Spam Nation
dozens of networks. Now, ISPs had to spread their security nets farther to ensure that malicious websites, botnets, and spammers couldn’t get through. But ISPs, government officials, and corporations were finally starting to pay attention to this cybercrime underworld spreading beneath their feet.
    That was the tip of the iceberg. In August 2008—almost a year after RBN was scattered to the four winds—I wrote a series about cybercrime activity concentrated a bit closer to home at a shadowy ISP called Atrivo. Like young Nikolai’s McColo, it was a Northern California-based hosting provider that had also ignored requests from law enforcement agencies and from the security community to unplug abusive websites that had become synonymous with botnet-hosting and huge numbers of sites set up to foist malicious software. I relied on the same evidence collected by some of the security firms that had gathered data on RBN, and in particular a report from HostExploit, an organization of internationally respected Internet professionals dedicated to researching, exposing, and raising awareness about cybercrime.
    That series, and growing attention from other media outlets and security experts, led to Atrivo being gradually excluded from the Internet, as its partners in the ISP industry who provided connections to the larger Internet for it and its cybercriminal users were publicly shamed into severing ties with the company one by one over a period of approximately two weeks.
    One of the significant fallouts of Atrivo’s shutdown was the hastened demise of the Storm worm, an infamous botnet that had infiltrated and compromised millions of Americans’ PCs and “was once responsible for sending more than 20 percent of all spam,” I explained on the Washington Post’s Security Fix blog on October 17, 2008. Atrivo had hosted a number of the master servers for the Storm worm; the worm discharged its final blast of spam three days before Atrivo was forced off the Internet by its final remaining Internet provider.
    A week after Atrivo went dark, I heard from a trusted source who had contacts with many unsavory individuals in the cybercrime underworld. My source said he had a message to pass on from an unnamed cybercrook who’d been mildly inconvenienced and grudgingly impressed by the organized ostracism of Atrivo I had started.
    “Tell Krebs ‘Nice job on Atrivo,’” the mysterious miscreant told my source. “But if he’s thinking about doing McColo next, he’s pushing his luck.”
    I wasn’t sure what to make of this communication, which seemed like an amused observation backstopped by a veiled threat. But by the time my source relayed that message, it was too late to turn back. I was already knee-deep in an investigation of McColo, the ISP company led by Nikolai “Kolya” McColo. It was a logical progression, mainly because many of the miscreants and botmasters who had parked their botnet and crimeware operations at Atrivo also had portions of their infrastructure hosted at McColo. And now that Atrivo was wiped off the Internet, McColo had become an even more critical bulletproof provider for the underground cybercrime community.
    On the afternoon of November 11, I sent several months’ worth of data detailing McColo’s offenses to the company’s two ISP partners that connected it to the larger Internet: Global Crossing and Hurricane Electric, both of which had headquarters in the United States. The information was arranged in a map that showed how the servers used to control all of the top five most active spam botnets—Internet-connected programs responsible for sending most of the world’s junk email—were parked at just a handful of servers in McColo’s Northern California hosting facility. I had a hunch that, once presented with the record of malicious activity there, McColo’s Internet partners would sever business ties with the hosting provider and effectively cripple it.
    Hours later, I heard from a source who
