OT: IP address reputation, BorderWare

Andoni Auzmendi andoni.auzmendi at robertwalters.com
Fri Mar 23 12:31:06 CET 2007


In defense of the sender address verification technique, I would like to
point out that the root cause is the spammers forging the sender
address. I think it wastes fewer resources to receive connections that
verify senders than to receive NDRs, sometimes with the original messages
attached.

At the end of the day the forged address domain mail servers will suffer
whether they like it or not.

Andoni

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of DAve
Sent: 22 March 2007 22:34
To: MailScanner discussion
Subject: Re: OT: IP address reputation, BorderWare

Chris Yuzik wrote:
> Hi Everyone,
> 
> While this is slightly off topic, it's likely of interest to most of us
> here.
> 
> Today I attended a webinar on fighting image spam which was put on by a
> company called BorderWare. BorderWare makes rack-mount antispam devices,
> amongst other things. The webinar was pretty good and had some great
> statistics and such. One of the themes of the discussion was "reputation
> analysis" where they say that not only should we check a sender's IP
> address to see if it's blacklisted, but also should check what that IP's
> track record is--for viruses, spam, malformed messages, etc. You can
> manually do this yourself at bsn.borderware.com.
> 
> Here's the interesting/disturbing part: when I looked up our "brand
> spankin new" mail server's IP address, I see we're not doing so well and
> that 87.5% of all our mail is to bad recipients. After getting up off of
> the floor and sitting back down in my chair, I started going over
> things. Have we been compromised? Is there a bad PHP script somewhere?
> Did our hosting provider give us an IP that was formerly used by a
> spammer? No to all questions.
> 
> Turns out, it's the sender address verification milter we've got running
> at the MTA level. I ran a couple of reports that indicate that yes,
> about 87% of inbound email never makes it into the inbound queue, so
> their data is correct. Obviously, in order to verify that an address
> exists, our server initiates an email to the recipient's mail server and
> finds out immediately that either the user is rejected or the system is
> going to accept an email for that user, and based on that information,
> we either allow the message into the inbound queue for further
> processing or reject it.
> 
> As a result of all of this, BorderWare's network of appliances out there
> all report our server's activity back to the mothership, which sees
> all these bad recipients and gives our server a less than stellar report
> indicating that we're likely spamming. Not good.
> 
> So I phoned the company and talked to some sales guy about this. After
> looking up our IP and talking with me, he told me that it's a bad idea
> to have our server "perform these actions". I went over some stats with
> him and explained why it's so important that we do the address
> verification and that furthermore, their system shouldn't be penalizing
> white-hat mail servers that are actively protecting their users from bad
> stuff. At first he said that perhaps this is just a difference in
> philosophy, but at the end agreed to go talk with someone and get back
> to me. I suggested that there are a lot of mail servers that do sender
> address verification, and they're unlikely to stop using this incredibly
> powerful tool just because BorderWare thinks that it's a bad idea. My
> hope is that they'll either remove this from their scoring system or
> change their weighting formula.
> 
> What do you guys (and gals) think?
> 
> Cheers,
> Chris
> 

If one of my users gets Joe Jobbed, and I see a few thousand connections
coming my way to see if their account exists, never intending to
deliver anything, I *will* block you.

If my greylisting doesn't break your sender verification first.

DAve


-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
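The exchange Chris describes (connect to the sender's MX, RCPT TO the sender, drop the session before DATA) and the two side effects raised in the thread (every callout looks to the receiving MX like a session that never delivered, and a greylisting MX answers the probe with a 4xx so the verifier learns nothing) can be simulated end to end. The following is an added example, not MailScanner, BorderWare or any poster's code; the mock MX, the host name verifier.example, the IP addresses and the user list are all constructed, and the "bad recipient" ratio is only a guess at the kind of figure a reputation sensor would derive from the sessions it observes.

```python
"""Simulated SMTP sender-address-verification (SAV) callouts.

Constructed example for the mailing-list discussion; not real MTA code.
It models the callout dialogue, what the receiving MX records about the
verifier, and why greylisting leaves the verifier without an answer.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPTED = "accepted"   # MX answered 250 to RCPT TO: address exists
    REJECTED = "rejected"   # MX answered 5xx: user unknown
    UNKNOWN = "unknown"     # MX answered 4xx (e.g. greylisting): no information


@dataclass
class Session:
    """One SMTP session as the receiving MX (or a reputation sensor) sees it."""
    client_ip: str
    rcpt: str
    rcpt_code: int
    reached_data: bool = False   # a callout never issues DATA


class MockMX:
    """Minimal receiving MX for the victim domain; optionally greylists."""

    def __init__(self, users, greylist=False):
        self.users = set(users)
        self.greylist = greylist
        self.seen = set()       # (client_ip, sender, rcpt) triplets already tried
        self.sessions = []      # everything a reputation sensor could observe

    def rcpt_to(self, client_ip, sender, rcpt):
        triplet = (client_ip, sender, rcpt)
        if self.greylist and triplet not in self.seen:
            # First sight of this triplet: temporary reject, retry later.
            self.seen.add(triplet)
            code, text = 451, "4.7.1 Greylisted, try again later"
        elif rcpt in self.users:
            code, text = 250, "2.1.5 Recipient ok"
        else:
            code, text = 550, "5.1.1 User unknown"
        self.sessions.append(Session(client_ip, rcpt, code))
        return code, text


def sender_verify(mx, verifier_ip, sender_addr):
    """Callout: HELO, MAIL FROM:<>, RCPT TO:<sender>, QUIT; never DATA.

    Returns (verdict, transcript). The transcript records both sides.
    """
    transcript = [
        "S: 220 mx ESMTP",
        "C: HELO verifier.example",        # hypothetical verifier host
        "S: 250 mx",
        "C: MAIL FROM:<>",                 # null sender, like a bounce probe
        "S: 250 2.1.0 Ok",
        f"C: RCPT TO:<{sender_addr}>",
    ]
    code, text = mx.rcpt_to(verifier_ip, "", sender_addr)
    transcript += [f"S: {code} {text}", "C: QUIT", "S: 221 Bye"]
    if code == 250:
        verdict = Verdict.ACCEPTED
    elif 400 <= code < 500:
        verdict = Verdict.UNKNOWN          # greylisting breaks verification
    else:
        verdict = Verdict.REJECTED
    return verdict, transcript


def bad_recipient_ratio(mx, client_ip):
    """Share of a client's RCPT TO attempts that were rejected with 5xx,
    the kind of figure a recipient-reputation score might be built on."""
    mine = [s for s in mx.sessions if s.client_ip == client_ip]
    if not mine:
        return 0.0
    return sum(1 for s in mine if s.rcpt_code >= 500) / len(mine)


if __name__ == "__main__":
    # A forged-sender burst: 7 invented addresses plus 1 real user at the
    # victim domain, all verified by one server at 192.0.2.10 (constructed).
    mx = MockMX(users={"alice@victim.example"})
    senders = [f"user{i}@victim.example" for i in range(7)] + ["alice@victim.example"]
    for addr in senders:
        verdict, transcript = sender_verify(mx, "192.0.2.10", addr)
        print(addr, "->", verdict.value)
    print("bad recipient ratio seen by victim MX:", bad_recipient_ratio(mx, "192.0.2.10"))
    gmx = MockMX(users={"alice@victim.example"}, greylist=True)
    verdict, transcript = sender_verify(gmx, "192.0.2.10", "alice@victim.example")
    print("\n".join(transcript))
    print("greylisted MX, first callout ->", verdict.value)
```

Two points fall out of running it: from the victim MX's side, the verifier at 192.0.2.10 is the IP that generated seven 550s out of eight sessions and never once sent DATA, which is indistinguishable from a dictionary probe and is what a recipient-reputation score would penalise; and against a greylisting MX the first callout comes back UNKNOWN, so the verifier must either retry later, defer the inbound message, or fall back to a policy that accepts it unverified.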
