New on the site

3 May 2012: Rankings for April 2012

Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. in rankings from PSBL data, pushing the U.S. to #1 worldwide.

5 April 2012: Rankings for March 2012

Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012.

6 March 2012: Rankings for February 2012

Back again, AS 21788 NOC took the top in U.S. rankings, joined by seven newcomers. Something is amiss in the U.S.!

8 February 2012: Rankings for January 2012

PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.

11 January 2011: PSBL October 2011 data

Several known problems with PSBL October 2011 data collection, delivery, and processing caused PSBL volume for that month to be very low and spotty. We managed to process more data since then, and have marked every October ranking as:

No PSBL data 1-5 October or 25-31 24-26 and 30-31 October.

Corresponding changes for October and November rankings from PSBL data are marked with strike-through for deletions and underline for additions. Cleveland Clinic now turns up in October for world medical and U.S. medical, also now noted in the November world medical and U.S. medical rankings.

5 January 2011: Rankings for December 2011

India spammed most worldwide, while Bank of America topped one U.S. ranking, and CyberSURF peaked in Canada, but Cleveland Clinic cleaned up its act.

5 December 2011: Rankings for November 2011

Korea led the world in spam, Comcast got pushed to third in the U.S., yet spammed the most, and Cleveland Clinic and Sutter Health fell off the wagon.

21 November 2011: Country rankings

BRICs spam the world! China is only #13, but Brazil, Russia, and India (the other three BRICs) are in the top five countries by total spam messages for October 2011.

4 November 2011: Big Churn in the U.S.

Big churn in the U.S. this month included last month's winner vanishing, Comcast retaking the topspot but with only 2 out of the top 10, and colo FDCservers.net AS 30058 joined in at number ten.

4 November 2011: Rankings for October 2011

Worldwide rankings were pretty stable, while there was big churn in the U.S. this month.

6 October 2011: Canada Stirred Up

Surprise winner Canaca-com's AS 33139 took first place in the September 2011 Canada CBL Volume rankings, while long-time winner Bell Canada's AS 577 dropped to fifth place.

6 August 2011: Medical Still Clean, But One

After the Big Drop of 14 July, all medical rankings stayed near zero, except for one; see   World rankings.

4 August 2011: The Big Drop

14 July was the Big Drop for medical rankings.   US medical rankings all went to zero, and between 17 and 24 July,   World medical rankings went from hundreds and thousands to near zero. There was no such effect in any other rankings than medical.

4 August 2011: July 2011 rankings

Comcast took five out of the top ten  US rankings.

1 August 2011: Little tables

2

AS 9208 WIN

BE

Small tables at the top of each ranking for a quick overview, with just six lines of just AS numbers and names (no organization names or URLs).

1	(-)	AS 23235 BOSMED-88-ENEWTON	US
2	(1)	AS 9208 WIN	BE
3	(2)	AS 22328 CSHS	US
4	(5)	AS 22083 MEMORIAL-HEALTH-CARE	US
5	(-)	AS 21992 SSHA-ONE-ASN	CA
6	(3)	AS 26199 NKCHA	US

The More link next to each little table leads to the big table.

1 August 2011: Labels inside bars

More legible bar graphs by putting the labels inside the bars.

26 July 2011:  BE &  TR

Astonishing rankings similarities from CBL and PSBL data, even though CBL sends us 400 times as much volume. Not just Skynet's overwhelming and growing spam dominance in  Belgium, but the next four or five ranks are the same. For and  Turkey, the orders drop off so rapidly after TTNet that rankings from PSBL data don't match CBL in the lower orders, yet many of the same organizations appear in rankings from both blocklists.

6 July 2011: PSBL volume and June

Added PSBL blocklist volume rankings to the CBL blocklist volume rankings, and updated both for June data. The PSBL rankings are similar to yet different from the CBL volume rankings. That makes eight rankings per month, with more coming.

29 June 2011:  Canadian rankings

Added May, April, and March rankings for  Canada. Shaw was ahead in March, but Bell Canada has led since then, beating challengers such as iWeb.

