Outbound spam rankings as a proxy for organizational security
Spam as a sneeze for infosec disease

About this Research Project


Frequently Asked Questions (FAQ)

Technical Questions

The total volume of spam seems pretty low, for a one month period. What are the units?
Mouse over or click on Volume for this definition: Volume is the total number of spam messages observed coming from all the IP addresses for an Autonomous System for the indicated time period.
Are the volume numbers total or for the end of the month?
The volume numbers in the tables and pie and bar charts are cumulative for the entire month. The volume numbers in the line graphs are for each day in the month.
I understand this data is not real-time, but....
We collect blocklist data and process it into rankings every day. Over time we will be releasing weekly and daily rankings in addition to the monthly rankings. Meanwhile, the line graphs show every day for the months released.
How do you know it's not just an organizational newsletter and not one hijacked by spam botnets?
The blocklists determine that, so you'd have to ask them for their specific techniques. The rankings currently on all use data from CBL.

Blocklists generally use spamtraps on IP addresses to which nobody would ever send a legitimate newsletter, because there are no real users there to subscribe.

In addition, for many of the IP addresses CBL lists, CBL notes the most likely botnet according to known botnet signatures. One form of drilldown analysis we do is to compare total volume counts from CBL for a given ASN with volume counts from specific botnets for that ASN. Especially for low volume ASNs, such as medical, they match pretty closely.
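The daily-versus-monthly volume distinction above, and the drilldown that compares an ASN's total count with its botnet-attributed counts, are straightforward aggregations. The following is an added example, not code from the rankings project or from CBL; it works on a constructed set of blocklist records (invented ASNs, IPs and botnet labels) and treats each listing record as one observation, which is a simplification of the message-volume definition used on the site.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# One record per (day, listed IP). Fields: date, IP, Autonomous System number,
# and the botnet name if the blocklist attributed the listing to a known botnet
# signature, else None. All values here are constructed for illustration.
Record = Tuple[str, str, int, Optional[str]]

SAMPLE_RECORDS: List[Record] = [
    ("2011-06-01", "203.0.113.10", 64500, "botnet-A"),
    ("2011-06-01", "203.0.113.11", 64500, "botnet-A"),
    ("2011-06-01", "203.0.113.12", 64500, None),
    ("2011-06-02", "203.0.113.10", 64500, "botnet-A"),
    ("2011-06-02", "203.0.113.13", 64500, "botnet-B"),
    ("2011-06-01", "198.51.100.5", 64501, None),
    ("2011-06-02", "198.51.100.5", 64501, None),
    ("2011-06-02", "198.51.100.6", 64501, "botnet-A"),
]


def daily_volume(records: List[Record]) -> Dict[int, Dict[str, int]]:
    """Per-ASN count for each day: the series a daily line graph plots."""
    out: Dict[int, Counter] = defaultdict(Counter)
    for date, _ip, asn, _bot in records:
        out[asn][date] += 1
    return {asn: dict(days) for asn, days in out.items()}


def monthly_volume(records: List[Record]) -> Dict[int, int]:
    """Per-ASN count summed over the whole period: the cumulative figure
    shown in tables and pie/bar charts."""
    return dict(Counter(asn for _d, _ip, asn, _b in records))


def botnet_breakdown(records: List[Record], asn: int) -> Dict[str, int]:
    """Drilldown: how much of one ASN's total is attributed to each named
    botnet, with unattributed listings counted separately."""
    return dict(Counter((bot or "unattributed")
                        for _d, _ip, a, bot in records if a == asn))


def attributed_fraction(records: List[Record], asn: int) -> float:
    """Share of an ASN's volume carrying a botnet attribution. A value near
    1.0 means the botnet-specific counts nearly match the ASN's total, the
    close match the text describes for low-volume ASNs."""
    breakdown = botnet_breakdown(records, asn)
    total = sum(breakdown.values())
    if total == 0:
        return 0.0
    return (total - breakdown.get("unattributed", 0)) / total


if __name__ == "__main__":
    print("monthly:", monthly_volume(SAMPLE_RECORDS))
    print("daily:", daily_volume(SAMPLE_RECORDS))
    for asn in sorted(monthly_volume(SAMPLE_RECORDS)):
        print(asn, botnet_breakdown(SAMPLE_RECORDS, asn),
              f"attributed={attributed_fraction(SAMPLE_RECORDS, asn):.2f}")
```

Comparing `attributed_fraction` across ASNs is the check the drilldown performs: where most of an ASN's listings carry a botnet signature, the outbound spam is very unlikely to be a legitimate newsletter.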

Will your rankings always all be derived from CBL data?
Nope. We have prototypes for additional rankings from half a dozen other blocklists.
How do I get my organization out of the rankings?
Stop letting spam out. If you're still being listed by the relevant blocklist, contact them to delist.
How do I stop outbound spam?
Simple steps such as keeping every computer's software patched up to date, teaching users to use real passwords, and teaching users not to fall for phishing will go a long way towards keeping botnets from getting in, and thus preventing spam from getting out. Such basic infosec hygiene benefits the organization beyond spam, because it becomes less susceptible to other malware and exploits, such as identity theft.
What else can I do to clean up my organization's network?
Most organizations check that the doors are locked at night; similarly, they should run regular internal network port sweeps to see which ports users have left open that miscreants may try to exploit. Most organizations log outbound email by source and destination: check whether some internal source has suddenly started sending to many external destinations. Don't interconnect guest and internal networks. Here is a best practices paper by Cisco, and a collection of best practices papers from SANS.
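The outbound-mail check described above (an internal source suddenly sending to many external destinations) can be run over a mail server's log. This is an added example, not code from the rankings project; it assumes the log has been reduced to a constructed "timestamp source-IP recipient" form, and the hosts, addresses and domains in it are invented. Mail to the organization's own domains is ignored, since only external fan-out is a spam-out signal.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Set

# Constructed outbound-mail log: one delivery per line. Real Postfix, Exchange or
# Sendmail logs can be reduced to this shape; everything below is made up.
SAMPLE_LOG = """\
2011-06-14T09:01:02 10.0.5.21 alice@example-hospital.test
2011-06-14T09:01:40 10.0.5.21 billing@insurer.test
2011-06-14T09:02:11 10.0.5.22 bob@example-hospital.test
2011-06-14T09:02:30 10.0.7.90 x1@freemail-one.test
2011-06-14T09:02:31 10.0.7.90 x2@freemail-two.test
2011-06-14T09:02:31 10.0.7.90 x3@freemail-three.test
2011-06-14T09:02:32 10.0.7.90 x4@freemail-four.test
2011-06-14T09:02:33 10.0.7.90 x5@freemail-five.test
2011-06-14T09:02:33 10.0.7.90 x6@freemail-six.test
2011-06-14T09:03:00 10.0.5.23 carol@partner-clinic.test
"""

# Domains that count as internal mail (constructed).
INTERNAL_DOMAINS = {"example-hospital.test"}

# timestamp, IPv4 source, recipient domain after the '@'
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+@(\S+)$")


def external_destinations(log: str, internal_domains: Set[str]) -> Dict[str, Set[str]]:
    """Map each internal source IP to the set of distinct external recipient domains."""
    dests: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, src, domain = m.groups()
        domain = domain.lower()
        if domain in internal_domains:
            continue  # internal-to-internal mail is not an outbound spam signal
        dests[src].add(domain)
    return dests


def flag_fanout(dests: Dict[str, Set[str]], min_domains: int = 5, ratio: float = 3.0) -> List[str]:
    """Return source IPs whose distinct external fan-out is above an absolute floor
    and at least `ratio` times the median across all sources. Both thresholds are
    illustrative defaults; a real deployment tunes them against its own baseline."""
    counts = {src: len(d) for src, d in dests.items()}
    if not counts:
        return []
    median = statistics.median(counts.values())
    return sorted(src for src, n in counts.items()
                  if n >= min_domains and n >= ratio * median)


if __name__ == "__main__":
    dests = external_destinations(SAMPLE_LOG, INTERNAL_DOMAINS)
    for src, domains in sorted(dests.items()):
        print(src, len(domains), "external domains")
    print("suspicious sources:", flag_fanout(dests))
```

A single workstation reaching six unrelated external domains in seconds, while its peers each reach one, is the pattern a spamming bot produces; the comparison against the median keeps a legitimately busy mail relay from being flagged just for being busy, as long as that relay's volume is reflected in the baseline.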

Ranking Questions

Why medical organizations?
Medical organizations have enough spam volume to make a good initial example. Comparing similar organizations is important, because that's what produces peer pressure: organizations, like people, care about how they look compared to the competition. See Spam and Reputation.
A nurse asked: Why are medical organizations sending so much spam?
They're not deliberately sending the spam, although their computers are. As Fahmida Y. Rashid explained in
"Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose."
You and I know that it's botnets that send most spam, so why should we care if a nurse is confused?
If even the people who work there don't understand the difference, the general public won't, which gives the ranked organizations incentive to fix their problems. And their security problems could let other malware in. If a bank or hospital has spamming botnets, how does anyone know their bank accounts or medical records are safe?
Why are hospitals so much more susceptible to spamming botnets than other organizations?
It's not clear they are. ISPs send far more spam; see the World All rankings. We will be publishing rankings of other organization types.
Spam? Who cares?
That's not the issue. The issue is: "the hospital's computers have been compromised."

This answer is quoted from Jane, commenting on "Naming & Shaming Sources of Spam" by Brian Krebs. She adds:

"I feel it's wishful thinking to decide the spam-bot must just be on some insignificant computer that wasn't worth protecting but the computers that matter to ME are locked down like Fort Knox."
Does spam affect patient care?
As commenter Jane wrote on "Naming & Shaming Sources of Spam" by Brian Krebs:
"Spam does not affect patient care. Compromised computers can affect patient privacy, cost, and care.

No, consumers don't tend to make decisions based on these sort of indicators, especially when they're hurt or sick. Children aren't born knowing to look both ways before chasing a ball into the street, either. They have to learn."

And what if customers don't learn to make such decisions and organizations don't stop outbound spam?
As Sue Walsh put it in The Horn:
"If a company or organization makes it on the site it means their IPs have found their way onto a blacklist for sending spam. Spammers love to find open proxies and unprotected FTP accounts and often use a company's servers to host a botnet's command and control servers. Last year both Twitter and Amazon fell victim to this. The poor security measures that invite spammers to do things like this are also responsible for data theft, as Sony, Citigroup and Epsilon have found out the hard way." alone won't stop data theft, but it does provide a good comparative indicator that your organization may have problems to fix.

Reputation Questions

If companies react to spam reputation, will they suppress other kinds of problems?
Probably, since the same vulnerabilities that let spamming botnets in are exploitable by other malware, so cleaning up those vulnerabilities should prevent or remove other kinds of problems as well.
Why do people seem so little interested in accurate data about spam and cybercrime, especially from government, law enforcement, and industry?
We think it's because Internet users are not demanding it as customers. That's because users don't know which organizations are sending spam. They don't know because organizations don't release such data because they don't want their customers complaining. Fortunately, there is publicly available data about every organization in the world: anti-spam blocklist data. That's what collates to networks to make organizational rankings. We can all watch to see how much reputation will change the situation.
Can this reputational rankings idea spread to other data about the Internet?
Yes. As Brian Krebs put it:
"I applaud this effort, and hope that it gains traction. I remain convinced that the Internet community would benefit from a more comprehensive and centralized approach to measuring badness on the Web. There are many existing efforts to measure reputation and to quantify badness online, but most of those projects seek to enumerate very specific threats (such spam or hacked Web sites) and measure the problem from a limited vantage point. What is lacking is an organization that attempts to collate data collected by these disparate efforts and to publish that information in near real-time."
What's next for
More rankings, of different types of organizations, for different countries, from other data sources, and composite rankings.
Will you be making available a Wordpress widget for syndication?
We're working on it. Stay tuned.
What should become longterm?
Longterm, should turn into a standalone ranking agency like Moody's or S&P. Except not dependent on interviews and cooperation, since uses blocklist data. If you don't want us to rank you, don't let spam out!