We all hate spam and are familiar with the irritation it produces. For every legitimate e-mail many of us receive, there are several spam e-mails to go along with it. It seems like a never-ending battle to stop spam on the Internet, and in some respects it is. However, security firms and other corporations have found recent success taking down the source of spam.
Much of the spam we're hit with each day comes from botnets. In these botnets, large numbers of infected computers are used to send out huge volumes of spam e-mail each day. This week security researchers announced that the world's third-largest spam-generating botnet, Grum, has been taken down. Researchers claim it was responsible for one-fifth of the world's spam e-mail.
The servers that operated the botnet were based in Russia, Panama, and the Netherlands and were estimated to be in control of 100,000 infected "zombie" PCs or bots. According to researchers, Grum was ranked as the third largest network behind the Cutwail and Lethic spam botnets.
Grum didn't go down without a fight, however. The people behind the botnet set up six new servers for command-and-control functions of the bot PCs on Tuesday in response to servers that had been shut down in Panama. The researchers had been successful in getting the ISP hosting the CnC servers to pull the plug, which happened after Dutch authorities shut down two Grum CnC servers in the Netherlands.
"FireEye, working with Russian CERT-GIB and Spamhaus, found each of these new CnC servers, took a heavy-handed approach in working with Russian ISPs and domain registrars, and took them down as of 11am PT this morning, signaling the full shut down of the botnet," a FireEye spokesperson said.
The six new CnC servers were later taken offline, and as of July 18 at 11 AM PST the network was dead. Spamhaus says that on average there were 120,000 Grum IP addresses sending spam each day, and after the takedown that number has been reduced to 21,505. The hope is that once the spam templates on these machines expire, the remainder of the spam will fade.
FireEye added, "We should not take 120,000 IP addresses as the size of the Grum botnet. 120,000 IP addresses constituted only the zombies actively sending spam. In many corporate and ISP environments, outgoing email traffic is blocked by default so a big portion of the Grum botnet never sends any spam, but the bot herders use them for hosting their promotional websites."