Microsoft Swats Spam Server Network

Here’s a great story for anyone suffering from inbox overload. 1.5 billion fewer spam emails will be sent today thanks to court action instigated by Microsoft.

Operation b49 was Microsoft’s codename for the investigation into Waledac, a spam bot network which controlled an estimated 90,000 PCs. The company discovered the source of the controlling servers with help from Symantec, intelligence organization Shadowserver, and the University of Washington. A lawsuit was brought against 27 unnamed criminals which sought a restraining order against 273 web domains.

The court ordered Verisign to temporarily take down the domains; this is the first time domain shutdowns have been used to disable a spam network. The entire operation and court action were kept secret to ensure the spammers did not switch domains, destroy evidence or initiate alternative techniques.

The bots had been responsible for sending 650 million emails to Hotmail accounts during an 18-day period in December 2009. That’s storage space Microsoft was paying for; they certainly had commercial justification for their action.

This was a worldwide problem and we scored a big, big victory.

said Richard Boscovich, the head of Microsoft’s digital crime unit.

Response from the security industry has been mixed. Several experts have stated Waledac was not a major threat and accounted for less than 1% of all spam. Anti-spam service Spamhaus reported that the action had little effect on daily traffic. It should also be noted that the Waledac-infected PCs have not been fixed; spammers could still find a way to resurrect the bots.

This victory may not win the war against spam, but everything helps. If only Microsoft could stop spammers infecting PCs running their OS…

Have you received noticeably less spam today?

  • Daniel

    At least Microsoft did something that affected the root cause, even if only a little. Firewall and Anti-virus programs only stop the problem at the computer so it won’t send out spam to other people. I’m sure that’s good for inbox of many others, but it’s not good for the people who don’t know how to get access up and going again.

    I work on a help desk, and a common response is, “Shut down your security program and turn off your computer until you can call the manufacturer to help you.”

    Well done Microsoft!

  • http://www.mikehealy.com.au cranial-bore

    Great news. Whether this reduces worldwide spam by 1% or 0.5% or 0.1% it’s nice to actually get some legal recourse against the spammers. Normally they are so anonymous and untouchable it’s frustrating that they can do what they want. Very good.

  • http://www.rwtconsultants.com israelisassi

    I think it’s great that Microsoft did this. It may not completely fix the problem but it’s definitely a move in the right direction. It would be a great move if the security companies moved from just detecting the problem to eliminating it at the root. Sure there will be more to follow, but you can learn a lot every time you take down one of these threats.

  • http://www.lunadesign.org awasson

    This is a good start. A step further would be if ISPs scanned the IPs under their care for signatures of bot activity to alert their clients of suspicious activity. A farm of 90,000 zombie computers packs a pretty serious amount of wallop!

  • Poo

    >> If only Microsoft could only stop spammers infecting PCs running their OS…
    Is this supposed to be funny? I suppose you’re an Apple or Linux fan? Wake up.
    (Comment edited to remove colorful language)

  • http://www.optimalworks.net/ Craig Buckler

    Is this supposed to be funny? I suppose you’re an Apple or Linux fan? Wake up.

    I use Windows — but this isn’t about what OS you, I or anyone else prefers. Spammers would have a much harder time if they couldn’t install malware on Windows.

  • http://logicearth.wordpress.com logic_earth

    I use Windows — but this isn’t about what OS you, I or anyone else prefers. Spammers would have a much harder time if they couldn’t install malware on Windows.

    It would be nice, but it does not actually matter. You see, malware is just an application, like Firefox. A user willingly has chosen (very rarely is it not of a user’s action) to install that application. Is the OS going to tell the user they cannot? No. For all the OS knows, that application is just another application.

    So then what? Does Microsoft change everything and break current applications? They could but the malware will adapt. Should we all move to another platform? Could but the malware will adapt. The problem is not the OS, it is that critical piece of hardware sitting in the chair.

    But Microsoft does have a solution for stopping malware installing on the machines. Windows Defender installed and running by default on Windows Vista/Windows 7, upgradable to Microsoft Security Essentials. Both of which are free and can be installed on Windows XP.

  • http://www.optimalworks.net/ Craig Buckler

    @logic_earth
    Malware can either be identified by signature or activity, e.g. a non-email client sending a few emails on a frequent basis.

    You’re right that it’s the user who’s the biggest risk. And I suspect it’s those on older versions of Windows too. However, Unix-based OSs rarely suffer the same problems because they’re less of a target for spammers and it’s more difficult to bypass security. I doubt many of those 90,000 spambot-infected PCs are running OS X or Linux.

    But please, let’s not turn this into a Windows vs Mac vs Linux security debate! This is a positive story for Microsoft and they should be congratulated on any successful attempt at thwarting spammers.

  • http://logicearth.wordpress.com logic_earth

    Malware can either be identified by signature or activity, e.g. a non-email client sending a few emails on a frequent basis.

    Identified by a signature and activity? What you are talking about is outside the scope of the Operating System. That type of control belongs in the Anti-virus/malware space. I mean, does an email client look different compared to a non-email client sending emails out to an OS? Well technically if it is sending email then it must be an email client? But email is a concept high above the stack, to the OS it is just a network operation sending out TCP/IP packets.

    However, Unix-based OSs rarely suffer the same problems because they’re less of a target for spammers and it’s more difficult to bypass security.

    More difficult to bypass security? No, that is far from true. Nothing is bypassing the security on Windows. UNIX has the advantage because average users, your mother, grand-parents, non-technical people do not run UNIX on their computers (aside from dumbed-down versions on Macs). But as I said, there is no bypassing of security on Windows, making security irrelevant.

    I know you are not wanting to turn this into some OS flame war, I’m not trying to, but your own points need to be corrected. Now to truly stop malware from infecting machines we must educate the users; only they can stop it altogether, not software.

  • http://www.optimalworks.net/ Craig Buckler

    @logic_earth
    I agree with what you say about “OS scope”, but Microsoft provide a range of software (often within the OS) which has been successfully exploited by spammers to infect the underlying systems.

    We’ll never solve the issue of user naivety, but that doesn’t absolve Microsoft from working on the problem.

  • http://www.lunadesign.org awasson

    I still think this is beyond the scope of the developer of the OS, be it Apple, MS or Linux… The OS has been refined to provide flexibility in the number of applications that can be run and the resources they can use, and this provides hooks that script kiddies, spammers and others can use to assemble their army of bots. Although I loathe Vista’s multiple question and answer process whenever I try to install a new piece of software, I doubt there is any way a piece of malicious software can get past without the explicit cooperation of the computer user. Same goes for OSX… You cannot install a piece of software without providing secondary “yes, I’d like to install this” permission and the admin password.

    The average computer user doesn’t spend any time reading up on computer security or how to prevent their computer from becoming part of a Spam Bot army. I’ve even heard people just accept that their computer has been infected and wonder if they should get more RAM or a faster processor so that the effect of a hijacked computer is lessened. With that in mind, suggesting that the average computer owner will somehow become informed and clean up their systems is not likely.

    I think ISPs should take a more active role in identifying and notifying their clientele of suspicious activity. You know they’re watching because they’ll damn well inform you if you go over their bandwidth restrictions. If they only concentrated on the signatures of known trojans, that would likely be half the battle.
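Two threads in the comments above suggest watching for bot *activity* rather than malware signatures: a non-mail program sending mail frequently, and ISPs scanning the addresses they serve for bot-like traffic. The script below is an added example (not from the article or any commenter) of that kind of check: it reads constructed outbound flow records and flags hosts that connect directly to many distinct mail servers within a short window, which is how a spam bot behaves and how an ordinary desktop relaying through its provider does not. The record format, the thresholds and the relay allowlist are all assumptions.

```python
# Added example (not from the article): flag hosts whose outbound SMTP fan-out looks
# like a spam bot, the "activity" signal the comments suggest an ISP could watch for.
from collections import defaultdict

# Constructed flow log: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>", one outbound flow per line.
SAMPLE_FLOWS = """
# bot-like host: six different mail exchangers in under a minute
1262304000 10.0.0.5 198.51.100.10 25
1262304005 10.0.0.5 198.51.100.11 25
1262304012 10.0.0.5 198.51.100.12 25
1262304020 10.0.0.5 198.51.100.13 25
1262304031 10.0.0.5 198.51.100.14 25
1262304044 10.0.0.5 198.51.100.15 25
# ordinary desktop: mail goes through the ISP relay, plus some web browsing
1262304010 10.0.0.2 192.0.2.25 587
1262304090 10.0.0.2 192.0.2.25 587
1262304100 10.0.0.2 203.0.113.7 443
# low-volume host: three mail servers, but spread over hours
1262304000 10.0.0.7 198.51.100.20 25
1262308000 10.0.0.7 198.51.100.21 25
1262312000 10.0.0.7 198.51.100.22 25
"""

def parse_flows(text):
    """Parse flow lines into (ts, src, dst, port) tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            ts, src, dst, port = line.split()
            flows.append((int(ts), src, dst, int(port)))
    return flows

def smtp_fanout_suspects(flows, window=300, min_distinct=5, relays=frozenset()):
    """Peak distinct SMTP destinations per source within any `window` seconds; only
    sources reaching `min_distinct` are returned, and flows to sanctioned relays are ignored."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in (25, 587) and dst not in relays:
            per_src[src].append((ts, dst))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        left, peak = 0, 0
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:  # slide the window's left edge forward
                left += 1
            peak = max(peak, len({dst for _, dst in events[left:right + 1]}))
        if peak >= min_distinct:
            suspects[src] = peak
    return suspects
```

With the sample data, `smtp_fanout_suspects(parse_flows(SAMPLE_FLOWS), relays={"192.0.2.25"})` reports only the bot-like host; widening the window to hours is what it takes to pull in the slow sender, which is the trade-off an operator tunes.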

  • pimpdon

    ok…. after reading all that you all had to say,,,,, I am sure you can help me.

    I have tried to get rid of the halmark virus from my server. It is there for sure.

    baricuda has confirmed that it is spamming from my server IP and I am getting put on a blacklist…….. can you help ????????/?/?????//

  • http://www.lunadesign.org awasson

    Funny story…
    One of my dev servers (MS IIS) was successfully targeted by a bunch of krackers/spammers last week. They used a flaw in FrontPage extensions to gain access, transfer a bunch of files to my server’s root and even transferred a copy of PHPMyAdmin to try to get control of my MySQL database.

    Flipping FrontPage extensions… I usually have those turned off, but I had to use them a while back to back up a client’s site. I guess I never removed them after.

    As it turned out they couldn’t really do anything because my mailserver was turned off, ftp was turned off and they weren’t able to do anything with the MySQL database either, but it’s the first time we’ve been hit like this in about eight years and it wasted a good full day of productivity. Now that server is so secure it can’t even be pinged from outside the network, but what a drag last Monday was : (

    @pimpdon: I thought the “halmark virus” was a hoax?? Anyway, if you really have a virus on your server, then you probably also have a trojan providing a method to access your server. This blog isn’t the best place to look for help so maybe you should be looking elsewhere. If you’re using a MS server go look at http://www.grc.com for Windows protection tools and get a couple of good firewalls and virus scanners.