Entries are included for several types of terms: Except for the last two types above, each definition is intended to be complete in itself, and many definitions also include links for further information.
The Anti-Phishing Working Group (APWG) takes reports about phishing, investigates, researches, educates, and helps set standards to deal with that form of social engineering.

ASN drilldown
A drilldown pie chart by ASN that shows how much of the observed score for this organization came from each of its Autonomous Systems (ASs). This drilldown simply de-aggregates the aggregation to organization that was performed by the project; it does not reveal any detail within the data sources.

Autonomous System (AS)
A collection of netblocks (smaller groups of IP addresses) owned by an organization. ASes are used for routing Internet traffic. See also a more detailed explanation from APNIC.

Autonomous System Number (ASN)
A numeric identifier used to identify an AS.

A collection of IP addresses known to send spam. Many organizations use these blocklists to block incoming spam. currently displays rankings derived from the CBL and PSBL blocklists, plus a composite Borda ranking constructed from those constituent rankings, comparing peer organizations, compared by industry.

Borda count

A voting system that combines multiple orders of preference into a single metric.

To make a ranking, we need some scores, and a Borda count uses other rankings as scores. In our case, we have four rankings from four combinations of data sources and metrics: CBL Volume, CBL Host, PSBL Volume, and PSBL Host.

In each individual ranking, the project orders organizations by their spam performance, with the spammiest getting rank #1. To construct the composite Borda ranking, the project takes an organization's rank k for a given ranking and gives that organization n - k points for that ranking, where n is the total number of organizations in the universe of all the individual rankings. The project sums these points for the individual rankings to produce the Borda count for each organization.

Top score

Organizations with higher Borda counts get higher (lower numbered) composite Borda ranks. The very highest scoring organization among all n organizations gets rank 1, which is the highest rank, indicating worst spam, just as for individual rankings.

Zero score

Many organizations will share the same very low rank (a high rank number) because they have scores of zero, so all those zero-score organizations rank lowest.


In this example let's use n = 250 for the demonstration universe.

For each ranking, first we reverse the points by taking an organization's rank k and subtracting it from n, as n - k. So if an organization X ranks #30 among 250 organizations ranked in CBL Volume, the Borda points for X will be 250 - 30 = 220 for CBL Volume.

If on the other rankings X ranks #28, #220, and #118, its other points will be 250 - 28 = 222, 250 - 220 = 30, and 250 - 118 = 140. The sum of the points from each ranking is an organization's Borda score, so we add up the points for X for each ranking: 220 + 222 + 30 + 140 = 612 Borda score.

Suppose organization X has Borda points of 612, Y has 230, Z has 10, and W has 250. We sort those to get this order:

Organization   Borda score
X              612
W              250
Y              230
Z              10

Among those four organizations, X has the highest score and we say it ranks highest (with the smallest rank number), while Z ranks lowest (with the biggest rank number).

A computer which has been broken into for use in a botnet.

Bot herder
A human who organizes a botnet.

A collection of compromised computers (bots) which are controlled by a bot herder who rents access to them for sending spam or other miscreant purposes.

At some point in the future it might be possible, perhaps through a third party, to develop a drilldown pie chart by botnet that shows how much of the observed spam for this organization came from each botnet.

CBL blocklist

The Composite Blocking List (CBL) is a major source of spam volume and host data for the rankings:

“The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.”

See also CBL Volume and CBL Host.

CBL's blocklist is essentially the same as Spamhaus XBL.

Compare CBL rankings.

CBL Host
This Host count is the list of IP addresses from the CBL blocklist, collected daily.

CBL Volume
This Volume count we receive as a custom count of spam messages per IP address from CBL. We collect it daily and aggregate and map it to organizations.

See the specific descriptions for the Distribution, Rank, Score, and ASN drilldown charts.

Choose Rankings Classification

Reputation works best when comparing peer organizations, so enables comparing organizations as grouped by two standard industry classification codes, SIC and NAICS, in addition to comparing thousands of organizations throughout the United States (U.S.), which is the current Universe for this project.

Use the Choose Rankings Classification button to pick any or all of these comparisons to display. NAICS is the default industry classification for comparison, because it is the most current North American industry classification code.
Our traditional long-running presents top 10 CBL Volume and PSBL Volume rankings of Autonomous Systems for selected countries worldwide. See also presents composite Borda industry peer rankings of thousands of organizations in the United States and several underlying rankings. See also Source and

Compare Organizations
See Choose Rankings Classification.

