The total volume of spam seems pretty low, for a one month period.
What are the units?
Mouse over or click on
Volume for this definition:
Volume is the total number of spam messages observed coming from all the
IP addresses for an
Autonomous System for the indicated time period.
Are the volume numbers total or for the end of the month?
The volume numbers in the tables and pie and bar charts
are cumulative for the entire month.
The volume numbers in the line graphs are for each day in the month.
I understand this data is not real-time, but....
We collect blocklist data and process it into rankings every day.
Over time we will be releasing weekly and daily rankings in addition to the
Meanwhile, the line graphs show every day for the months released.
How do you know it's not just an organizational newsletter
and not one hijacked by spam botnets?
The blocklists determine that,
so you'd have to ask them for their specific techniques.
The rankings currently on SpamRankings.net all use data from
Blocklists generally use spamtraps on IP addresses to which
nobody would ever send a legitimate newsletter, because there are no
real users there to subscribe.
In addition, for many of the IP addresses CBL lists, CBL notes
the most likely botnet according to known botnet signatures.
One form of drilldown analysis we do is to compare total volume
counts from CBL for a given ASN with volume counts from specific
botnets for that ASN. Especially for low volume ASNs, such as
medical, they match pretty closely.
Will your rankings always all be derived from CBL data?
We have prototypes for additional rankings from half a dozen other blocklists.
How do I get my organization out of the rankings?
Stop letting spam out.
If you're still being listed by the relevant blocklist, contact them to delist.
How do I stop outbound spam?
Simple steps such as patching every computer's software up to date,
teaching users to use real passwords,
and teaching users not to fall for phishing,
will go a long way towards keeping botnets from getting in and
thus preventing spam from getting out.
Such basic infosec hygiene will benefit the organization,
because it will then be
less susceptible to other malware and exploits, such as identity theft.
What else can I do to clean up my organization's network?
Most organizations check to see if doors are locked at night,
and similarly they should do regular internal network port sweeps
to see which ports users have left open that miscreants may try to exploit.
Most organizations log outbound email by source and destination.
Check to see if some internal source is suddenly sending to many
Don't interconnect guest and internal networks.
Here is a best practices paper by
and a collection of
best practices papers from SANS.
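One way to run the outbound email log check described above, as an added example that is not SpamRankings.net's own code: it flags an internal source whose number of distinct recipients in an hour jumps far above its own earlier hours. The log line format, the sample data, and the factor and floor thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed (hypothetical) log line format: "<ISO timestamp> src=<ip> rcpt=<address>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} src=(\S+) rcpt=(\S+)$")

def distinct_rcpts_per_hour(lines):
    """Map source -> {hour bucket -> set of distinct recipients}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not parse are skipped
            hour, src, rcpt = m.groups()
            buckets[src][hour].add(rcpt.lower())
    return buckets

def find_spikes(lines, factor=5, floor=20):
    """Return (source, hour, count) for hours where a source's distinct
    recipients exceed both `floor` and `factor` times its own median over
    earlier normal hours. A source with no history uses `floor` as baseline."""
    alerts = []
    for src, hours in distinct_rcpts_per_hour(lines).items():
        history = []
        for hour in sorted(hours):
            count = len(hours[hour])
            baseline = median(history) if history else floor
            if count > max(floor, factor * baseline):
                alerts.append((src, hour, count))
            else:
                history.append(count)  # flagged hours never raise the baseline
    return sorted(alerts)

def constructed_sample():
    """Constructed data: a steady mail server and a workstation that spikes at 11:00."""
    lines = []
    for h in range(8, 12):
        lines += [f"2024-01-15T{h:02d}:00:{i:02d} src=10.0.0.5 rcpt=user{i}@example.org"
                  for i in range(30)]
        n = 300 if h == 11 else 2
        lines += [f"2024-01-15T{h:02d}:{i // 60:02d}:{i % 60:02d} src=10.0.3.77 "
                  f"rcpt=rcpt{i}@example.net" for i in range(n)]
    return lines

if __name__ == "__main__":
    for src, hour, count in find_spikes(constructed_sample()):
        print(f"{src} sent to {count} distinct recipients in hour {hour}")
```

The steady mail server is never flagged because each source is compared with its own history, not with a network-wide number.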
Why medical organizations?
Medical organizations have enough spam volume to make a good initial example.
Comparing similar organizations is important,
because that's what produces peer pressure:
organizations, like people, care about how they look compared to
See Spam and Reputation.
A nurse asked: Why are medical organizations sending so much spam?
They're not deliberately sending the spam, although their computers are.
Fahmida Y. Rashid explained in eWeek.com:
"Poor security measures are generally responsible for employee
workstations getting compromised, either by spam or malicious Web
content. Once the machine is compromised, the botnet herders can add it
to its spam-spewing botnet to send out malware to even more people. The
original employee or the organization rarely has any idea the machine
has been hijacked for this purpose."
You and I know that it's botnets that send most spam, so why should we care if a nurse is confused?
If even the
people who work there don't understand the difference, the general public
won't, which gives the ranked organizations incentive to fix their problems.
And their security problems could let other malware in. If a bank or
hospital has spamming botnets, how does anyone know their bank accounts
or medical records are safe?
Why are hospitals so much more susceptible to spamming botnets
than other organizations?
It's not clear they are. ISPs send far more spam;
see the World All rankings.
We will be publishing rankings of other organization types.
Spam? Who cares?
That's not the issue. The issue is:
"the hospital's computers have been compromised."
This answer quoted from Jane commenting on
"Naming & Shaming Sources of Spam" by Brian Krebs.
"I feel it's wishful thinking to
decide the spam-bot must just be on some insignificant computer that
wasn't worth protecting but the computers that matter to ME are locked
down like Fort Knox."
Does spam affect patient care?
As commenter Jane wrote on
"Naming & Shaming Sources of Spam" by Brian Krebs:
"Spam does not affect patient care. Compromised computers can affect
patient privacy, cost, and care.
No, consumers don't tend to make decisions based on these sort of
indicators, especially when they're hurt or sick. Children aren't born
knowing to look both ways before chasing a ball into the street, either.
They have to learn."
And what if customers don't learn to make such decisions and organizations
don't stop outbound spam?
As Sue Walsh put it in The Horn:
"If a company or organization makes it on the site it means their IPs
have found their way onto a blacklist for sending spam. Spammers love to
find open proxies and unprotected FTP accounts and often use a company's
servers to host a botnet's command and control servers. Last year both
Twitter and Amazon fell victim to this. The poor security measures that
invite spammers to do things like this are also responsible for data
theft, as Sony, Citigroup and Epsilon have found out the hard way."
SpamRankings.net alone won't stop data theft, but it does provide
a good comparative indicator that your organization may have problems to fix.
If companies react to spam reputation, will they suppress
other kinds of problems?
Probably, since the same vulnerabilities that let spamming
botnets in are exploitable by other malware, so cleaning up
those vulnerabilities should prevent or remove other kinds of problems as well.
Why do people seem so little interested in accurate data about spam and cybercrime, especially from government, law enforcement, and industry?
We think it's because Internet users are not demanding it.
That's because users don't know which organizations are sending spam.
They don't know because organizations don't release such data because
they don't want their customers complaining.
Fortunately, there is publicly available data about every organization
in the world: anti-spam blocklist data.
That's what SpamRankings.net collates to networks to make
We can all watch to see how much reputation will change the situation.
Can this reputational rankings idea spread to other data about the Internet?
Brian Krebs put it:
"I applaud this effort, and hope that it gains traction. I remain
convinced that the Internet community would benefit from a more
comprehensive and centralized approach to measuring badness on the
Web. There are many existing efforts to measure reputation and to
quantify badness online, but most of those projects seek to enumerate
very specific threats (such as spam or hacked Web sites) and measure the
problem from a limited vantage point. What is lacking is an organization
that attempts to collate data collected by these disparate efforts and
to publish that information in near real-time."
What's next for SpamRankings.net?
More rankings, of different types of organizations,
for different countries, from other data sources,
and composite rankings.
Will you be making available a Wordpress widget for syndication?
We're working on it. Stay tuned.
What should SpamRankings.net become long term?
Long term, SpamRankings.net should turn into a standalone ranking agency
like Moody's or S&P, except not dependent on interviews and cooperation,
since SpamRankings.net uses blocklist data. If you don't want us to rank you,
don't let spam out!