This author has long sought to shame Web hosting and Internet service providers who fail to take the necessary steps to keep spammers, scammers and other online ne’er-do-wells off their networks. Typically, the companies on the receiving end of this criticism are little-known Internet firms. But according to anti-spam activists, the title of the Internet’s most spam-friendly provider recently has passed to networks managed by IBM — one of the more recognizable and trusted names in technology and security.
In March 2010, not long after I began working on my new book Spam Nation: The Inside Story of Organized Cybercrime, From Global Epidemic to Your Front Door, I ran a piece titled Naming and Shaming Bad ISPs. That story drew on data from 10 different groups that track spam and malware activity by ISP. At the time, a cloud computing firm called Softlayer was listed prominently in six out of 10 of those rankings.
In June 2013, Softlayer was acquired by IBM. (Update: Oct. 31, 11:43 p.m. ET: As reader Alex and others have pointed out, another ISP listed prominently in this chart below — ThePlanet — is now also part of IBM/Softlayer).
Softlayer gradually cleaned up its act, and began responding more quickly to abuse reports filed by anti-spammers and security researchers. In July 2013, the company was acquired by IBM. More recently, however, the trouble at networks managed by Softlayer has returned. Last month, anti-spam group Spamhaus.org listed Softlayer as the “#1 spam hosting ISP,” putting Softlayer at the very top of its World’s Worst Spam Support ISPs index. Spamhaus said the number of abuse issues at the ISP has “rapidly reached rarely previously seen numbers.”
Contacted by KrebsOnSecurity, Softlayer for several weeks did not respond to requests for comment. After reaching out to IBM earlier this week, I received the following statement from Softlayer Communications Director Andre Fuochi:
“With the growth of Softlayer’s global footprint, as expected with any fast growing service, spammers have targeted our platform. We are aggressively working with authorities, groups like The Spamhaus Project, and IBM Security analysts to shut down this recent, isolated spike. Just in the past month we’ve shut down 95 percent of the spam accounts identified by Spamhaus, and continue to actively eliminate this activity.”
But according to Spamhaus, Softlayer still has more than 600 abuse issues unaddressed. Spamhaus says it is true that Softlayer has been responding to its abuse complaints, but that the scammers and spammers are moving much faster.
In a blog post published earlier this month, Spamhaus explained that the bulk of the trouble appears to have come from cybercriminal customers in Brazil who have been rapidly registering large numbers of domain names daily tied to fake but plausible-sounding companies or organizations.
“This Brazilian malware gang was so active that many listed [Softlayer Internet] ranges were being reassigned to the same spam gang immediately after re-entering the pool of available [Internet] addresses,” Spamhaus explained. “After observing the same [Internet] address ranges being reassigned repeatedly to the same spammers, Spamhaus contacted the SoftLayer abuse department and told them that [Spamhaus listings] for these specific issues would not be removed until SoftLayer was able to get control of the overall problem with these spammers.”
Spamhaus said it doesn’t know why Softlayer is having this problem, but it has a few guesses.
“We believe that SoftLayer, perhaps in an attempt to extend their business in the rapidly-growing Brazilian market, deliberately relaxed their customer vetting procedures,” the organization posited. “Cybercriminals from Brazil took advantage of SoftLayer’s extensive resources and lax vetting procedures. In particular, the malware operation exploited loopholes in Softlayer’s automated provisioning procedures to obtain an impressive number of IP address ranges, which they then used to send spam and host malware sites. Unfortunately, what happened to Softlayer can easily happen to any ISP that makes certain unwise choices.”
IBM/Softlayer did not comment on those allegations. But as I show in my book, Spam Nation, spammers and malware purveyors continuously seek out and patronize ISPs and hosting providers which erect the fewest barriers to rapidly setting up massive numbers of scammy sites simultaneously.
It is true that if you make it harder for spammers to operate, they don’t just go away; rather, they move someplace else where it’s easier to ply their trade. But there is little reason that these Internet bottom feeders should have made a home for themselves at a company owned by IBM, which bills itself as the fastest growing vendor in the worldwide security software market. Physician: Heal Thyself!
Update, 10:39 p.m. ET: Since this story was published, I heard from Cloudmark, another company which tracks global spam activity. According to Cloudmark, SoftLayer’s network (Autonomous System Number AS36351) was the largest source of spam in the world in Q3 2015. Cloudmark researchers also observed that a whopping 42 percent of all outbound email from SoftLayer was spam. “Current spam layers from SoftLayer are 600 percent higher than they were one year ago,” the company said in an email to KrebsOnSecurity. “Legitimate email volume is also up 180 percent, indicating an overall rapid growth in terms of outbound email.”
Update: 1:00 p.m. ET, Nov. 5: Looks like Softlayer has finally dropped off the Spamhaus Top 10 list. Here’s hoping this article helped in some small way to speed up that process.