Composite Borda
See Borda count.

A Distribution chart compares organizations by rank on the x axis and by score on the y axis. The subject organization is marked by HERE. Mousing over the curve shows rank and score for each organization on the curve. Remember many organizations have the same low rank (with a high number) if they have a zero score because they emitted no spam seen by the source blocklists. See also Host.


We can provide drilldowns for an organization to individual ASNs that are emitting spam. In principle, some time in the future, perhaps through a third party, it might be possible to develop further drilldowns to netblocks or specific IP addresses, or indications of which of these are infested by which botnets, including which ASNs, netblocks, or IP addresses were associated with each botnet.

If you are interested in development of such drilldowns beyond the ones already included, see our contact information.

Positive reputation. Previously there were few ways to compare organizations on security performance, so it was difficult to provide fame for good performance, although shame often arrived unexpectedly. Ongoing security comparisons of organizations using independent third-party data, as in these peer rankings using spam as a proxy for security, can provide fame by discovering which organizations have the fewest detected security problems compared to their peers, and which ones have improved the most. Organizations that rank well can use those rankings in their own marketing to retain and attract customers. This is one way these rankings provide economic incentives.


This metric is the number of unique IP addresses observed sending spam for the indicated time period.

More specifically, in the Spam score charts for CBL Host and PSBL Host, the numbers shown for each day are the total numbers of hosts for that day. However, the host numbers shown for the entire month in the Distribution chart are the sum of all the numbers for each day in that month. So for example if a single host spammed each day of a 30-day month, the total host score for that month would be 30, not 1. This calculation was chosen (instead of using a unique set of hosts per month) to be consistent with the way Volume scores are calculated.

Good reputation translates into retaining and acquiring customers (see fame), while bad reputation translates into losing customers (see shame). See also Spam and Reputation.

Incident report
Security professionals are familiar with reports of specific security incidents, in as much detail as possible, as close to the time of the incident as possible. See for example The organizational analysis provided for each organization monthly by this project is not a traditional incident report: it is about aggregate peer rankings over a month, using independent third-party data.

IP drilldown
In principle, some time in the future, perhaps through a third party, it might be possible to develop drilldowns to specific IP addresses seen spamming.

Mark to market
Recording the price or value of a financial asset according to its current market value rather than its book value.

Metric uses two metrics of spam: Host and Volume, plus the composite metric Borda count. uses only Volume.

This selector chooses the month and year to display. Only the most recent few months are currently available for display. The project uses data and analysis going back several years in statistical analysis and drilldowns.

NAICS (North American Industry Classification System)
The U.S. Census Bureau says:
The North American Industry Classification System (NAICS) is the standard used by Federal statistical agencies in classifying business establishments for the purpose of collecting, analyzing, and publishing statistical data related to the U.S. business economy.

NAICS is one way to compare organizations in

A chunk of contiguous numeric Internet addresses associated with an ASN and owned by an organization.

Netblock drilldown
In principle, some time in the future, perhaps through a third party, it may become possible to provide drilldowns to netblocks seen spamming.

Any entity that owns an Autonomous System and sends email on the Internet. An organization can own more than one AS. We only rank organizations whose ASes actually route IP addresses.

Organizational analysis
For thousands of organizations in the U.S. that own at least one Autonomous System, this project provides organizations an organizational analysis web page emphasizing peer rankings using outbound spam as a proxy for security, aggregated over the previous Month. These rankings can indicate which organizations are doing well with security, providing fame, which is a refreshing change from the unexpected shame that breaches in the news provide. Many internal security metrics exist for organizations, but those do not permit cross-organizational comparisons. Even if the metrics were comparable, each organization would have to trust all the others to produce them correctly. Using independent third-party blocklist data and metrics as these rankings do avoids those problems. There can still be problems with the data or the analysis, but those problems are not likely to be deliberately caused by the individual organizations. Thus these organizational analyses are very different from traditional reactive incident reports.

A cure for all diseases, a magic medicine, a cure-all.


Peer organizations are those that consider themselves comparable, for example by being competitors or in the same industry.

See Choose Rankings Classification.

