How Much Spam Does Your Company ­nknowingly Send?

Spam has clearly emerged as a bane of the digital age. These days, a typical user receives somewhere in the neighborhood of 300 spam messages per month. Worse, these missives—fraught with malware and phishing schemes—potentially wreak havoc with computers.

Yet spam represents another, often overlooked, problem: Systems infected with botnets epitomize a serious security hazard for organizations unwittingly relaying the spam. “It raises questions about how secure a system is and what data cyberthieves can access,” observes Andrew Whinston, a professor of information systems at the University of Texas, Austin.

As a result, The Center for Research in Electronic Commerce at the University of Texas, Austin has created SpamRankings.net, a service that uses "name and shame" to publicize organizations infected with spam bots. The service culls through data to create a monthly ranking showing which organizations are the biggest offenders. Although SpamRankings started with health-care providers—among the worse spam senders, Whinston notes—it is expanding to a broader array of organizations.

“The goal is to create greater transparency,” explains John Quarterman, senior researcher for SpamRankings and CEO of InternetPerils, an organization that conducts Internet risk management services. “It’s all about reputation. No organization wants to wind up on this list.” Indeed, entities relaying spam have deeper security problems. “The protection of sensitive customer or patient data comes into question,” he explains.

SpamRankings culls data from the Composite Block List (CBL), which tracks Internet addresses sending spam. Although the CBL is a vast resource for spam information, it doesn’t break down data by organization. That’s where SpamRankings enters the picture. It correlates autonomous system numbers (ASN) with network owners and IP addresses in order to identify guilty parties.

The May 2011 list, for example, shows several prominent health-care providers, including Cedars-Sinai Health Systems, Texas Children’s Hospital, Apria Healthcare, and Cornell University Medical Center, in the top 10 spam senders.

Both the American Hospital Association and Healthcare Information and Management Systems Society say they do not track this type of problem and were unable to comment for this story.

SpamRanking’s original two-year, $350,000 NSF grant ran out at the end of May. It is now looking for additional grants and funding. Whinston hopes to expand the service through widgets and tools. Eventually, he also aims to establish a certification for organizations that are spam free.

Clearly, the project has the potential to attack spam from a completely new angle. “SpamRankings uses outbound spam as a proxy for IT security problems," says Quarterman. "If you don’t want to be ranked, don’t let outbound spam out.”

 

Samuel Greengard is an author and journalist based in West Linn, OR.