Does Your Email Reputation System Have a Bad Rep

The recent spike in the volume of spam traveling across the Internet, combined with the dangers of phishing and virus attacks that frequently accompany these messages, has forced enterprises to reconsider how they determine which messages will be allowed into their network. The latest advances in anti-spam technology have been enabled in part by the use of reputation services which determine the “good” and “bad” senders. There are several approaches to determining a sender’s reputation; some more effective than others.

In order to determine whether senders are “good” or “bad”, organizations must have the ability to accurately identify the sender of an email. Spammers and their ilk would prefer to hide their identities – especially for those that are engaged in open fraud such as phishing attacks. They modify email headers in an attempt to fool recipients into thinking the email is coming from a legitimate source. This practice, called “spoofing”, is a common tactic used by spammers to obfuscate their true identities.

To confront this issue, Microsoft, CipherTrust and other industry leaders have worked to create standards that allow organizations to determine whether an email is coming from a legitimate sender. To date, there continues to be debate as to which technology will prevail. Microsoft’s Caller ID (now dubbed the Sender ID Framework or SIDF) has emerged as a front-runner along with Meng Weng’s Sender Policy Framework (SPF) .

Unfortunately, merely knowing who is sending an email doesn’t necessarily stop spam. As it turns out, spammers have been early adopters of the new standards, they are better about applying for sender authentication technologies than normal corporations, and they are eager to participate!

Regardless of how many spammers adopt “honest” emailing practices, the technology to identify email senders is quickly being adopted by major ISPs and corporations. Armed with that knowledge, reputation-based filtering can have a significant impact on the level of spam in everyone’s inbox.

There are a number of methods companies use to determine whether a given email sender has a “good” reputation. Some of the most common tactics are:

By far the most costly method in terms of human resources, In-house lists require IT staff to maintain whitelists and blacklists in order to cut down on the spam problem. The difficulty with these programs is that they require that the IT staff become knowledgeable about a host of email security and spam issues, and the investment is rarely sufficient to overcome the thousands of variations of nuisances and threats posed by spammers, phishers, and other dubious email senders. By the time the administrator becomes aware of a new spam attack, the spam has already gotten onto the network, and into users inboxes.

These whitelists and blacklists are built and maintained by third party organizations for the benefit of subscribers. These lists are subject to many of the same problems faced by in-house administrators. In addition, some blacklists are maintained by vigilante groups that are quick to penalize an organization for spam; sometimes without due diligence and without giving that organization time to respond to spam charges. There is also a time-lag between when a spammer starts sending spam from a particular IP address and when the address gets added to the blacklist. By the time the services become aware of a spammers activities, the spammer has already sent millions of messages.

Two prominent examples of bonded programs are IronPort’s Bonded Sender Program and and Habeas’ Sender Warranted Email programs. These programs allow email marketers to secure bonds to certify that their email adheres to guidelines on the basis of privacy, mailing practices and issue resolution. ISPs and other mail servers can then query Bonded Sender when scanning incoming messages and handle them accordingly. However, this “pay-to-play” model is fundamentally flawed, as it gives spammers the ability to simply “buy” their way onto the list by securing a bond as a legitimate sender, regardless of whether they’re actually legitimate or not. While the cost of the bond may be prohibitive to some senders, the benefits far outweigh the costs to most spammers, as the only way the bond will be debited is if Bonded Sender receives complaints about a specific account sending spam. And really, when was the last time you or anyone you know reported receiving spam? Would you even know where to report it? In reality, spammers are paying IronPort for the right to clog your inbox.

TrustedSource is CipherTrust’s adaptive, real-time email reputation system that provides information on email sender behavior. Who sends spam? Who polices their outbound email well? TrustedSource knows. By constantly observing and analyzing email traffic across the Internet, CipherTrust identifies the "good guys.” TrustedSource provides constant updates on sender status to improve spam-fighting accuracy and allows IronMail, the secure email gateway, to achieve the highest level of accuracy in determining good email from bad.

TrustedSource servers provide data to IronMail by contributing negative values to IronMail’s Spam Profiler (SP) algorithm for messages sent from senders that are deemed reputable. Every message that passes through IronMail is checked against the TrustedSource list and based on the reply, IronMail will make a decision about whether to reduce the overall SP spam score for that message and improve its chances of not being classified as spam.

What constitutes “good behavior”
Spammer behavior changes constantly so no definitive answer is available. However, the following practices are considered “best practices” for email senders:

• Comply with the proper RFC protocols for email.
  
• Do not attempt to obscure content or messages in emails.
  
• Do not send email to unverified or nonexistent email addresses.
  
• Post privacy policies where they can be read and understood, prior to submission of a request.
  
• Offer opportunities for users to opt-out of programs.