21 June 2011: FAQ

Added Frequently Asked Questions (FAQ).

16 June 2011: Logarithmic scale

Look below any big line chart and you'll find a link to click to change to logarithmic charts, and back to linear. Log charts make it easier to see ASNs when they have low volumes.

9 June 2011: Added In the News

Getting some nice news coverage!

7 June 2011: Rankings for May

WIN in  Belgium pulled ahead for May in the  global medical rankings, but Cedars-Sinai Health Systems in the  U.S. shot up like a rocket at the end of the month, running away with first place for the final week. Cedars-Sinai looks set to recover the all-month leads it held in April and March.

In the all- U.S. rankings, 30217 DESYNC dropped to zero from 20 May on: most impressive! Even more impressive, 20228 PACNET-MX dropped from first place to zero from 12 May onwards.

May 2011: First rankings released

As SpamRankings.net goes public, the first rankings are for the  world and for the  U.S.: all Autonomous Systems and medical ones.

Worldwide medical rankings for April 2011 show the top spamming Autonomous Systems (groups of IP addresses) as belonging to Cedars-Sinai Health Systems in the  U.S., WIN in  Belgium, and Konkuk University Hospital in  Korea. SpamRankings.net is all ears for feedback from ranked organizations.

In the News

• 09 May 2012, John S. Quarterman, Perilocity,

  An ISP snowshoes ahead in spamming

  “However, the dotted line rising to the top right that pulled the solid overall snowshoe volume line back up is not a hosting center: it's an ISP. CDM's AS 6428 appears to be operating as Primary Network, whose first services are T-1 Internet access and metro Internet. And Primary Network is not alone.”

• 4 May 2012, John S. Quarterman, Perilocity,

  Microsoft, world leader in Internet security: and spamming?

  “And of course Microsoft probably doesn't mean to be sending any of that spam. More likely botnets exploited a MSFT security vulnerability. Here's hoping they clean it up soon!”

• 26 April 2012, John S. Quarterman, Perilocity,

  Ogee snowshoe: black swan or new strategy?

  “Others say the actual spam coming out of Ogee is not the same campaigns as we've seen from botnets, so spammers are not moving over. To which I say: yet. And if snowshoe spam is big enough to change worldwide SpamRankings.net, and if it continues, that's a strategy change. We'll see how all that goes.”

• 16 April 2012, John S. Quarterman, Perilocity,

  Ogee pushed iWeb and Canada up SpamRankings.net in March 2012

  “AS 32613 IWEB-AS was far ahead of the Canadian spamming pack in the March 2012 SpamRankings.net. iWeb improved a lot towards the end of the month, but will it stay improved? AS 14366 MTNCABLE plateaued early, dropped, then took first at the end of the month. Could they have the same problem?”

• 12 April 2012, John S. Quarterman, Perilocity,

  Snowshoe spamming pushed the U.S. to #1 worldwide in March 2012 SpamRankings.net

  “But the US ASNs that got worse pushed the U.S. to #1 spamming country. The slope of that U.S. world top 10 curve for the last dozen days of March looks just like the Brinkster and CARINET ASN curves in the U.S. top 10. Very impressive, to drive the whole country into the countries top 10!”

• 12 March 2012, John S. Quarterman, Perilocity,

  Did the February 2012 spam surge come from one botnet?

  “SpamRankings.net saw a huge surge in spam from some U.S. ASNs, mostly from ones that hadn't even been in the top 10 before, with possible correlations in one ASN each from Peru and Canada. Did all this spam come from the same botnet?”

• 8 March 2012, John S. Quarterman, Perilocity,

  Big U.S. Spam Spike in February 2012 SpamRankings.net

  “In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn't place in the top 10 at all, for the first time in recent memory!”

• 16 February 2012, John S. Quarterman, Perilocity,

  Is January's medical spam caused by botnets?

  “Remember those three spamming medical organizations PSBL saw and the spike from CSHS that SpamRankings.net found in CBL data? Digging into the underlying data, and graphing them all on the same chart, we see this:”

• 15 February 2012, John S. Quarterman, Perilocity,

  CSHS is back in January 2012 SpamRankings.net

  “In SpamRankings.net, January PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.”

• 31 January 2011, John S. Quarterman, Perilocity,

  Global Crossing spam spike, November 2011

  “It looks like GBLX is infested with many botnets, but the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak on 16 Nov.”

• 5 January 2011, John S. Quarterman, Perilocity,

  India, Bank of America, and CyberSURF: December 2011 SpamRankings.net

  “ In SpamRankings.net for December 2011, worldwide India spammed the most, while Bank of America topped one U.S. ranking, and CyberSURF peaked in Canada, but Cleveland Clinic cleaned up its act.”

• 15 December 2011, John S. Quarterman, Perilocity,

  Comcast pushed out of first, yet wins November U.S. SpamRankings.net

  “AS 20214 COMCAST-20214 did spam a third less (1,503,173 spam messages) than last month (2,193,898), but it was the spontaneous spam spewing of the two top place newcomers that pushed it down to third place. Yet Comcast really won the month. It took 4 of the top 10 (places 3, 6, 7, and 10), which is twice as many as last time, and accounted for 30.29% of top 10 spam spewed, up from 23.9% last time.”

• 5 December 2011, John S. Quarterman, Perilocity,

  Cleveland Clinic spewing spam again

  “Now a couple of hundred spam messages a day isn't much by world organization standards, but compared to what we'd all like to see from medical organizations (zero), it's a lot.”

• 21 November 2011, John S. Quarterman, Perilocity,

  China does not lead Country Rankings from SpamRankings.net

  “China is only #13, but Brazil, Russia, and India (the other three BRICs) are in the top five countries by total spam messages for October 2011. U.S. is #10.”

• 15 November 2011, John S. Quarterman, Perilocity,

  What is IPWORLDNET and why is it spamming from Canada?

  “Last month's winner, Canaca-com's AS 33139 CANACA-210, came in second.
  
  From there down it's mostly the usual suspects in slightly different orders. Interestingly, longterm winner Bell Canada's AS 577 BACOM only came in fourth. This is unusual for a national telco. Maybe they're watching the rankings?”

• 10 November 2011, John S. Quarterman, Perilocity,

  Big Churn in the U.S. in October SpamRankings.net

  “All that and Numbers 2 and 3 didn't even place last month. #3 AS 25653 FORTRESSITX jumped up from about a thousand spam messages a day to more than 200,000 and then back down. #2 AS 23376 APPSERVE came up from zero on 11 October to more than 225,000, dropped back briefly to zero on 22 October, and then resumed at around 65,000 a day. Both of those cases look suspiciously like single botnet infestations.”

• 24 October 2011, John S. Quarterman, Perilocity,

  How to leverage botnet takedowns

  “Most of the paper is about effects of a specific takedown (March 2011) and a specific slowdown (December 2010) on specific botnets (Rustock, Lethic, Maazben, etc.) and specific ASNs (Korea Telecom's AS 4766, India's National Internet Backbone's AS 9829, and many others). ... The detailed drilldowns also motivate a higher level policy discussion.”

• 27 September 2011, Matt Turner, Texas Enterprise,

  Spam Spanking

  “Why publish ranked lists of spamming organizations, which most likely don't even know their computers are infected? If you knew which department store in your area had the highest theft rate, would you shop there? Perhaps, since the store's loss does not threaten you personally. But what if you knew which bank had the worst record for identity theft? Are you just as likely to be its customer? What's at stake is the level of perceived threat.

  The Spam Rankings project's leaders hope you will recognize spam as more than annoying clutter. Far from a mere nuisance, they suggest, spam is the smoke that signals a dangerous fire. Spam at its worst poses a security threat and portends infection and theft.”

• 24 September 2011, John S. Quarterman, Serpil Sayin, Andrew B. Whinston, TPRC 2011,

  Rustock Botnet and ASNs

  “Knock one down, two more pop up: Whack-a-mole is fun, but not a solution. Need many more takedowns, oor many more organizations playing. How do we get orgs to do that? ...