Attempts to obtain confidential Internet user information such as usernames, passwords, and credit card details, usually by sending email pretending to be from a trusted organization or person. As our colleagues at the APWG say: "Be suspicious of any email with urgent requests for personal financial information". APWG also investigates more subtle forms of the social engineering that is phishing.

Number of people.

A thing that can be used as an indication of another thing; a substitute, stand-in, or symptom. In statistics, a proxy variable is a measurable variable used in place of a variable that cannot be measured directly. See also How are spam and underlying security related to cybercrime?

PSBL blocklist

The Passive Spam Block List (PSBL) is a major source of spam volume and host data for the rankings:

“An easy-on, easy-off blacklist that doesn't rely on testing and should reduce false positives because any user can remove their ISP's mail server from the list.”

See also PSBL Volume and PSBL Host.

Compare PSBL rankings with other rankings.

This Host count is the list of IP addresses from the PSBL blocklist, collected daily.

PSBL Volume
This Volume count we receive as a custom count of spam messages per IP address from PSBL. We collect it daily and map it to netblocks, ASNs, and organizations.

A Spam rank chart shows daily changes in the rank of a single organization for a given source. The rank is produced by comparing the scores for all the organizations in the ranking universe or for selected peers.

Rankings uses outbound spam data to derive rankings of organizations to produce peer reputation. For each individual ranking (see Source), the project adds up the metric per organization and orders the organizations by their score, with rank #1 going to the highest score. The Composite Borda ranking is composed from those individual rankings; see Borda score.

Rankv1: Rankings version 1
Version 1 (retired after April 2013) of the rankings in used a static snapshot of mappings from netblocks to ASNs derived from Team Cymru data. See Rankv2.

Rankv2: Rankings version 2 uses Version 2 of the rankings, with daily mappings from netblocks to ASNs derived from CBL and Team Cymru data.

Organizations that rank well will want to brag; those that don't will want to change.

SBL blocklist
According to Spamhaus:
“The Spamhaus Block List ("SBL") Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail.

The SBL is queriable in realtime by mail systems throughout the Internet, allowing mail server administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending, hosting or origination of Unsolicited Bulk Email (aka "Spam"). The SBL database is maintained by a dedicated team of investigators and forensics specialists located in 10 countries, working 24 hours a day to list new confirmed spam issues and - just as importantly - to delist resolved issues.”

A Spam score chart shows daily changes in the score of a single organization.

To construct rankings we need something to compare: a score for each ranked organization. The scores we use are numbers of IP addresses (hosts), numbers of spam messages (volume), and Borda score, which is composed from other rankings. The score is like number of runs in baseball, and the team with the most runs ranks higher in the game or league. Of course, ranking higher for sending more spam or from more hosts is a dubious honor; an honor most organizations would like to shed as quickly as possible by improving their security.

Whenever a major security breach report gets into the news, an organization suffers shame. Ranking poorly may also produce such public disapproval, and far more organizations appear in these rankings than in the news media. This is one way these rankings provide economic incentives.

By contrast, traditional incident reports may help react to problems as they occur, but they are not comprehensive, consistent, frequent, or comparable enough to provide the positive incentive of fame for good or improved security.

SIC (Standard Industrial Classification)
The U.S. Census Bureau says:
The Standard Industrial Classification was replaced by the North American Industry Classification System (NAICS) starting in 1997, but several data sets are still available with SIC-based data. Both SIC and NAICS classify establishments by their primary type of activity.

SIC is one way to compare organizations in

This selector determines which data source is used in the analysis displayed in text, tables, and charts. The choices are: See also Rankings.

Unsolicited bulk email, mostly sent by botnets.

Spamhaus is a well-known anti-spam operation and is the distributor of the XBL blocklist and the SBL blocklist.
“Spamhaus tracks the Internet's spam senders and spam services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.”

Compare Spamhaus rankings. presents two sets of rankings:

Team Cymru
Team Cymru Research NFP is “a specialized Internet security research firm and 501(c)3 non-profit dedicated to making the Internet more secure.”

The actual universe n for is around 9,000 U.S. organizations. That's not all the organizations in the U.S.: it's the ones which have Autonomous Systems with at least one routed IP address and for which we could find industry information. See also Borda count.

This metric is the total number of spam messages observed coming from the relevant IP addresses for the indicated time period. See also CBL Volume and PSBL Volume.

XBL blocklist
Almost entirely the same as CBL. According to Spamhaus:
“The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.”