- Eighteen percent of all home computers and seven percent of corporate computers are unknowingly infected with rogue programs that are responsible for sending most of the world's spam
- For the organization, outbound spam — frequently sent unknowingly by its own computers — confirms that the company’s IT security has been breached and is vulnerable
Eighteen percent of all home computers and seven percent of corporate computers harbor programs controlled by cyberthieves, according to Gunter Ollmann, head of research at Damballa, Inc., which tracks and terminates cyber-threat activity. Computers infected with these rogue programs are known as bots (short for robots), and large networks of bots, aptly called botnets, are responsible for sending most of the world’s spam. But despite sophisticated filters and even legal convictions, spam is notoriously difficult to eradicate.
Spam seems unstoppable largely because until now, spammers have been difficult to pinpoint. “Everyone knows there’s a lot of spam out there, but hardly anybody knows where it’s coming from,” says John S. Quarterman of Quarterman Creations, author of seven books about the Internet. Quarterman is also one of the team responsible for SpamRankings.net, an initiative of McCombs’ Center for Research in Electronic Commerce (CREC) whose principal investigator is McCombs Professor Andrew B. Whinston.
SpamRankings was created to track down spammers by exposing the organizations whose computers have been compromised. Whinston, with help from Quarterman and others, collects outbound spam data, extracts it by geography and type of organization for a given time period, and then ranks the resulting data by organization, complete with tables and graphs. The project is comprehensive to say the least: every organization in the world that is connected to the Internet comes under its scrutiny.
Why You Should Care About Spam
Why publish ranked lists of spamming organizations, which most likely don’t even know their computers are infected? If you knew which department store in your area had the highest theft rate, would you shop there? Perhaps, since the store’s loss does not threaten you personally. But what if you knew which bank had the worst record for identity theft? Are you just as likely to be its customer? What’s at stake is the level of perceived threat.
The SpamRankings project’s leaders hope you will recognize spam as more than annoying clutter. Far from a mere nuisance, they suggest, spam is the smoke that signals a dangerous fire. Spam at its worst poses a security threat and portends infection and theft.
For the end-user, inbound spam can carry malicious code used by hackers for fraud and crime. For the organization, outbound spam — frequently sent unknowingly by its own computers — confirms that the company’s IT security has been breached and the organization is susceptible to all sorts of other threats, such as phishing, which tries to trick users into supplying account numbers and passwords; DDoS, distributed denial-of-service attacks, which bring down websites by inundating them with thousands of service requests per second; and data theft, in which passwords and financial information are siphoned off and stored on other servers for later theft or blackmail.
SpamRankings to the Rescue
Whinston and Quarterman tackled the SpamRankings project by correlating obscure autonomous system numbers to network owners, and then scrutinizing the data to see which organizations were responsible for smaller subsets of Internet address space. Team Cymru, an organization that stalks cyber crime activity, helped the researchers with the process.
Much of the data comes from the volunteer-run Composite Blocking List, which tracks Internet addresses that have been sending spam. Separate rankings are provided using data from the Passive Spam Block List, which is associated with the Spam Kamikaze software. So, while the data were being gathered all along, “nobody has been pulling them out and tying them to individual organizations on a regular basis,” says Quarterman.
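The attribution step described above, sketched as an added example that is not SpamRankings' own code: each blocklisted address is mapped to an autonomous system by longest-prefix match, the system number is mapped to its owner, and spam volume is summed and ranked per organization. The prefixes, AS numbers, organization names and counts are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398). Organization names are hypothetical.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,   # more specific route inside the /24
    "203.0.113.0/24": 64499,
}
ASN_TO_ORG = {
    64496: "Example Telecom",
    64497: "Example Hospital Group",
    64498: "Example Hosting",
    64499: "Example Telecom",      # one organization can hold several ASNs
}
# (source IP, spam messages seen), as a blocklist feed might report them.
OBSERVATIONS = [
    ("192.0.2.10", 5000), ("192.0.2.77", 1200),
    ("198.51.100.5", 800), ("198.51.100.200", 3000),
    ("203.0.113.9", 400), ("10.1.2.3", 50),
]

def ip_to_asn(ip, prefix_to_asn):
    """Longest-prefix match of an address against the prefix table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, asn in prefix_to_asn.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def rank_organizations(observations, prefix_to_asn, asn_to_org):
    """Sum spam volume per owning organization, highest volume first."""
    volume = defaultdict(int)
    for ip, count in observations:
        asn = ip_to_asn(ip, prefix_to_asn)
        # Addresses with no matching prefix are kept visible, not dropped.
        org = asn_to_org.get(asn, "UNATTRIBUTED")
        volume[org] += count
    return sorted(volume.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    ranking = rank_organizations(OBSERVATIONS, PREFIX_TO_ASN, ASN_TO_ORG)
    for rank, (org, vol) in enumerate(ranking, 1):
        print(f"{rank}. {org}: {vol:,}")
```

The more specific /25 route matters here: without longest-prefix matching, the hosting provider's 3,000 messages would be charged to the hospital group that holds the covering /24.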
Other collaborators on the project include Prof. Serpil Sayin of Koç University, Jouni Reinikainen, a research scholar, and a series of graduate students. SpamRankings is based on work at the CREC that is supported by the National Science Foundation.
Currently, SpamRankings.com is publishing monthly ranking lists. According to the most recent list, the world’s top-three worst spamming organizations by volume for August 2011 were:
| Organization | Spam Volume for August 2011 |
|---|---|
| 1. Korea Telecom | 80,597,334 |
| 2. National Internet Backbone (India) | 56,238,028 |
| 3. Vietnam Post and Telecommunications | 53,358,409 |
By identifying the top spammers in this way, the researchers hope that consumers will avoid connecting with top-spamming companies, thus reducing the insidious emails. If this happens, the idea is that the spamming companies, wanting to protect their brand and their pocketbook, will be shamed into taking aggressive action, while the companies that do well will want to brag about their IT security.
As their creators note, SpamRankings offers a means to improve Internet security without having to create additional laws or governmental policies. “These rankings provide the transparency that has been missing from the Internet to self-govern itself as a commons,” notes Whinston. While several botnet takedowns have made the headlines, spam keeps coming back. Whinston sees the rankings as providing the “ongoing visibility” needed to tackle spammers.
Terry Hemeyer, an expert in corporate crisis management, thinks the rankings will be very useful. “All smart organizations have what I call a ‘competitive intelligence’ ability, and that includes Internet monitoring and watching,” says the senior lecturer at UT’s College of Communication and previous senior executive for a Fortune 150 energy company.
But Hemeyer cautions that it’s always an issue of return on investment. Beefing up IT security can be costly, and the C-suite will wonder what the real threat of the spamming amounts to in dollars.
According to Hemeyer, a company should place the spam issue among its top 10 concerns and hire an expert consultant for an evaluation, but always with an eye on return. “Companies can’t spend hundreds of thousands of dollars on controlling spam if it might not do that much damage.”
That being said, Hemeyer agreed, “if a hospital found that its patients’ personal records were being compromised, that’s going to create a firestorm very quickly!”
The rankings do show that some organizations, including hospitals, have made dramatic improvements over a few months, with some appearing to have cleaned up their spambot problem entirely.
For instance, Cedars-Sinai Health Systems, the leading hospital spammer in April, fell to third place by June. While a decrease of two ranks may not sound like much, their spam volume dropped significantly from 55,132 to 6,414, a reduction of 88 percent. By July, that reduction had widened to 95 percent. By August, Cedars-Sinai wasn’t even on the radar, with spam volume essentially near zero.
Does SpamRankings work? In commentary linked to the SpamRankings site, Quarterman noted the successes in the medical organizations’ rankings and wrote that the SpamRankings investigators had ruled out the possibility that these organizations simply managed to whitelist their netblocks on the Composite Blocking List.
The conclusion? The companies really did clean up their act partly in response to the rankings. Quarterman also noted that SpamRankings has even received a letter from one large medical group saying, "The listing on your site added additional impetus to make sure we 'stay clean' so in that regard, you are successful."