  Most orgs keep security problems secret because they think it will harm their reputation. Ahah! Publish reputation and they'll care.”

• 29 August 2011, John S. Quarterman, RIPE Labs,

  The Big Medical Drop in SpamRankings.net

  “The listing on your site added additional impetus to make sure we 'stay clean' so in that regard, you are successful. —Medical org. security expert”

• 20 June 2011, Samuel Greengard, CACM,

  How Much Spam Does Your Company Unknowingly Send?

  “...300 spam messages per month. Worse, these missives—fraught with malware and phishing schemes—potentially wreak havoc with computers.”

• 17 June 2011, Sue Walsh, All Spammed Up,

  University of Texas Publicizes Known Spam Havens

  “If a company or organization makes it on the site it means their IPs have found their way onto a blacklist for sending spam. Spammers love to find open proxies and unprotected FTP accounts and often use a company's servers to host a botnet's command and control servers. Last year both Twitter and Amazon fell victim to this. The poor security measures that invite spammers to do things like this are also responsible for data theft, as Sony, Citigroup and Epsilon have found out the hard way.”

• 9 June 2011, Lindsey Rattikin, The Horn,

  UT launches website to combat spam

  “Everyone knows the frustration that comes along with opening your email account only to have to sift through countless spam messages about "free iPads" or "island getaways." Just by giving your email address out to one questionable institution, your message box can become so flooded that it becomes impossible to find the emails you actually need to read. A group at the University of Texas, the Center for Research in Economic Commerce (CREC), is trying to tackle this problem, one institution at a time.”

• 8 June 2011, Fahmida Y. Rashid, eWeek.com,

  UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers

  “Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose.”

• 8 June 2011, Justin Lee, Web Host Industry Review,

  University of Texas Launches Website that Publicizes Spam Sources

  “Poor security measures lead to spam and data theft, where botnets are used to send spam using computers hijacked without the knowledge of their owners.

  And although it has yet to be proved whether people consider an organization's spam rankings when choosing a bank, health care provider, SpamRankings is certainly a useful resource to have when qualifying an organization's security measures.”

• 7 June 2011, John S. Quarterman, Perilocity,

  Krebs on SpamRankings.net

  “...organizations that do better over time may want to brag, as has happened with a couple of U.S. organizations in May.”

• 7 June 2011, Brian Krebs, Krebs on Security,

  Naming & Shaming Sources of Spam

  “I applaud this effort, and hope that it gains traction. I remain convinced that the Internet community would benefit from a more comprehensive and centralized approach to measuring badness on the Web. There are many existing efforts to measure reputation and to quantify badness online, but most of those projects seek to enumerate very specific threats (such spam or hacked Web sites) and measure the problem from a limited vantage point. What is lacking is an organization that attempts to collate data collected by these disparate efforts and to publish that information in near real-time.”

• 1 June 2011, physorg.com,

  Ranking seeks to protect internet users from data theft by exposing flagrant spam havens

  “The connection between spam and data theft is poor computer security. Spammers use what are called botnets to send spam using computers hijacked without the knowledge of their legitimate owners.”

• 1 June 2011, Team Cymru, Twitter,

  SpamRankings.net: ID'ing major #spam havens

  “uses our IP to ASN lookup service http://bit.ly/mJO0w4”

• 1 June 2011, Jessica Farrar, MCombs Today,

  New Ranking Warns Internet Users about Online Spam Havens

• 31 May 2011, myScience,

  Ranking Seeks to Protect Internet Users from Data Theft by Exposing Flagrant Spam Havens

Press Releases

Ranking Seeks to Protect Internet Users

from Data Theft by Exposing Flagrant Spam Havens

May 31, 2011 AUSTIN, Texas — The Center for Research in Economic Commerce (CREC) at The University of Texas at Austin has unveiled an initiative called SpamRankings.net, designed to protect Internet users by identifying major havens for spam.

"Nobody wants to do business with a bank or hospital or Internet hosting company that has been hijacked by spammers," said center Director Andrew Whinston. "It is an environment in which user data can be stolen or compromised."