UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers

In a public "name and shame" experiment, University of Texas researchers launched SpamRankings.net to publicize which medical facilities have been hijacked by spammers.

A team of academic security researchers at the University of Texas launched a new Website to identify names and addresses of organizations that are helping send out spam.

SpamRankings is a new initiative from the Center for Research in Economic Commerce at the University of Texas at Austin. The site will publicize "spam havens," or organizations that have been hijacked by spammers to unwittingly take part in the spam-distribution operation. The site founders are hoping the publicity will pressure organizations to improve security enough to remove them from spam distribution networks and reduce at least in some small way spam volumes.

Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose.

"Nobody wants to do business with a bank or hospital or Internet hosting company that has been hijacked by spammers," said center director Andrew Whinston.

SpamRankings can also be used to assess what kind of security measures the organization may have in place. If the organization has a high spam score, then it is possible there are other security vulnerabilities and heightened risk for other malware, phishing scams, distributed denial-of-service attacks and identity theft, Whinston said.

The group's initial focus will be on health care providers that appear to be infected by spam bots. Future version of the project will focus on other industry verticals, such as banking and Web hosting.

SpamRankings currently reflects May data and has historical data for March and April. For the month of May, SpamRankings identified Korea Telecom as the biggest spam haven in the world, followed by India's National Internet Backbone. However, drilling down to just health care organizations, it appears that Belgium's WIN Authonomous System was the most prolific spam sender in May. April's lead-runner, Cedars Sinai Health Systems, a non-profit hospital and research facility in Los Angeles, ranked the second highest among global institutions and highest among health care organizations in the United States.

Cedars Sinai managed to reduce the spam volumes for the first few weeks in May, even reaching zero on May 9, but on May 28, spam volumes sent from the hospital had catapulted near to the top. On May 31, Cedars Sinai was responsible for more than 10 times more spam than North Kansas City Hospital Auxiliary, the second most prolific spam-sender that day.

"U.S. medical organizations weren't letting out nearly as much spam in May as in previous months," the researchers wrote on the site. There was still enough spam activity to make them wonder what other security problems these organizations may have, they said.

The researchers put together the initial list based on the Composite Block List, a Website which tracks Internet addresses that have been observed to send spam. The site provides the information by domain, by country and even as a monthly report of the most active botnets. However, it is difficult to extrapolate organization information from the CBL data. Researchers worked with Team Cyrmu, an organization that tracks cyber-crime activity to analyze and correlate the IP addresses in CBL's massive data set to correctly identify organizations.

Organizations can use CBL's lookup and removal tool on the Website to remove themselves from the list after resolving the problem.