June 05, 2009
FTC Shuts Down Rogue ISP 3FN (Triple Fiber Network) - Minimal Impact on Spam Volume
Score one for the good guys: In a press release issued yesterday, the Federal Trade Commission reported that they had shut down a rogue ISP called 3FN (Triple Fiber Network), with upstream service providers and datacenters having disconnected the ISP's servers from the Internet. Brian Krebs of the always-excellent Security Fix blog reported that this disconnection apparently happened sometime on June 2nd.
The FTC says that 3FN (also known as Pricewert LLC) was knowingly hosting and actively participating in the distribution of spam, child pornography and other malware, including fake anti-virus programs (which, far from offering protection from malware, actually install malicious code on users' machines).
The FTC has also frozen the assets of Pricewert, which "advertised its services in the darkest corners of the Internet" and distributed, amongo other things, "child pornographyphy, spyware, viruses, trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality, and incest."
The complaint also alleges that 3FN/Pricewert was operating botnets (which are the primary source of spam email these days) to send spam and launch denial-of-service attacks. This is one of the most common activites of "rogue ISPs" or so-called "bulletproof" hosts, so this is no surprise.
I've taken a look at Proofpoint's spam trap activity over the past week to see if the shutdown of 3FN caused any significant drop in spam volumes. From the chart (click the image in the upper left-hand corner of this post for a larger view) -- which shows hourly spam volume being received by an assortment of Proofpoint's "honeypot" spam traps -- there may have been a small impact on spam volumes earlier in the week, but it's hard to say anything conclusive. And, as you can also see, hourly spam volumes have risen slightly since June 2nd. It's important to note that spam volumes can swing quite wildly day by day and hour by hour and the fluctuations seen here are pretty typical.
It's interesting to compare the mild changes in this chart to the much more radical effect seen after the shutdown of rogue ISP McColo (see my previous blog post here)
That being said, anytime a bad actor like 3FN is disconnected from the net, it's a good thing.
More coverage of the FTC's shutdown of 3FN: