Impact on Cutwail of 3FN shutdown

2009-06-16 21:41:00 UTC, by Quentin Jenkins

There is nothing like a visual representation to show how botnet spam traffic dries up when a major Eastern European-run (in this case, USA-routed) host of botnet Command & Control (C&C) systems is shut down. Below is a report from the CBL botnet spam detection system on the effect of a recent shutdown.
These graphs show the total number of spams (per second) detected as being sent by the Cutwail SpamBots at one of our larger (but not nearly largest) spamtraps. See the graphical representation of total spamtrap flow for how this compares to total spamtrap flow.

There are two sets of graphs included here, those of "Cutwail" and "Cutwail2". Cutwail2 is a newer version of Cutwail, and is included first because it has the higher volume. "Ordinary" Cutwail has been in existence for at least two years, Cutwail2 for the past half year or so. We detect them separately, so we present graphs for each of them.

This is intended to give an indication of the overall Cutwail flow and how it was affected by the 3FN shutdown, which caused the shutdown of most or all of the Cutwail "Command and Control" (C&C) servers. See Krebs on FTC's shutdown of 3FN.

As can be seen, the 3FN shutdown caused an immediate precipitous collapse in Cutwail-emitted spam, particularly the Cutwail2 variety - which had completely disappeared for two intervals in excess of 8 hours. However, as it was only one SpamBot family of many, its collapse is not particularly apparent in total spamtrap flow.

The shutdown of McColo was far more apparent in total flow simply because it was the shutdown of (or severe damage to) the C&C for the top 5 or 6 SpamBot networks all at once.

It is also readily apparent that Cutwail2 is struggling to get back on its feet. Cutwail2 has recovered to about 1/4 of its former volumes as of the date of this snapshot. "Ordinary" Cutwail never did vanish completely, but does not appear to be recovering yet.

The upsurge in Cutwail2 appears to be due to new C&C servers being established at other providers.

The Y axis is detections per second.

The X axis is the date/time in GMT. This snapshot was taken Tuesday, June 9th, 2009.

The Spamhaus Project works with CBL and appreciates the effort put forth by the CBL team in creating this breakdown of the Cutwail botnet numbers after the 3FN, Pricewert, APS Telecom, APX Telecom, et al. shutdown. Original CBL link. A copy of the US Federal Trade Commission's complaint can be found at this link at the Washington Post (PDF).

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.