Outbound spam as a proxy for organizational security
Which organizations send the most spam?
Even seasoned network executives, managers, and engineers don't know.
This research project answers that question by correlating
outbound spam blocklist data to Autonomous Systems owned by organizations.
Publishing the resulting rankings gives organizations an incentive
to deal better with outbound spam.
All data are provisional, and all results are tentative.
However, a track record is building; see
These rankings illustrate at least two kinds of organizational incentives:
- organizations that rank well will want to brag
  about that in their own marketing, while organizations that rank poorly
  have an incentive to get better so their reputation will improve.
- good reputation translates into retaining and
  acquiring customers, while bad reputation translates into losing customers.
Nobody wants to do business with a bank or hospital or hosting company that's a spam haven.
These rankings help provide the transparency that has been missing
for the Internet to govern itself as a commons.
Policy implications include the release of more security information,
enabling further reputational rankings that drive further security improvements.
See also Cloud.SpamRankings.net
Beyond Spam to Security
“Once the machine is compromised, the
botnet herders can add it
to its spam-spewing botnet....”
—Fahmida Y. Rashid,
“The poor security
measures that invite spammers to do things like this are also responsible
for data theft....”
All Spammed Up
Outbound spam indicates botnets, botnets indicate vulnerabilities,
and vulnerabilities indicate susceptibility to other threats,
including phishing, DDoS, and other malware,
so outbound spam is a proxy for poor organizational security
on the part of any Email Service Provider (ESP),
that is, any organization that sends email
(not just ISPs),
regardless of whether the ESP is a bank, a university, or a hospital.
“We're not trying to solve the spam issue.
We're trying to deal with the broader issue of whether companies
should publicly report security issues.”
Prof. Andrew B. Whinston,
“I applaud this effort, and hope that it gains traction.”
Krebs on Security