewert's Programming Department agrees to assist, but complains upon learning of the size of the botnet that it will require a lot of work. In a second chat, a Senior Project Manager for Pricewert is told by a customer that the customer controls a massive and rapidly growing network of bots. Pricewert's Sales Director reassures the customer that "Well, we know how to manage it.""
History repeats itself. The October 2008 disconnection of the California-based Atrivo/Intercage once again briefly disrupted spam levels. However, a month later, the single most successful disruption of a rogue ISP, namely McColo, seems to have taught the botnet masters a simple lesson: don't put all your eggs in a single basket, along with the basics of contingency planning.
With several U.S.-based exceptions, such as Layered Technologies, where Rustock ran for cover following the shutdown of McColo (the company has been the de facto hosting provider for a botnet-for-hire service operating for several years, among other activities), the majority of the cybercrime-friendly ISPs are based outside the U.S., and remain the hardcore cybercriminal's hosting provider of choice.