Download Fraud Eliminator to Protect Yourself from Phishing Scams

Does Your Email Reputation System Have a Bad Rep


The recent spike in the volume of spam traveling across the Internet, combined with the dangers of phishing and virus attacks that frequently accompany these messages, has forced enterprises to reconsider how they determine which messages will be allowed into their network. The latest advances in anti-spam technology have been enabled in part by the use of reputation services which determine the “good” and “bad” senders. There are several approaches to determining a sender’s reputation; some more effective than others.

In order to determine whether senders are “good” or “bad”, organizations must have the ability to accurately identify the sender of an email. Spammers and their ilk would prefer to hide their identities – especially for those that are engaged in open fraud such as phishing attacks. They modify email headers in an attempt to fool recipients into thinking the email is coming from a legitimate source. This practice, called “spoofing”, is a common tactic used by spammers to obfuscate their true identities.

To confront this issue, Microsoft, CipherTrust and other industry leaders have worked to create standards that allow organizations to determine whether an email is coming from a legitimate sender. To date, there continues to be debate as to which technology will prevail. Microsoft’s Caller ID (now dubbed the Sender ID Framework or SIDF) has emerged as a front-runner along with Meng Weng’s Sender Policy Framework (SPF) .

Unfortunately, merely knowing who is sending an email doesn’t necessarily stop spam. As it turns out, spammers have been early adopters of the new standards, they are better about applying for sender authentication technologies than normal corporations, and they are eager to participate!

Regardless of how many spammers adopt “honest” emailing practices, the technology to identify email senders is quickly being adopted by major ISPs and corporations. Armed with that knowledge, reputation-based filtering can have a significant impact on the level of spam in everyone’s inbox.

There are a number of methods companies use to determine whether a given email sender has a “good” reputation. Some of the most common tactics are:

By far the most costly method in terms of human resources, In-house lists require IT staff to maintain whitelists and blacklists in order to cut down on the spam problem. The difficulty with these programs is that they require that the IT staff become knowledgeable about a host of email security and spam issues, and the investment is rarely sufficient to overcome the thousands of variations of nuisances and threats posed by spammers, phishers, and other dubious email senders. By the time the administrator becomes aware of a new spam attack, the spam has already gotten onto the network, and into users inboxes.

These whitelists and blacklists are built and maintained by third party organizations for the benefit of subscribers. These lists are subject to many of the same problems faced by in-house administrators. In addition, some blacklists are maintained by vigilante groups that are quick to penalize an organization for spam; sometimes without due diligence and without giving that organization time to respond to spam charges. There is also a time-lag between when a spammer starts sending spam from a particular IP address and when the address gets added to the blacklist. By the time the services become aware of a spammers activities, the spammer has already sent millions of messages.

Two prominent examples of bonded programs are IronPort’s Bonded Sender Program and and Habeas’ Sender Warranted Email programs. These programs allow email marketers to secure bonds to certify that their email adheres to guidelines on the basis of privacy, mailing practices and issue resolution. ISPs and other mail servers can then query Bonded Sender when scanning incoming messages and handle them accordingly. However, this “pay-to-play” model is fundamentally flawed, as it gives spammers the ability to simply “buy” their way onto the list by securing a bond as a legitimate sender, regardless of whether they’re actually legitimate or not. While the cost of the bond may be prohibitive to some senders, the benefits far outweigh the costs to most spammers, as the only way the bond will be debited is if Bonded Sender receives complaints about a specific account sending spam. And really, when was the last time you or anyone you know reported receiving spam? Would you even know where to report it? In reality, spammers are paying IronPort for the right to clog your inbox.

TrustedSource is CipherTrust’s adaptive, real-time email reputation system that provides information on email sender behavior. Who sends spam? Who polices their outbound email well? TrustedSource knows. By constantly observing and analyzing email traffic across the Internet, CipherTrust identifies the "good guys.” TrustedSource provides constant updates on sender status to improve spam-fighting accuracy and allows IronMail, the secure email gateway, to achieve the highest level of accuracy in determining good email from bad.

TrustedSource servers provide data to IronMail by contributing negative values to IronMail’s Spam Profiler (SP) algorithm for messages sent from senders that are deemed reputable. Every message that passes through IronMail is checked against the TrustedSource list and based on the reply, IronMail will make a decision about whether to reduce the overall SP spam score for that message and improve its chances of not being classified as spam.

What constitutes “good behavior”
Spammer behavior changes constantly so no definitive answer is available. However, the following practices are considered “best practices” for email senders:

  • Comply with the proper RFC protocols for email.
  • Do not attempt to obscure content or messages in emails.
  • Do not send email to unverified or nonexistent email addresses.
  • Post privacy policies where they can be read and understood, prior to submission of a request.
  • Offer opportunities for users to opt-out of programs.

