OT: IP address reputation, BorderWare
Ken A
ka at pacific.net
Fri Mar 23 16:52:38 CET 2007
Andoni Auzmendi wrote:
> In defense of sender address verification technique I would like to
> point out that the root of the cause is the spammers for forging the
> sender address. I think it wastes fewer resources to receive connections
> to verify senders than receiving NDRs with sometimes attached messages.
>
> At the end of the day the forged address domain mail servers will suffer
> whether they like it or not.
milter-null.
Ken A.
Pacific.Net
>
> Andoni
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of DAve
> Sent: 22 March 2007 22:34
> To: MailScanner discussion
> Subject: Re: OT: IP address reputation, BorderWare
>
> Chris Yuzik wrote:
>> Hi Everyone,
>>
>> While this is slightly off topic, it's likely of interest to most of us
>> here.
>>
>> Today I attended a webinar on fighting image spam which was put on by a
>> company called BorderWare. BorderWare makes rack-mount antispam devices,
>> amongst other things. The webinar was pretty good and had some great
>> statistics and such. One of the themes of the discussion was "reputation
>> analysis" where they say that not only should we check a sender's IP
>> address to see if it's blacklisted, but also should check what that IP's
>> track record is--for viruses, spam, malformed messages, etc. You can
>> manually do this yourself at bsn.borderware.com.
>>
>> Here's the interesting/disturbing part: when I looked up our "brand
>> spankin new" mail server's IP address, I see we're not doing so well and
>> that 87.5% of all our mail is to bad recipients. After getting up off of
>> the floor and sitting back down in my chair, I started going over
>> things. Have we been compromised? Is there a bad PHP script somewhere?
>> Did our hosting provider give us an IP that was formerly used by a
>> spammer? No to all questions.
>>
>> Turns out, it's the sender address verification milter we've got running
>> at the MTA level. I ran a couple of reports that indicate that yes,
>> about 87% of inbound email never makes it in to the inbound queue, so
>> their data is correct. Obviously, in order to verify that an address
>> exists, our server initiates an email to the recipient's mail server and
>> finds out immediately that either the user is rejected or the system is
>> going to accept an email for that user, and based on that information,
>> we either allow the message in to the inbound queue for further
>> processing or reject it.
>>
>> As a result of all of this, BorderWare's network of appliances out there
>> that all report our server's activity back to the mothership that sees
>> all these bad recipients and gives our server a less than stellar report
>> indicating that we're likely spamming. Not good.
>>
>> So I phoned the company and talked to some sales guy about this. After
>> looking up our IP and talking with me, he told me that it's a bad idea
>> to have our server "perform these actions". I went over some stats with
>> him and explained why it's so important that we do the address
>> verification and that furthermore, their system shouldn't be penalizing
>> white-hat mail servers that are actively protecting their users from bad
>> stuff. At first he said that perhaps this is just a difference in
>> philosophy, but at the end agreed to go talk with someone and get back
>> to me. I suggested that there are a lot of mail servers that do sender
>> address verification, and they're unlikely to stop using this incredibly
>> powerful tool just because BorderWare thinks that it's a bad idea. My
>> hope is that they'll either remove this from their scoring system or
>> change their weighting formula.
>>
>> What do you guys (and gals) think?
>>
>> Cheers,
>> Chris
>>
>
> If one of my users gets Joe Jobbed, and I see a few thousand connections
> coming my way to see if their account exists, never intending to
> deliver anything, I *will* block you.
>
> If my greylisting doesn't break your sender verification first.
>
> DAve
>
>
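
Added example, not part of the thread and not any vendor's scoring method: a receiving-side view of why a host doing sender address verification ends up with a poor recipient track record. The session records, the thresholds and the verdict names are constructed assumptions; the first host's figures are chosen to reproduce the 87.5% bad-recipient ratio quoted above.

```python
from collections import defaultdict

# Constructed sample: one record per inbound SMTP session as a receiving MTA
# might summarise it: (client_ip, rcpt_accepted, rcpt_rejected, data_sent).
SESSIONS = (
    # 192.0.2.10 verifies sender addresses: it issues RCPT and never sends DATA.
    [("192.0.2.10", 0, 1, False)] * 7
    + [("192.0.2.10", 1, 0, False)]
    # 198.51.100.5 is an ordinary sender with one mistyped recipient.
    + [("198.51.100.5", 1, 0, True)] * 5
    + [("198.51.100.5", 0, 1, False)]
)

# Hypothetical thresholds for illustration only.
MIN_SESSIONS = 5          # below this, do not judge the host at all
MAX_BAD_RCPT_RATIO = 0.5  # share of RCPT commands rejected as unknown user


def summarise(sessions):
    """Aggregate per-client counters from session records."""
    stats = defaultdict(lambda: {"sessions": 0, "ok": 0, "bad": 0, "data": 0})
    for ip, ok, bad, data_sent in sessions:
        s = stats[ip]
        s["sessions"] += 1
        s["ok"] += ok
        s["bad"] += bad
        s["data"] += 1 if data_sent else 0
    return stats


def classify(s):
    """Return (bad_rcpt_ratio, data_ratio, verdict) for one client."""
    rcpts = s["ok"] + s["bad"]
    bad_ratio = s["bad"] / rcpts if rcpts else 0.0
    data_ratio = s["data"] / s["sessions"]
    if s["sessions"] < MIN_SESSIONS:
        verdict = "insufficient-data"
    elif data_ratio == 0.0:
        # Never delivers a message: address verification and address
        # harvesting look identical from the receiving side.
        verdict = "probe-only"
    elif bad_ratio > MAX_BAD_RCPT_RATIO:
        verdict = "high-bad-recipient"
    else:
        verdict = "normal"
    return bad_ratio, data_ratio, verdict


def report(sessions=SESSIONS):
    return {ip: classify(s) for ip, s in summarise(sessions).items()}
```

Tracking the share of sessions that reach DATA separately from the bad-recipient ratio is what lets a receiver tell "sends mail to many dead addresses" apart from "never sends mail at all".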