OT: IP address reputation, BorderWare

DAve dave.list at pixelhammer.com
Thu Mar 22 23:33:31 CET 2007


Chris Yuzik wrote:
> Hi Everyone,
> 
> While this is slightly off topic, it's likely of interest to most of us 
> here.
> 
> Today I attended a webinar on fighting image spam which was put on by a 
> company called BorderWare. BorderWare makes rack-mount antispam devices, 
> amongst other things. The webinar was pretty good and had some great 
> statistics and such. One of the themes of the discussion was "reputation 
> analysis" where they say that not only should we check a sender's IP 
> address to see if it's blacklisted, but also should check what that IP's 
> track record is--for viruses, spam, malformed messages, etc. You can 
> manually do this yourself at bsn.borderware.com.
> 
> Here's the interesting/disturbing part: when I looked up our "brand 
> spankin new" mail server's IP address, I see we're not doing so well and 
> that 87.5% of all our mail is to bad recipients. After getting up off of 
> the floor and sitting back down in my chair, I started going over 
> things. Have we been compromised? Is there a bad PHP script somewhere? 
> Did our hosting provider give us an IP that was formerly used by a 
> spammer? No to all questions.
> 
> Turns out, it's the sender address verification milter we've got running 
> at the MTA level. I ran a couple of reports that indicate that yes, 
> about 87% of inbound email never makes it into the inbound queue, so 
> their data is correct. Obviously, in order to verify that an address 
> exists, our server initiates an email to the recipient's mail server and 
> finds out immediately that either the user is rejected or the system is 
> going to accept an email for that user, and based on that information, 
> we either allow the message into the inbound queue for further 
> processing or reject it.
> 
> As a result of all of this, BorderWare's network of appliances out there 
> all report our server's activity back to the mothership, which sees 
> all these bad recipients and gives our server a less than stellar report 
> indicating that we're likely spamming. Not good.
> 
> So I phoned the company and talked to some sales guy about this. After 
> looking up our IP and talking with me, he told me that it's a bad idea 
> to have our server "perform these actions". I went over some stats with 
> him and explained why it's so important that we do the address 
> verification and that furthermore, their system shouldn't be penalizing 
> white-hat mail servers that are actively protecting their users from bad 
> stuff. At first he said that perhaps this is just a difference in 
> philosophy, but at the end agreed to go talk with someone and get back 
> to me. I suggested that there are a lot of mail servers that do sender 
> address verification, and they're unlikely to stop using this incredibly 
> powerful tool just because BorderWare thinks that it's a bad idea. My 
> hope is that they'll either remove this from their scoring system or 
> change their weighting formula.
> 
> What do you guys (and gals) think?
> 
> Cheers,
> Chris
> 

If one of my users gets Joe Jobbed, and I see a few thousand connections 
coming my way to see if their account exists, never intending to 
deliver anything, I *will* block you.

If my greylisting doesn't break your sender verification first.

DAve


-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
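The callout Chris describes (MAIL FROM:<>, RCPT TO:<sender>, then act on the reply) and the two failure modes raised in this thread, a greylisting 4xx that leaves the check inconclusive and a joe-job flood that turns one forged domain into thousands of probes, simulated below in Python. This is an added example, not code from MailScanner, BorderWare or either poster; FakeMX, SenderVerifier and the mx_for_domain hook are constructed stand-ins for a real MX lookup and SMTP session, and the cache TTL and per-domain callout budget are illustrative values.

```python
"""Simulated sender address verification (SAV) callout with result caching
and a per-domain callout budget.  Constructed example; no network I/O."""
from collections import deque

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"


class FakeMX:
    """Stand-in for a remote mail exchanger (constructed for this example).
    Answers RCPT TO with a fixed SMTP code per address and, if greylist=True,
    tempfails the first attempt for each (client, address) pair the way a
    greylisting MTA does."""

    def __init__(self, users, greylist=False):
        self.users = set(users)
        self.greylist = greylist
        self.seen = set()
        self.rcpt_count = 0  # callouts this MX actually had to answer

    def rcpt_to(self, client_ip, address):
        self.rcpt_count += 1
        if self.greylist and (client_ip, address) not in self.seen:
            self.seen.add((client_ip, address))
            return 450, "4.7.1 Greylisted, try again later"
        if address in self.users:
            return 250, "2.1.5 Recipient OK"
        return 550, "5.1.1 User unknown"


class SenderVerifier:
    """Performs the callout (MAIL FROM:<>, RCPT TO:<sender>, QUIT), caches the
    verdict, and caps callouts per sender domain per time window so that a
    burst of forged senders at one domain cannot fan out into thousands of
    probes against that domain's MX."""

    def __init__(self, mx_for_domain, client_ip, cache_ttl=3600,
                 max_callouts_per_domain=10, window=600):
        self.mx_for_domain = mx_for_domain  # hypothetical MX lookup hook
        self.client_ip = client_ip
        self.cache_ttl = cache_ttl
        self.max_callouts = max_callouts_per_domain
        self.window = window
        self.cache = {}    # sender -> (verdict, expiry timestamp)
        self.recent = {}   # domain -> deque of callout timestamps

    def verify(self, sender, now):
        """Return (verdict, transcript).  UNKNOWN means "no conclusion, let
        the message through to the rest of the pipeline"; only a definite
        5xx from the remote MX yields INVALID."""
        cached = self.cache.get(sender)
        if cached and cached[1] > now:
            return cached[0], ["(cached verdict, no callout made)"]
        domain = sender.rsplit("@", 1)[-1]
        times = self.recent.setdefault(domain, deque())
        while times and times[0] <= now - self.window:
            times.popleft()
        if len(times) >= self.max_callouts:
            # Budget exhausted: do not probe, do not reject on a guess.
            return UNKNOWN, ["(callout budget for %s exhausted)" % domain]
        times.append(now)
        mx = self.mx_for_domain(domain)
        # Abbreviated session transcript; the MAIL FROM reply is assumed 250.
        transcript = ["C: MAIL FROM:<>", "S: 250 2.1.0 OK",
                      "C: RCPT TO:<%s>" % sender]
        code, text = mx.rcpt_to(self.client_ip, sender)
        transcript += ["S: %d %s" % (code, text), "C: QUIT", "S: 221 2.0.0 Bye"]
        if code == 250:
            verdict = VALID
        elif 500 <= code < 600:
            verdict = INVALID
        else:
            verdict = UNKNOWN  # 4xx: greylisted or busy, nothing proven
        ttl = self.cache_ttl if verdict != UNKNOWN else 300
        self.cache[sender] = (verdict, now + ttl)
        return verdict, transcript


def demo():
    """Run the scenarios from the thread and return the observed verdicts."""
    normal = FakeMX({"alice@example.com"})
    grey = FakeMX({"carol@grey.example"}, greylist=True)
    mxs = {"example.com": normal, "grey.example": grey}
    v = SenderVerifier(mxs.__getitem__, client_ip="192.0.2.10")
    r = {}
    r["alice"] = v.verify("alice@example.com", now=0)[0]
    r["bob"] = v.verify("bob@example.com", now=1)[0]
    r["bob_again"] = v.verify("bob@example.com", now=2)[0]   # served from cache
    r["callouts_before_burst"] = normal.rcpt_count
    r["carol_first"] = v.verify("carol@grey.example", now=3)[0]   # greylisted
    r["carol_retry"] = v.verify("carol@grey.example", now=400)[0]  # UNKNOWN expired
    # Joe-job style burst: 1000 distinct forged senders at one domain.
    for i in range(1000):
        v.verify("forged%d@example.com" % i, now=10)
    r["callouts_to_example_com"] = normal.rcpt_count
    return r


if __name__ == "__main__":
    for k, val in demo().items():
        print("%-26s %s" % (k, val))
```

The design choice that addresses DAve's complaint is the per-domain budget: once ten callouts have gone to example.com within the window, the remaining 990 forged senders get UNKNOWN without any connection being opened, so the domain's MX sees ten probes rather than a thousand. The greylisting case shows why a 4xx must map to UNKNOWN rather than INVALID; the short cache TTL lets the retry succeed once the remote MX has seen the pair before.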


More information about the MailScanner mailing list