World’s third largest spam net shut down

Taking out one fifth of all the world's spam was as simple as eliminating its leaders. 


Kevin Morris

Internet Culture

Published Jul 19, 2012   Updated Jun 2, 2021, 2:15 pm CDT

The Internet just became 18 percent more spam free.

The third largest spam network in the world, Grum, was shut down yesterday after a coordinated attack from security companies and local Internet service providers.

“Grum’s takedown resulted from the efforts of many individuals,” Atif Mushtaq, a researcher for Malware tracker FireEye wrote. “This collaboration is sending a strong message to all the spammers: ‘Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.’”

Grum worked thanks to a small group of puppet masters, which FireEye calls “command and control centers,” that controlled infected computers across the world.

The puppets spammed as their masters ordered, to massive success: The network comprised one fifth all the world’s spam.

Taking out Grum was as simple as taking out the puppet masters.

That began on July 17, when Dutch ISP’s took out two command and control centers in the Netherlands. But as soon as those were taken down, another popped up in Panama. A local ISP there caved after international pressure. But, according to Mushtaq, as soon as the Panamanian control center disappeared Grum jumped international borders again, this time spreading out to five different locations in the Ukraine.

That’s when Mushtaq called for support. Working with security company Spamhaus and Russian ISP’s, they used what a Mushtaq only described as a “heavy-handed” approach to take down the remaining command centers.

The network is still spamming, Mushtaq said, like a last surge of neurologic energy in a dead animal. But there’s a good chance that will end soon.

According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam with fade away as well.

Mushtaq is a veteran of spam warfare, and has taken part in similar takedowns on the networks Srizbi, Rustock 1, Ozdok, and Cutwail 1. What has he learned?

When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens.

Share this article
*First Published: Jul 19, 2012, 10:23 am CDT