IP address reputation, BorderWare

Denis Croombs denis at croombs.org
Thu Mar 22 22:48:19 CET 2007


> While this is slightly off topic, it's likely of interest to 
> most of us here.
> 
> Today I attended a webinar on fighting image spam which was 
> put on by a company called BorderWare. BorderWare makes 
> rack-mount antispam devices, amongst other things. The 
> webinar was pretty good and had some great statistics and 
> such. One of the themes of the discussion was "reputation 
> analysis" where they say that not only should we check a 
> sender's IP address to see if it's blacklisted, but also 
> should check what that IP's track record is--for viruses, 
> spam, malformed messages, etc. You can manually do this 
> yourself at bsn.borderware.com.
> 
> Here's the interesting/disturbing part: when I looked up our 
> "brand spankin new" mail server's IP address, I see we're not 
> doing so well and that 87.5% of all our mail is to bad 
> recipients. After getting up off of the floor and sitting 
> back down in my chair, I started going over things. Have we 
> been compromised? Is there a bad PHP script somewhere? 
> Did our hosting provider give us an IP that was formerly used 
> by a spammer? No to all questions.
> 
> Turns out, it's the sender address verification milter we've 
> got running at the MTA level. I ran a couple of reports that 
> indicate that yes, about 87% of inbound email never makes it 
> in to the inbound queue, so their data is correct. Obviously, 
> in order to verify that an address exists, our server 
> initiates an email to the recipient's mail server and finds 
> out immediately that either the user is rejected or the 
> system is going to accept an email for that user, and based 
> on that information, we either allow the message in to the 
> inbound queue for further processing or reject it.
> 
> As a result of all of this, BorderWare's network of 
> appliances out there that all report our server's activity 
> back to the mothership that sees all these bad recipients and 
> gives our server a less than stellar report indicating that 
> we're likely spamming. Not good.
> 
> So I phoned the company and talked to some sales guy about 
> this. After looking up our IP and talking with me, he told me 
> that it's a bad idea to have our server "perform these 
> actions". I went over some stats with him and explained why 
> it's so important that we do the address verification and 
> that furthermore, their system shouldn't be penalizing 
> white-hat mail servers that are actively protecting their 
> users from bad stuff. At first he said that perhaps this is 
> just a difference in philosophy, but at the end agreed to go 
> talk with someone and get back to me. I suggested that there 
> are a lot of mail servers that do sender address 
> verification, and they're unlikely to stop using this 
> incredibly powerful tool just because BorderWare thinks that 
> it's a bad idea. My hope is that they'll either remove this 
> from their scoring system or change their weighting formula.
> 
> What do you guys (and gals) think?

I have always felt that address verification was worse than spammers and
will never deal with people who use it.

Regards

Denis
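The callout sequence the quoted post describes, written out as an added example (this code is not from the thread, from MailScanner or from BorderWare): a verifying MTA probes the envelope sender's own MX with MAIL FROM:<> and RCPT TO, abandons the transaction before DATA, and accepts or rejects the inbound message on the reply. A second function shows what a reputation sensor that only records "RCPT TO rejected from this IP" computes from the same traffic. Every host, mailbox and inbound sender below is constructed for the demo, and `verifier.example.net` is an assumed name for the verifying server.

```python
# Added example: model of a sender address verification (SAV) callout and of
# the per-IP "bad recipient" ratio a reputation sensor derives from it.
# All domains, mailboxes and inbound senders are constructed sample data.
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class FakeMX:
    """Stand-in for a remote mail server: knows its valid mailboxes and
    answers the SMTP verbs a verification callout uses."""
    domain: str
    users: frozenset

    def respond(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "EHLO":
            return f"250 {self.domain} Hello"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            # arg is "TO:<local@domain>"; check that the local part exists
            local = arg.split("<", 1)[1].rstrip(">").split("@")[0].lower()
            return "250 2.1.5 Ok" if local in self.users else "550 5.1.1 User unknown"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognised"


def sav_callout(mx: FakeMX, sender: str):
    """Ask the sender's own MX whether the envelope sender exists.

    The verifier uses the null return path (MAIL FROM:<>) so the probe can
    never trigger a bounce, and quits after RCPT TO so no message body is
    ever transmitted.  Returns (accepted, transcript).
    """
    transcript = []

    def send(line: str) -> str:
        reply = mx.respond(line)
        transcript.append(f"C: {line}")
        transcript.append(f"S: {reply}")
        return reply

    send("EHLO verifier.example.net")  # assumed name of the verifying MTA
    send("MAIL FROM:<>")
    rcpt_reply = send(f"RCPT TO:<{sender}>")
    send("QUIT")
    return rcpt_reply.startswith("2"), transcript


def verify_inbound(mx_by_domain: dict, envelope_senders: list):
    """One callout per inbound message, as the milter in the post does.
    Returns a list of (sender, accepted) verdicts in arrival order."""
    verdicts = []
    for sender in envelope_senders:
        domain = sender.split("@")[1]
        accepted, _ = sav_callout(mx_by_domain[domain], sender)
        verdicts.append((sender, accepted))
    return verdicts


def reputation_view(verdicts):
    """Share of RCPT TO commands from our IP that the remote side rejected.

    A sensor that records only accept/reject cannot tell a forged sender
    being verified from a spammer probing for live mailboxes, so every
    rejected callout counts against the verifying server."""
    rejected = sum(1 for _, accepted in verdicts if not accepted)
    return Fraction(rejected, len(verdicts))


# Constructed sample: eight inbound messages.  Seven carry forged or dead
# envelope senders at real domains (typical of spam); one is genuine.
MX_BY_DOMAIN = {
    "example.com": FakeMX("mx.example.com", frozenset({"alice", "bob"})),
    "example.org": FakeMX("mx.example.org", frozenset({"carol"})),
}
INBOUND_SENDERS = [
    "alice@example.com",  # genuine mailbox
    "zxq9@example.com", "promo-1@example.com", "noreply7@example.com",
    "dave@example.org", "erin@example.org", "sales@example.org",
    "bounce@example.org",
]


def demo():
    """Run the sample traffic through verification and score it."""
    verdicts = verify_inbound(MX_BY_DOMAIN, INBOUND_SENDERS)
    return verdicts, reputation_view(verdicts)


if __name__ == "__main__":
    verdicts, bad_share = demo()
    for sender, ok in verdicts:
        print(f"{sender:24} {'accepted' if ok else 'rejected by sender MX'}")
    print(f"'bad recipient' share as a reputation sensor counts it: {float(bad_share):.1%}")
    print("\n".join(sav_callout(MX_BY_DOMAIN["example.org"], "dave@example.org")[1]))
```

With this sample the sensor reports 87.5% bad recipients, the same figure the post quotes, although every rejection was a forged sender being checked. That is the ambiguity a sender's reputation depends on: the sensor sees only the callout's RCPT TO outcome from the verifying IP, so an operator running verification should expect this score and weigh it against the value of the rejections it buys.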



More information about the MailScanner mailing list