Outbound spam rankings as a proxy for organizational security
Spam as a sneeze for infosec disease

See NSF Grants 1228990, 0831338
News 24 July 2014: Anti-Spamming Website Helps Companies Cut Outbound Spam

About this Research Project


July 2015 Rankings: New to LACNIC top 10: #6 ANT-AS, #8 TELESC, #9 ADSIB, #10 Axtel.


Outbound spam as a proxy for organizational security

Which organizations send the most spam? Even seasoned network executives, managers, and engineers don't know. This research project answers that question by correlating outbound spam blocklist data with the Autonomous Systems owned by organizations. Publishing the resulting rankings gives organizations an incentive to do better at dealing with outbound spam.

All data are provisional, and all results are tentative.

However, a track record is building; see publications.


These rankings illustrate at least two kinds of organizational incentives:

Reputational incentives: organizations that rank well will want to brag about that in their own marketing, while organizations that rank poorly have incentive to get better so their reputation will improve.

Economic incentives: good reputation translates into retaining and acquiring customers, while bad reputation translates into losing customers. Nobody wants to do business with a bank or hospital or hosting company that's a spam haven.

These rankings help provide the transparency that has been missing for the Internet to govern itself as a commons.

Policy implications include releasing more security information, which would enable further reputational rankings and, in turn, further security improvements.




Beyond Spam to Security

“Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet....”
Fahmida Y. Rashid,

“The poor security measures that invite spammers to do things like this are also responsible for data theft....”
Sue Walsh, All Spammed Up

Outbound spam indicates botnets, botnets indicate vulnerabilities, and vulnerabilities indicate susceptibility to other threats, including phishing, DDoS, and other malware. Outbound spam is therefore a proxy for poor organizational security on the part of any Email Service Provider (ESP), that is, any organization that sends email (not just ISPs), regardless of whether the ESP is a bank, a university, or a hospital.

“We're not trying to solve the spam issue. We're trying to deal with the broader issue of whether companies should publicly report security issues.”
Prof. Andrew B. Whinston, McCombs Today

“I applaud this effort, and hope that it gains traction.”
Brian Krebs, Krebs on Security


The Principal Investigator is Professor Andrew B. Whinston of the University of Texas at Austin. Whinston has advised over 100 graduate students and has a rich source of potential research collaborators in relating existing business theoretical literature to these new organizational forms and to empirical data. In 2011 he was rated as the most influential scholar in the Information Systems field by the h-index, which measures scholarly influence.

Gene Moo Lee is a Ph.D. student in UT Austin Computer Science who designed and reimplemented the dataflow pipelines for the rankings. Before joining the Ph.D. program, he was a research staff member at Samsung Electronics from 2006 to 2010. He received an MA degree in Computer Science from UT Austin in 2006 and a dual BS degree in Computer Science and Mathematics from Korea University in 2004.

Shu He is a Ph.D. student in the Department of Economics at the University of Texas at Austin. She received a Bachelor of Economics in 2011 from Peking University in Beijing, China. She is involved in the experiment design and statistical analysis.

Ying-Yu Chen is a Ph.D. student of Computer Science and a Research Assistant at the University of Texas at Austin. He does software engineering for the project, including programming both frontend and backend systems and providing and evaluating solutions for deploying the project to the cloud. He received the B.S. and M.S. degrees in Computer Science from National Tsing Hua University in Taiwan in 2006 and 2007 respectively.

Markus Iivonen is a Software Engineering student at Helsinki Metropolia University of Applied Sciences. He programs frontend and backend systems as a software engineer in this project.

Mark Varga is an undergraduate student at UT Electrical and Computer Engineering who programs the project's CRM and email sending systems, including prioritizing which email addresses to use. He also handles hardware and software upgrades.

Zeyuan Zhu is an undergraduate in UT Computer Sciences who programs alarms and alerts and manages backups.

Administrative Assistant Meredith Bethune helps coordinate everything and helps with incoming contacts.


Acknowledgements and Disclaimer


This material is based upon work supported by the National Science Foundation under Grants No. 1228990 and 0831338.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Data Sources

We gratefully acknowledge custom data from CBL, PSBL, John B. Chambers, Fletcher Mattox, and the University of Texas Computer Science Department, Gretchen Phillips of GPE Enterprise, Quarterman Creations, and especially Team Cymru.

Flag images are by Philippe Verdy, used under GPL 2.1.

None of them are responsible for the project, either.

For more information, see the project home page at the Center for Research in Economic Commerce at the University of Texas at Austin.