Internet's 'bad neighbourhoods' spread scams and spam

Published 15 March 2013

[Image caption: Knowing where mail comes from can help spot if it is likely to be junk or malicious]

About 50% of all junk mail on the net emerges from just 20 internet service providers (ISPs), a study has found.

The survey of more than 42,000 ISPs tried to map the net's "bad neighbourhoods" to help pinpoint sources of malicious mail.

The survey by a researcher in the Netherlands found that, in many cases, ISPs specialise in particular threats such as spam and phishing.

Methods to thwart attacks and predict targets also emerged from the study.

The large-scale study was carried out to help fine-tune computer security tools that scrutinise the net addresses of email and other messages to help them work out if they are junk or legitimate. Such tools could make better choices if they were armed with historical information about the types of traffic that emerge from particular networks.

In his analysis, Giovane Cesar Moreira Moura, who studied at the University of Twente, found that some networks could be classed as "bad neighbourhoods" because, just like in the real world, they were places where malicious activity was more likely.

Of the 42,201 ISPs studied, just 20 networks were the source of about 50% of all junk mail, phishing attacks and other malicious messages, he found. Many of these networks were concentrated in India, Vietnam and Brazil. On the net's most crime-ridden network - Spectranet in Nigeria - 62% of all the addresses controlled by that ISP were seen to be sending out spam.

Networks involved in malicious activity also tended to specialise in one particular sort of malicious message or attack, he discovered. For instance, the majority of phishing attacks came from ISPs based in the US. By contrast, spammers tend to favour Asian ISPs. Indian ISP BSNL topped the list of spam sources in the study.

Analysis tools

Mr Moreira Moura pointed out that malicious traffic coming from one network did not reveal its ultimate source. Many cybercriminals route spam and other traffic through hijacked PCs or send it across compromised corporate networks that join the net via an ISP.

The data gathered for the study is helping to create analysis tools that will do a better job of assessing whether traffic coming from sources never seen before is good or bad. In the same way that people avoid walking through parts of towns and cities known to be dangerous, security tools can start to filter traffic from ISPs known as historical sources of malicious messages.
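The neighbourhood idea described above can be sketched in a few lines of Python. This is an added example, not code from the study or its author: the ISP names, address blocks, spam history and the 0.5 threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: RFC 5737 documentation prefixes stand in for the
# address blocks of two hypothetical ISPs.
NETWORKS = {
    "isp-a.example": ipaddress.ip_network("192.0.2.0/24"),
    "isp-b.example": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed history of source addresses previously seen sending spam
# (a duplicate is included on purpose: an address counts once).
SPAM_HISTORY = [f"192.0.2.{i}" for i in range(1, 161)] + [
    "192.0.2.1", "198.51.100.7", "198.51.100.8", "198.51.100.9", "203.0.113.50",
]

def owner_of(address):
    """Return the ISP whose block contains the address, or None."""
    ip = ipaddress.ip_address(address)
    for isp, block in NETWORKS.items():
        if ip in block:
            return isp
    return None

def neighbourhood_scores(history):
    """Fraction of each ISP's addresses that have been seen sending spam."""
    seen = defaultdict(set)
    for address in history:
        isp = owner_of(address)
        if isp is not None:
            seen[isp].add(ipaddress.ip_address(address))
    return {isp: len(seen[isp]) / block.num_addresses
            for isp, block in NETWORKS.items()}

def prior_for(address, scores, threshold=0.5):
    # Prior for a never-seen source, based only on its neighbourhood. It is a
    # prior, not a verdict: the network need not be the ultimate source.
    isp = owner_of(address)
    if isp is None:
        return ("unknown network", None)
    score = scores[isp]
    label = "bad neighbourhood" if score >= threshold else "no strong prior"
    return (label, round(score, 3))

if __name__ == "__main__":
    scores = neighbourhood_scores(SPAM_HISTORY)
    for src in ("192.0.2.200", "198.51.100.77", "203.0.113.5"):
        print(src, prior_for(src, scores))
```

A filter would combine this prior with content and behaviour checks rather than block on it alone, since hijacked PCs and compromised corporate networks sit inside otherwise ordinary ISPs.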