Dare We Dream of a Spam-Free World? Security Pros Take Out One of the World’s Largest Spammers

Dealing with spam is a reality of the digital life, but there are those among us who spend their time and energy turning back the tidal wave of unwanted and in some cases dangerous metaphorical salted pork slurry.

This week, those dedicated souls took out the Grum botnet, which was the third-largest spam botnet and was responsible for 17.4% of the world’s spam traffic, according to FireEye Malware Intelligence Lab’s Atif Mushtaq.

The folks at FireEye, in cahoots with researchers at SpamHaus and CERT-GIB, detailed their unified efforts to shut down Grum once and for all. The full story is a long one, but here’s the short version: FireEye et al. had to identify Grum’s command and control (CnC) coordinates, determine if it had a fallback mechanism (and if so, kill it), and find the geological location of the CnC servers. They found three master CnCs and five backups, which were located in Panama, Russia, and the Netherlands.

Grum server locations

The Dutch stepped up and took down Grum’s Netherlands servers, and shortly thereafter, the Panamanian ISP that owned the servers there after (so says FireEye) it “buckled under the pressure applied by the community”. That left only the server located in Russia.

After the Grum people replaced the downed servers with new ones in the Ukraine, however, FireEye sought assistance from Spamhaus, CERT-GIB, and others, who got contacts in that country to convince an upstream provider to cut Grum’s traffic off. Score one for the good guys.

However, just as every good story has a bit at the end that leads to a sequel, there’s a small detail that indicates there’s more work to be done. FireEye noted that although Grum (until this week) was the third-largest spammer and had recently accounted for nearly a fifth of the world’s spam, back in January it was number one with 33.3% of the stuff. It had already been supplanted by the Cutwail botnet, which means that there are other spammers out there growing by leaps and bounds.

Even so, FireEye’s Mushtaq is optimistic that not only can spam be reduced, it can be eliminated. In his own words, posted on the FireEye blog:

Can we dream of a junk-free mailbox? Guess what—it's just a few takedowns away. In my opinion, taking down the top three spam botnets—Lethic, Cutwail, and Grum—is enough for a rapid and permanent decline in worldwide spam level. We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well.

Good luck, Atif. We’ll all be pulling for you.