The process began when researchers blocked the botnet's command servers in the Netherlands and Panama on Tuesday. Grum's administrators acted quickly to restore the servers, and shortly thereafter had set up new command servers in Russia and Ukraine. Researchers were still hot on their trail, and Milpitas, Calif.-based security firm FireEye, along with UK-based anti-spam group Spamhaus, worked with Russian security experts to take down Grum again on Wednesday morning.
Grum's reach is immense: some 120,000 IP addresses were known to be sending spam before the researchers' action. That had been reduced to some 21,505 known spamming IPs after the takedown. It is thought the rest of these IPs will stop sending spam as they no longer have any active controller to receive instructions from.
This week's actions are important overall in the fight against spam because they show that countries that normally have been viewed as "safe havens" for spammers are now taking a role in the fight against the problem.
"There are no longer any safe havens", FireEye researcher Atif Mushtaq says. "Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time".
While there still remain several active botnets out there sending quite a bit of pharmaceutical spam, and Grum itself is not dead yet, this week's effort sends a message to spammers worldwide. You can run, but you can't hide -- and now the places where you thought you were safe are not so safe anymore.
"Keep on dreaming of a junk-free inbox", Mushtaq muses.