SpamRankings.net Outs Microsoft and More as Major Spammers
The Cleveland Clinic once again emits spam, but cleans it up quickly. Microsoft leads the U.S. and makes the U.S. lead the world in spamming for a month. And several hosting centers outspam botnet spamming with snowshoe spam for several months running.
All of this may make no sense to you. (For explanations, keep reading.) But it’s part of the everyday working language for researchers at McCombs’ Center for Research in Economic Commerce (CREC). Funded partially by a grant from the National Science Foundation, CREC researchers have toiled for a year analyzing many gigabytes of daily data on spam. The results—peer rankings of companies that have become major hosts of spam—are published monthly on the site SpamRankings.net.
"Even Microsoft, which in recent years has led in anti-spam efforts, recently showed up at the top of the U.S. top 10. If Microsoft can, anybody can," said center director Andrew Whinston. "And who wants their organization to get in the top 10, much less stay there?"
Most spammers don't send their bulk email directly from their own computers. Instead they use what are called botnets to send spam using computers belonging to legitimate organizations. Every day, SpamRankings.net processes anti-spam blocklist information about more than 8 million IP addresses, many of them associated with botnets.
"Botnets indicate an environment in which customer data can be stolen or compromised. Outbound spam is a proxy for poor organizational security," Whinston explained, "because outbound spam indicates botnets, botnets indicate vulnerabilities, and vulnerabilities indicate susceptibility to other malware, including phishing, DDoS, and identity theft. Spam is a sneeze for infosec disease."
Which could explain why medical organizations, which have been watching SpamRankings.net since it debuted, have begun to clean up their spam infestations quickly. Medical organizations typically only send small amounts of spam (tens, hundreds, or thousands of messages a day), but hospitals don't want any perception that their medical records or even medical equipment might be at risk. Cleveland Clinic was just the latest medical outfit to clean up its outbound spam act quickly.
Landing on the SpamRankings.net monthly list is no honor, but getting back off it quickly is. Most spam from medical organizations appears to result from a few employees falling for some phishing scheme and giving out their passwords, letting in malware. Any organization that employs people is susceptible to such attacks. Alert medical (or other) organizations can spot those computers and get them fixed quickly, and such resilience is indeed an honor, said Whinston. “Even chronic spammers such as medical contractor WIN in Belgium and Konkuk University Hospital in Korea have improved lately.”
Yet there are new wrinkles. SpamRankings.net has found spam from more than 27,500 Autonomous Systems (organizational groupings of IP addresses), and new ones with new problems keep turning up, like unexpected tornados or hurricanes.
"Lately all the organizations at the top of the U.S. top 10 got there because of snowshoe spam," said the project’s senior researcher, John S. Quarterman. "Snowshoe, unlike botnets, uses purchased Internet connections and sends large amounts of spam (hundreds of thousands of messages a day) from a small number of computers. And it's spreading, to the top of the Canadian Top 10 and elsewhere."
These discoveries by SpamRankings.net indicate that traditional methods of fighting spam and deeper IT security problems could use some augmentation.
“Takedowns of botnets make the news, but spam always comes back,” Whinston said. “For longer-term solutions we have to provide incentives for the Internet to self-govern itself, and putting reputation on the line is one way to encourage organizations to devote resources for better security measures.”