OT: IP address reputation, BorderWare

Chris Yuzik itdept at fractalweb.com
Thu Mar 22 22:39:00 CET 2007


Hi Everyone,

While this is slightly off topic, it's likely of interest to most of us 
here.

Today I attended a webinar on fighting image spam which was put on by a 
company called BorderWare. BorderWare makes rack-mount antispam devices, 
amongst other things. The webinar was pretty good and had some great 
statistics and such. One of the themes of the discussion was "reputation 
analysis" where they say that not only should we check a sender's IP 
address to see if it's blacklisted, but also should check what that IP's 
track record is--for viruses, spam, malformed messages, etc. You can 
manually do this yourself at bsn.borderware.com.

Here's the interesting/disturbing part: when I looked up our "brand 
spankin new" mail server's IP address, I see we're not doing so well and 
that 87.5% of all our mail is to bad recipients. After getting up off of 
the floor and sitting back down in my chair, I started going over 
things. Have we been compromised? Is there a bad PHP script somewhere? 
Did our hosting provider give us an IP that was formerly used by a 
spammer? No to all questions.

Turns out, it's the sender address verification milter we've got running 
at the MTA level. I ran a couple of reports that indicate that yes, 
about 87% of inbound email never makes it into the inbound queue, so 
their data is correct. Obviously, in order to verify that an address 
exists, our server initiates an email to the recipient's mail server and 
finds out immediately that either the user is rejected or the system is 
going to accept an email for that user, and based on that information, 
we either allow the message into the inbound queue for further 
processing or reject it.

As a result of all of this, BorderWare's network of appliances out there 
all report our server's activity back to the mothership, which sees 
all these bad recipients and gives our server a less than stellar report 
indicating that we're likely spamming. Not good.

So I phoned the company and talked to some sales guy about this. After 
looking up our IP and talking with me, he told me that it's a bad idea 
to have our server "perform these actions". I went over some stats with 
him and explained why it's so important that we do the address 
verification and that furthermore, their system shouldn't be penalizing 
white-hat mail servers that are actively protecting their users from bad 
stuff. At first he said that perhaps this is just a difference in 
philosophy, but at the end agreed to go talk with someone and get back 
to me. I suggested that there are a lot of mail servers that do sender 
address verification, and they're unlikely to stop using this incredibly 
powerful tool just because BorderWare thinks that it's a bad idea. My 
hope is that they'll either remove this from their scoring system or 
change their weighting formula.

What do you guys (and gals) think?

Cheers,
Chris
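The callout Chris describes, modelled end to end as an added example (this is not code from the post, from MailScanner or from BorderWare): the verifying MTA opens an SMTP session to the sender's domain, issues RCPT TO for the envelope sender, and turns the reply into an accept/reject/defer decision. The remote MTA, its mailbox table and the inbound sender sample are constructed for the example; the "defer" branch shows the caveat a practitioner wants, namely that a temporary 4xx must not be treated as "user does not exist". The last function counts the same thing an outside observer would see on the wire, which is why a high share of forged senders shows up as "mail to bad recipients".

```python
# Simulated SMTP "callout" for sender address verification.
# Added example: not code from the post, MailScanner or BorderWare.
# The remote MTA, its mailbox table and the inbound sample are constructed.
from typing import Dict, List, Optional, Set, Tuple

# Constructed: mailboxes the remote (sender-domain) MTA will accept.
REMOTE_MAILBOXES: Dict[str, Set[str]] = {
    "example.net": {"alice", "postmaster"},
}
# Constructed: a domain whose MTA answers every RCPT with a temporary failure.
TEMPFAIL_DOMAINS: Set[str] = {"slow.example"}


def remote_mta(domain: str, command: str) -> str:
    """Minimal responder playing the remote MTA's side of the callout."""
    verb, _, arg = command.partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        return f"250 mx.{domain} Hello"
    if verb == "MAIL":
        return "250 2.1.0 Sender OK"
    if verb == "RCPT":
        if domain in TEMPFAIL_DOMAINS:
            return "451 4.7.1 Try again later"
        local = arg.split(":", 1)[1].strip("<> ").rpartition("@")[0]
        if local.lower() in REMOTE_MAILBOXES.get(domain, set()):
            return "250 2.1.5 Recipient OK"
        return "550 5.1.1 User unknown"
    if verb == "RSET":
        return "250 2.0.0 OK"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.1 Command unrecognized"


def verify_sender(address: str,
                  transcript: Optional[List[Tuple[str, str]]] = None) -> str:
    """Run the callout for one envelope sender.

    Returns 'accept' (remote MTA would take mail for that address),
    'reject' (permanent 5xx on RCPT) or 'defer' (temporary failure, or an
    error before RCPT), so the caller can answer 4xx instead of bouncing
    on a transient problem.
    """
    domain = address.rpartition("@")[2]
    # MAIL FROM:<> (null reverse path) is the usual choice for probes, so
    # the remote side has nothing to bounce back at the verifier.
    dialogue = [
        "EHLO verifier.example.org",
        "MAIL FROM:<>",
        f"RCPT TO:<{address}>",
        "RSET",
        "QUIT",
    ]
    verdict = "defer"
    for cmd in dialogue:
        reply = remote_mta(domain, cmd)
        if transcript is not None:
            transcript.append((cmd, reply))
        code_class = reply[0]
        if cmd.startswith("RCPT"):
            verdict = {"2": "accept", "5": "reject"}.get(code_class, "defer")
        elif cmd.startswith(("EHLO", "MAIL")) and code_class != "2":
            break  # session broken before RCPT: leave verdict as 'defer'
    return verdict


def bad_recipient_ratio(senders: List[str]) -> float:
    """Share of callouts that ended in a 5xx RCPT rejection.

    This is roughly what an observer counting our outbound RCPT commands
    records as 'mail to bad recipients'.
    """
    verdicts = [verify_sender(s) for s in senders]
    return sum(v == "reject" for v in verdicts) / len(verdicts)


# Constructed inbound sample: one genuine sender, seven forged ones.
INBOUND_SENDERS = ["alice@example.net"] + [
    f"user{i}@example.net" for i in range(7)
]

if __name__ == "__main__":
    log: List[Tuple[str, str]] = []
    print(verify_sender("user3@example.net", log))
    for cmd, reply in log:
        print(f"C: {cmd}\nS: {reply}")
    print(f"bad-recipient ratio: {bad_recipient_ratio(INBOUND_SENDERS):.1%}")
```

Running the block prints the five-line exchange for one forged sender and a bad-recipient ratio of 87.5% for the sample, the same figure the reputation lookup reported: every forged sender the verifier probes is, from the outside, one RCPT to a nonexistent mailbox originating from our IP.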



More information about the MailScanner mailing list