Will public embarrassment cause brands to weed out botnets and tighten security? SpamRankings hopes so.
Would you avoid doing business with a company that doesn’t carefully protect its computer system from hackers? It probably depends.
If you’re buying a cheeseburger you likely don’t care about the back office’s security measures–but consider a hospital that has your social security number, credit card information and private medical records on file. If you discovered that hospital is a regular victim of computer hackers, you might reconsider your options for care, or at least raise a fuss with administrators.
Researchers at The University of Texas at Austin are conducting a spam tracking experiment to see if the threat of reputation damage will encourage organizations to improve computer security. Their laboratory tool is SpamRankings.net, a website that publicizes the world’s biggest spam havens.
Spam = Compromised Security Procedures
Poor computer security is at the heart of both spam and data theft. Spammers use what are called botnets to send spam using computers hijacked without the knowledge of their legitimate owners. Computer systems infected with botnets are likely targets for other malfeasance, including theft of data, which puts consumers at risk.
“Outbound spam is a proxy for poor organizational security,” explains Dr. Andrew Whinston, the e-commerce sage at The University of Texas at Austin, “because outbound spam indicates botnets, botnets indicate vulnerabilities, and vulnerabilities indicate susceptibility to other malware, including phishing, DDoS, and identify theft.”
Whinston and his research team wondered what would happen if they published lists of the top spam havens. Will public embarrassment cause brands to weed out botnets and tighten security?
The first step was figuring out how to identify the worst offenders using information drawn from (and I quote) “custom blocklist volume data by Composite Blocking List (CBL) using correlations of groups of IP addresses (Autonomous Systems) to organizations by Internet security research firm Team Cymru.” Got that?
Next Step, Public Humiliation
The result is a ranking of organizations based on the amount of spam that flows through their computer system.
“Obviously, landing at the top of the list is no honor,” says Whinston’s colleague John S. Quarterman. “Organizations will want to restore their reputation and take measures to protect their customers as well. Those that rank well will want to brag about it.”
I’ll watch for companies to jump on the “we have excellent placement on the Composite Blocking List” brand wagon, but I have my doubts. I suspect this will have more impact on those with reputations to save.
One can imagine Boston Medical Center isn’t pleased to be the top healthcare spammer for June 2011, and the previous spam haven champ, Cedars-Sinai seems to have cleaned up its act. So perhaps the experiment is working. (UPDATE: Primary Network has the top spot for May 2012…the list updates regularly, and tracks ups and downs.)
Meanwhile, the research team is expanding the site with new industry categories, and they’re eager to hear from organizations that land on the offender list. “We’re all ears,” claims Whinston.