Apparent spam host taken offline

Posted by Maxim Weinstein Thu, 13 Nov 2008 14:53:18 GMT

McColo, a web hosting company, was taken offline by its network peer, Hosting Electric, after reports by Jart Armin of HostExploit and Brian Krebs of the Washington Post implicated McColo as a major host of spam.

As you can see, there has been a significant drop in spam reported to SpamCop since McColo was taken down. While likely temporary, it does indicate that the reports were accurate in their assessment.

Even as I applaud the efforts of journalists and security researchers to cut off spammers and malware purveyors at the source, I wonder about who else is negatively affected by these takedowns. Surely McColo and previously-taken-down Intercage had legitimate customers, owners of websites and/or domain names that they used for their personal blogs, their small businesses, their family photo albums, and so on. What happened to those users when their providers and their sites suddenly became unavailable? This doesn’t necessarily make it wrong to shut down the providers, as the disease (spam, malware, etc., affecting potentially millions of people) is almost certainly worse than the cure. But it does raise the question of whether we can find ways to hit the bad guys where it hurts, without also hurting innocent bystanders.

If you have thoughts on this, please let us know in the comments.

 


Directi, KnujOn, HostExploit to work together

Posted by Maxim Weinstein Wed, 10 Sep 2008 17:07:24 GMT

I recently blogged about two reports related to business practices of web-related companies. One of those companies, Directi, was the direct target of the KnujOn report and was mentioned in Jart Armin’s report, as well. I blogged about Directi’s response to the KnujOn report last week.

This week, Directi, KnujOn, and HostExploit (Jart’s company) released a joint statement:

In light of recent developments, Jart Armin of HostExploit.com, Bhavin Turakhia, CEO of Directi and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement as an accurate representation of facts, clearing any previous misconceptions and reaffirming their common goal to combat abuse on the Internet.

You can read the statement for the specifics, but I want to applaud the public commitment by all three parties to working together to fight badware. So far, Jart tells us that they have removed thousands of badware and spam domains. It will be interesting to see how this plays out and, in particular, how Garth, Jart, and other members of the security community evaluate Directi’s follow-through.

Also this week, both Directi and EstDomains (which was mentioned prominently in Jart’s report) contacted us to request that we send any data about domains registered through their respective services to them so they can take appropriate action. We don’t currently analyze registrars, though we hope to sometime soon, and we will, of course, make the data available to the registrars to the extent practicable if/when we have such data.

All of this activity raises an interesting (and long-standing) question about the role of domain registrars in policing the content of sites. Should a domain registrar be expected to deactivate a domain that is known to be associated with badware? If so, who is the authority that decides which sites should be taken down? How is the process kept transparent? How are errors corrected? What about legitimate sites that have been infected without the owner’s knowledge (like many of those that are in our Clearinghouse)? What about sites that are potentially "bad" in other ways, like violating local laws, perpetuating defamation, or trafficking in child pornography? Let us know what you think in the comments.
