Half the world’s spam comes from just 50 ISPs

Just 50 ISPs are responsible for the bulk of the world’s spam, a new study shows, bringing hope that it might be a little easier than expected to wipe out some of the world’s most prolific botnets.

The study, carried out for the Organization for Economic Cooperation and Development (OECD), gathered 109 billion spam messages between 2005 and 2009, emanating from 170 million unique IP addresses.

The researchers found that between 80 and 90 percent of spam arrived from an infected machine. Surprisingly, though, the networks of just 50 ISPs were found to account for half of all infections worldwide.

“To put it differently: the number of actors needed to create an impact on botnets is smaller than expected,” says the report.

These aren’t fly-by-night organizations, either, but are mainly good-sized, reputable firms.

“This is remarkable, in light of the tens of thousands of entities that can be attributed to the class of ISPs,” says the report. “The bulk of the infected machines are not located in the networks of obscure or rogue ISPs, but in those of established, well-known ISPs.”

And these worst offenders remained pretty constant over the four year study period. Indeed, 31 made it onto the list in all four years. They were distributed over 17 countries.

The authors warn that patterns of botnet activity are of course subject to constant change – “History tells us that every fortification of information security will trigger adaptations in attack strategies,” they say.

Clearly, though, focusing on these worst offenders would be an efficient way of tackling the problem. And it’s probably just a question of getting them to improve their security systems, the report says.

“The great variability between ISPs even within one set of institutional circumstances is indirect evidence for the fact that they have a considerable degree of discretion as to how they repond to security threats,” it points out. “If performance were mostly driven by institutional incentives, largely beyond the control of an individual ISP, we would expect similar performance in terms of botnet mitigation.”