The Organization for Economic Cooperation and Development (OECD) has released new research into the role that broadband Internet Service Providers (ISP) around the world can play in helping to mitigate the impact of Botnet's (i.e. Trojan / Malware infected computers), which SPAMMERS abuse to spew out approximately 83.4% of all junk email (Symantec’s MessageLabs 2009 data).

Over the period 2005-2009, between 60% to 74% of all infected computers (i.e. SPAM sending IP addresses worldwide) were located within networks of around 200 ISPs in the wider OECD area. However just 50 ISPs account for half of all infected machines and the vast majority of these are legitimate providers.


Thankfully many ISPs claim that their organisations already have practices in place to tackle spam/botnets, where they contact and in some cases quarantine customers whose machines are infected with malware. Virgin Media UK has done this before, as have a few others. However the OECD warned that this practice is not as widely adopted as it could be, doesn't catch enough infected computers and no data is available to show its true effectiveness.


In other words, broadband ISPs don't have enough incentive to scale up their mitigation efforts in a way that would match the problems true size. However there is apparently no firm research available to either refute or confirm this claim.

To be fair, most UK ISPs operator off fairly thin profit margins and already have a huge weight of new government regulation bearing down upon them. In addition the report claims that ISP support costs can quickly outweigh the profit margin for a subscription. Sadly some of the third party (not OECD) suggestions for resolving this are quite controversial.

Possible Solutions

1. Asking governments to force ISPs to assume more responsibility (liability for infected machines could be assigned to the ISPs).

2. Impose statutory damages on ISPs that do not respond promptly to requests for the removal of compromised machines.

3. Subsidise the clean-up of infected machines, in what the author calls a public health approach to cybersecurity (Clayton 2010).

The final option would overcome the incentive problem, although we can't imagine many governments taking that rout. The report also admits that the problem itself, ultimately, isn't the ISPs fault. Ignoring the hackers themselves, Customers must take the bulk of responsibility for failing to keep their systems both secure and up-to-date.

As it stands this issue is unlikely to be resolve anytime soon, after all it's been a problem that governments and ISPs have tried and failed to tackle ever since dialup internet first became popular (15 years ago). On the other hand I'm sure we'd all feel a lot happier about the internet if SPAM was no longer such an annoyance. A LOT HAPPIER.