By Vulch Posted Tuesday 18th November 2008 20:48 GMT
Spam rejections jumped up on the work server at 23:00ish last (Monday) night. Used to be two a second on average, dropped to 0.4 last week when McColo got cut off, crept back up to just under one over the week and jumped to 5 a second last night and up until lunchtime today when it dropped back to 3 again.
Strangely the actual level of spam that gets through to real users has hardly changed over the week, it's stuff to the random non-existent usernames at our domains that dropped and came back.
By Anonymous Coward Posted Wednesday 19th November 2008 00:14 GMT
We can't get the botnets to self-destruct. THAT would be a worthwhile goal. (*SIGH*) Maybe we can get them to only receive instructions from 127.0.0.1!
By Chris C Posted Wednesday 19th November 2008 02:43 GMT
That certainly does sound suspicious. Unfortunately, there probably wasn't enough research or investigation to file criminal charges against McColo's controllers. When they were cut off last Tuesday, one of my clients noticed just under a 50% drop in spam -- from an average of 81,500 per day down to 43,200 per day. I'm sure their aging mail server breathed a sigh of relief at the time.
A number of years ago, after a particularly nasty worm began spreading like wildfire, a white/grey hat created a worm that went into people's systems and downloaded the patches to plug the hole that allowed the first worm in (I forget the name of the "good" worm, perhaps one of you could remind me). While I'm certainly not in favor of unauthorized access, maybe this isn't such a bad idea. If people still can't be bothered to patch old flaws, perhaps something like that is needed. Then again, when Microsoft waits 7 years to patch a hole...
Of course, what would help even more is if these idiot high-speed ISPs didn't insist on users plugging their systems right into the network with no firewall. There should *ALWAYS* be a hardware box between your system and the modem. With dial-up modems, that wasn't possible (and quite frankly, not necessary). With cable/DSL modems, having a hardware firewall as a go-between is trivial. The question is, who will create a low-cost hardware firewall for your average consumer? Yes, cable/DSL routers do this for us, but there are still many people who plug right into the modem (using either a network cable or a USB cable). Until hardware firewalls become commonplace, we'll never get rid of botnets. No, I'm not suggesting that a hardware firewall will eliminate the problem, but it will certainly help prevent it. Eliminating unsolicited connection requests is definitely a good first step.
By JohnG Posted Wednesday 19th November 2008 09:47 GMT
The snag is that having a firewall is not enough. Typically, most domestic firewalls allow users to connect outwards using any protocol. This allows a trojan both to send SMTP mail and to collect instructions from the botnet masters by making regular connections to a server (e.g. an IRC server).
Infection is also not affected by the presence of a firewall - typical vectors include malicious incoming emails and websites that host the trojans. In both cases, the user's system has initiated an outgoing connection.
It might be useful if ISPs didn't allow users to connect with unpatched systems (other than to the sites that provide the patches) - but do the ISPs care more about SPAM or their earnings?
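As an added example, not part of the thread or any poster's code: detection logic a defender could run over connection logs to pick out the two behaviours JohnG describes, a workstation sending SMTP directly instead of through the site's mail relay, and a host phoning home to an address range that has been banished. The flow records, the relay address and the blocklisted range are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: the site's legitimate mail relay and a hypothetical
# blocklisted netblock standing in for a cut-off provider's range.
MAIL_RELAY = "10.0.0.5"
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records as (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.10", 25),    # relay delivering mail: expected
    ("10.0.0.5", "198.51.100.11", 25),
    ("10.0.0.23", "198.51.100.20", 25),   # workstation speaking SMTP directly
    ("10.0.0.23", "198.51.100.21", 25),
    ("10.0.0.23", "198.51.100.22", 25),
    ("10.0.0.23", "198.51.100.23", 25),
    ("10.0.0.23", "198.51.100.24", 25),
    ("10.0.0.23", "198.51.100.25", 25),
    ("10.0.0.42", "203.0.113.77", 6667),  # workstation reaching blocklisted IRC
    ("10.0.0.42", "93.184.216.34", 443),  # ordinary HTTPS, ignored
    ("10.0.0.17", "198.51.100.30", 25),   # one stray SMTP flow, below threshold
]


def find_suspect_hosts(flows, relay=MAIL_RELAY, blocklist=BLOCKLIST, smtp_threshold=5):
    """Return {src_ip: [reasons]} for internal hosts whose egress looks bot-like."""
    smtp_dests = defaultdict(set)
    reasons = defaultdict(list)
    for src, dst, port in flows:
        # Direct outbound SMTP from anything but the relay is a spam-bot signature.
        if port == 25 and src != relay:
            smtp_dests[src].add(dst)
        # Any contact with a blocklisted range is flagged regardless of port.
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in blocklist):
            reasons[src].append(f"connected to blocklisted {dst}:{port}")
    for src, dests in smtp_dests.items():
        # A single stray SMTP flow is noise; many distinct peers is not.
        if len(dests) >= smtp_threshold:
            reasons[src].append(f"direct SMTP to {len(dests)} distinct hosts, bypassing relay")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in find_suspect_hosts(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(why))
```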
By Piers Posted Wednesday 19th November 2008 12:34 GMT
...it would be dead handy if someone like Spamhaus had a list that ISPs could then block access to. Then the bots couldn't phone home. If only it could be that easy!
At least we have an IP range to banish to the outer darkness
By Anonymous Coward Posted Wednesday 19th November 2008 13:44 GMT
Well, at least we have another IP range to banish; it wasn't up long enough to re-route all the bots.
By Donovan Hill Posted Wednesday 19th November 2008 22:03 GMT
Chris C:
I remember years ago when Shaw Cable claimed that people using hardware firewalls were stealing internet simply because they were using one IP for multiple pieces of hardware. If you wanted local file sharing or printer sharing, their solution was to purchase more IP addresses...
Quote: "There should *ALWAYS* be a hardware box between your system and the modem. With dial-up modems, that wasn't possible (and quite frankly, not necessary)."
Yes there should.
And it was very possible and needed on dial-up & ISDN. I ran firewalls on many sites from 1995 to 2002 for dial-up connections (analogue & ISDN). These usually provided a proxy to share and autodial the connection. It also made rogue premium-rate auto-diallers toothless, as the actual PCs all used Ethernet on 192.168.0.xxx.
Comments on: Dead network provider arms Rustock botnet from the hereafter