About the project:

Your organization's outbound spam score and league rankings

Your customers care about the security of their information. Cloud.SpamRankings.net provides reputation to let you and your customers see how your organization compares among its competitors in information security.

Spam is one symptom of underlying security problems, so if your organization lets less outbound spam out than its competitors, it looks better than its peers. You can see how your organization ranks with the simplicity of sports scores and the underlying detail of batting averages and league rankings, so you can tell if there is room for security improvements. Like in baseball, football, and soccer, the higher the season score, the lower the rank number, right up to #1 for top ranking. For cloud.SpamRankings.net, #1 means most spam, which actually means worst performance. It's like a World Series or World Cup that nobody wants to win.

If your organization ranks high on outbound spam, customers may wonder if there are potential problems with availability or even identity theft. People in general may also wonder if they risk infection by merely browsing the website of a poorly ranked organization.

The reputation produced by these rankings provides economic incentives for ranked organizations to improve their security and keep it that way. Those that succeed can even use these rankings in their marketing to attract and retain customers.

Cross-organizational identification and detection

These rankings let each organization see how well it is doing compared to its peers. They provide the cross-organizational identification and detection that has been missing from the numerous internal organizational security methods, policies, procedures, and metrics.

Peer rankings go beyond merely reacting to bad reputation from one-time events by revealing which organizations do better. Since they show comparisons before poor security results are announced on the news, and possibly before vulnerabilities are exploited for something worse than spam, these rankings enable prevention.

These rankings can be viewed in several ways. You can choose among two standard industrial classifications (NAICS or SIC), or among all ranked organizations in the United States.

How can you use this information?

As an organization, these rankings let you know whether you have spam problems, so you can fix them. You can watch the rankings over time to see whether they are fixed after you make changes.

The best way to stop outbound spam is to address the underlying security problems that let the spammers in. Since most spam is sent through botnets, ejecting any botnet infestation and fixing the vulnerabilities the bot herders used to get in would be a good path forward. Ranked organizations can use the rankings to make their own security processes more dynamic and proactive, thus protecting and rebounding better.

As a customer or potential customer, you can use these security rankings as factors in choosing where to spend your money.

How are spam and underlying security related to cybercrime?

Just as a fever indicates being sick, spam is a sign of security problems. While spam is merely one form of cybercrime, it is a proxy for the underlying vulnerabilities that permit other cybercrimes. Most spam is sent from computers compromised by botnets or phishing. The same security problems that allowed those compromises could be used for worse things, ranging from denial of service attacks, to identity theft, to blackmail, to alteration of financial records.

You can see how your organization's rankings have changed day to day to see what security measures have actually made a difference in the outbound spam escaping. Over months, you can also see which botnets are no longer infesting your networks.

Customers and the public will also be watching.

Data Source Details

We derive these rankings from publicly-available data sources that use information the ranked organizations have already released to the outside world. We do not depend on surveys, and we do not look inside any private network.

In particular, our main data sources are anti-spam blocklists that collect lists of addresses of spamming computers. Specifically, we use data from the CBL and PSBL blocklists. In addition to their host lists, we also use volume information, which is the number of spam messages seen from each spamming address, and CBL also provides us with information about botnets.

Our main ranking is derived by a composite Borda count from four constituent rankings, each of which has its own advantages. You can select the Borda count or any of the constituent rankings individually with the Source selector at the top of the organizational analysis page.
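A composite Borda count over four constituent rankings can be sketched as follows. This is an added example, not the project's own code: the page does not name the four constituent rankings or its exact Borda variant, so the four source names, the organization names, the zero-point treatment of organizations absent from a source, and the shared rank for ties are all assumptions.

```python
from collections import defaultdict

# Constructed sample data: fictional organizations, each list ordered
# from rank #1 (most spam) downward. The four source names are assumed.
CONSTITUENT_RANKINGS = {
    "cbl_volume":  ["Org-A", "Org-B", "Org-C", "Org-D"],
    "cbl_hosts":   ["Org-B", "Org-A", "Org-D", "Org-C"],
    "psbl_volume": ["Org-A", "Org-C", "Org-B"],
    "psbl_hosts":  ["Org-C", "Org-A", "Org-B", "Org-E"],
}


def borda_composite(rankings):
    """Return [(rank, org, points)], where rank #1 means most spam."""
    orgs = set()
    for name, ranked in rankings.items():
        # A constituent ranking must list each organization at most once.
        if len(set(ranked)) != len(ranked):
            raise ValueError(f"duplicate organization in {name}")
        orgs.update(ranked)

    n = len(orgs)
    points = defaultdict(int)
    for ranked in rankings.values():
        # Standard Borda: first place earns n points, second n-1, and so on.
        # An organization missing from a source earns nothing from it
        # (assumption: not listed there means no spam seen by that source).
        for position, org in enumerate(ranked):
            points[org] += n - position

    # Highest point total first; the name only makes the order deterministic.
    ordered = sorted(orgs, key=lambda o: (-points[o], o))

    result, prev_points, prev_rank = [], None, 0
    for index, org in enumerate(ordered, start=1):
        # Equal point totals share a rank, as in a league table.
        rank = prev_rank if points[org] == prev_points else index
        result.append((rank, org, points[org]))
        prev_points, prev_rank = points[org], rank
    return result


if __name__ == "__main__":
    for rank, org, pts in borda_composite(CONSTITUENT_RANKINGS):
        print(f"#{rank} {org} ({pts} points)")
```

In the sample, Org-B tops one constituent ranking but Org-A still takes composite #1 because it places first or second in all four, which is the smoothing effect a composite gives over any single source.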

These rankings are very different from previous efforts in many ways, including their data sources and the composite Borda count. See the FAQ for more on the novelty of these rankings, which compare peer organizations using metrics that cross all organizational types and provide reputational incentives for improved security.

Is there more information beyond the rankings?

Yes, we provide drilldowns for an organization to individual ASNs that are emitting spam.

Which organizations are ranked?

These reputational rankings cover every organization in the United States with at least one active Autonomous System (AS), although we do not yet publish information on all of them. We will probably cover the rest of the world in future rankings.

SpamRankings.net

These rankings of thousands of organizations go well beyond our long-running top-10 ASN rankings in Classic.Classic.SpamRankings.net. Both use the same underlying data, and much of the same informational analysis, with very different presentations.

Acknowledgements and Disclaimer

We are a small grant-supported research project at the Center for Research in Electronic Commerce at the McCombs School of Business of the University of Texas at Austin.

NSF

This material is based upon work supported by the National Science Foundation under Grants No. 1228990 and 0831338.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Data Sources

We also gratefully acknowledge custom data from CBL, PSBL, Spamhaus, the University of Texas Computer Science Department, Quarterman Creations, and Team Cymru. None of them are responsible for anything we do, either.