IP address reputation, BorderWare
denis at croombs.org
Thu Mar 22 22:48:19 CET 2007
> While this is slightly off topic, it's likely of interest to
> most of us here.
> Today I attended a webinar on fighting image spam which was
> put on by a company called BorderWare. BorderWare makes
> rack-mount antispam devices, amongst other things. The
> webinar was pretty good and had some great statistics and
> such. One of the themes of the discussion was "reputation
> analysis" where they say that not only should we check a
> sender's IP address to see if it's blacklisted, but also
> should check what that IP's track record is--for viruses,
> spam, malformed messages, etc. You can manually do this
> yourself at bsn.borderware.com.
> Here's the interesting/disturbing part: when I looked up our
> "brand spankin new" mail server's IP address, I see we're not
> doing so well and that 87.5% of all our mail is to bad
> recipients. After getting up off of the floor and sitting
> back down in my chair, I started going over things. Have we
> been compromised? Is there a bad PHP script somewhere?
> Did our hosting provider give us an IP that was formerly used
> by a spammer? No to all questions.
> Turns out, it's the sender address verification milter we've
> got running at the MTA level. I ran a couple of reports that
> indicate that yes, about 87% of inbound email never makes it
> in to the inbound queue, so their data is correct. Obviously,
> in order to verify that an address exists, our server
> initiates an email to the recipient's mail server and finds
> out immediately that either the user is rejected or the
> system is going to accept an email for that user, and based
> on that information, we either allow the message in to the
> inbound queue for further processing or reject it.
> As a result of all of this, BorderWare's network of
> appliances out there that all report our server's activity
> back to the mothership that sees all these bad recipients and
> gives our server a less than stellar report indicating that
> we're likely spamming. Not good.
> So I phoned the company and talked to some sales guy about
> this. After looking up our IP and talking with me, he told me
> that it's a bad idea to have our server "perform these
> actions". I went over some stats with him and explained why
> it's so important that we do the address verification and
> that furthermore, their system shouldn't be penalizing
> white-hat mail servers that are actively protecting their
> users from bad stuff. At first he said that perhaps this is
> just a difference in philosophy, but at the end agreed to go
> talk with someone and get back to me. I suggested that there
> are a lot of mail servers that do sender address
> verification, and they're unlikely to stop using this
> incredibly powerful tool just because BorderWare thinks that
> it's a bad idea. My hope is that they'll either remove this
> from their scoring system or change their weighting formula.
> What do you guys (and gals) think?
I have always felt that address verification was worse that spammers and
will never deal with people who use it.
More information about the MailScanner