Adopting a reputation-based anti-spam system alone has not proven effective to stop spam. However, by combining reputation-based systems such as CipherTrust’s TrustedSource with other methods of spam control technologies such as SIDF, SPF, Bayesian Filters, Blacklists, Whitelists, Anomaly Detection, and Spam Signatures, IronMail has achieved industry-leading success.

CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “No Phishing: Protecting Employees from E-mail Fraud” or by visiting

Download Fraud Eliminator to Protect Yourself Click Here

UK Based Phishing IQ Test
Some time ago I posted a link to an American Phishing test. I'm pleased to tell you that there is now a UK Phishing Test using UK examples that might make rather more sense to us than the American one. Phishing, for those who don't know, are fake emails that supposedly come from banks etc. that are designed to get us to give out personal details, which can then be used to get money out of accounts and so on. No-one would fall for them, surely? If you're sure you're too clever then try the test and see how well you do!

Gmail Takes the Phun Out of Phishing
Google isn’t allowing itself to be put in the same situation as other e-mail providers in regard to phishing attacks. In October of last year, they implemented Yahoo’s DomainKeys e-mail source verification ( a month before Yahoo did, but that’s Google for you). Now they’re using a proprietary engine to tag suspicious messages coming in to Gmail accounts. When a Gmail user opens a suspected phishing message, the software displays a large red dialog box… Direct and Related Links for 'Gmail Takes the Phun Out of Phishing'

Netcraft: 5,600 Phishing Sites Since December
miller60 writes "Netcraft has tracked and blocked 5,600 known phishing sites since the December launch of its anti-phishing toolbar, which it has now updated with a risk rating feature that warns users about new sites with phishy characteristics, based on trends observed in known phishing scams. It has also started a service that makes the full list available of phishing sites as a continuously updated feed for service providers and companies to use in mail servers and web proxies." One bad sign: the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone.

Netflix Fixes "Phishing" Security Threat
Christopher tipped me off to a Bugtraq Mailing list thread about a possible Netflix security problem involving "Phishing." This is the Wikipedia definition of phishing: In computing, phishing is the act of attempting to fraudulently acquire through deception sensitive personal information such as passwords and credit card details by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information. It is a form of social engineering attack. Here's a link to an example of a phishing e-mail. This is an example of phishing HTML code: This was just a warning and...

14,411 phishing attempts in April 2005
In April 2005, the number of phishing attempts rose to 14,411, says Anti-Phishing Working Group. A drop in unique phishing e-mails was reported, down to 3,930, from 4,100 in March 2005. Number of phishing Web sites hosted in China increased to 2,854 active phishing sites reported in April 2005 (22% of total). 26.3% of phishing [...]

Anti-Phishing Working Group Creates Phishing Scam Database for Members (2 June 2005)
In hopes of becoming a clearinghouse for phishing data, the Anti-Phishing Working Group has created a database of phishing scams that can be used to share information with other Anti-Phishing Working Group members; there is also an XML form that can be used to submit attack data.......

Strange "Barclays" phishing attempt
When I get these things, I usually just delete them immediately, but this strange message from “Barclays” caught my eye and I began to play with it. At first, it just seems like an obvious phishing attempt. Dear Barclays Member,This email was sent by the Barclays server to verify your email address. You must complete this process by clicking on the link below and entereing in the small window your Barclays Membership number, passcode and… Direct and Related Links for 'Strange “Barclays” phishing attempt'

Strange "Barclays" Phishing Attempt
When I get these things, I usually just delete them immediately, but this strange message from “Barclays” caught my eye and I began to play with it. At first, it just seems like an obvious phishing attempt. Dear Barclays Member, This e-mail was sent by the Barclays server to verify your e-mail address. You must complete this process by clicking on the link below and entereing in the small window your Barclays Membership number, passcode,… Direct and Related Links for 'Strange “Barclays” Phishing Attempt'

John Doe Lawsuits Filed Against Phishing Operators
“Microsoft filed 117 “John Doe” lawsuits against phishing site operators in an effort to curtail the identity theft scams. “We must work together to stop these con artists from misusing the Internet as a tool for fraud. Microsoft provides consumers with the information and technology that will help protect all of us from this pervasive and destructive threat, and has filed legal action today against some of these individuals,” Aaron Kornblum, Internet safety enforcement attorney… Direct and Related Links for 'John Doe Lawsuits Filed Against Phishing Operators'

Download Fraud Eliminator to Protect Yourself Click Here