Your Reputation Precedes You


CipherTrust

A Look at the Past, Present and Future of Email Reputation Systems




“Reputation, reputation, reputation! Oh, I have lost my reputation!
I have lost the immortal part of myself, and what remains is bestial.”

--Spoken by Cassio, in Shakespeare’s Othello (circa 1602)

Though written over four centuries ago, the sentiment behind these words still holds true – you’re nothing without your reputation. Every day, different reputation systems dictate who you are to those who don’t know you. To lenders, you’re a credit score. To insurance companies, you’re a calculated risk. And now, thanks to the next generation of reputation systems, you’re an IP score.

For obvious reasons, spammers, phishers and virus writers would prefer to hide their identities. They use countless techniques to disguise themselves with the intent of sneaking into your enterprise inboxes, robbing you blind or hijacking your network – or both.

On the other hand, those who would fight these senders are well served to know who the senders are and what they’ve been up to. To that end, email reputation systems are used to figure out what sort of behavior senders have demonstrated in the past and make educated predictions of their future behavior, for better or for worse.

Content Inspection Is Not Enough

Unfortunately, many enterprises rely on an email security solution based solely on message content; understanding the source of a particular message never enters the equation. While this approach is moderately effective when dealing with messages that contain specific spam identifiers, it is completely ineffective at stopping spam that employs techniques not yet seen.

Email Security with Reputation

A comprehensive approach to email security involves examining both message content and sender history. By evaluating senders based on their past behavior, a more accurate picture of their intentions and legitimacy can be discerned. Has the sender engaged in spamming, virus distribution or phishing attacks? If they have, an effective reputation system knows and flags the message. Has the sender even been seen before? If not, a reputation system should pay close attention to ensure that the sender is not a “zombie” machine being controlled remotely by a hacker.

First-Generation Reputation Systems

In the “early days” of spam (circa 2001), simple blacklists and whitelists seemed like an appropriate response to the nuisance messages that had begun to show up in inboxes around the world. Blacklists contain the IP addresses of known spammers, phishers and virus senders; whitelists contain the IP addresses of senders known to be legitimate. Referencing these lists allowed companies to filter a segment of their total mail flow, briefly curbing the onslaught of spam messages. However, their shortcomings were exposed relatively quickly.

The very nature of whitelists and blacklists makes them manual by default. In order for a list to be updated, all messages (both wanted and unwanted) must first be received by an end user and then manually reported to a system administrator. With this sort of end-user reliance, it’s easy to see why the glory days of list-only reputation systems were short-lived.

Further compounding matters, lists rely on anecdotal evidence. This opens the door to “vigilantes,” who add senders to blacklists without first verifying that they’re actually malicious, and to spammers, who add themselves to whitelists that take a “pay-to-play” approach, allowing any “bonded” sender to buy their way onto the list.

Other factors also contributed to the decline in blacklist and whitelist effectiveness. In the end, the failure of these lists as email security solutions was largely due to their inability to factor message quality into the equation.

Second-Generation Reputation Systems

The next iteration of reputation systems built on the failure of blacklists and whitelists to maintain control over the spam flood. While the lists remained an integral component, new features briefly increased second-generation reputation systems’ efficiency and effectiveness. With time, however, spammers adapted their habits to evade detection.

Among improvements seen in second-generation reputation systems were dynamic lists, necessary to combat the introduction of “zombies” into the email security landscape; automatic updates, which removed the administrative burden of manually uploading lists; and message scoring, which assesses a message’s likelihood of being spam and assigns a corresponding “score.”

The Next-Generation Reputation System

Today’s spammers are more clever than ever, so today’s reputation systems must be equally sophisticated. An effective reputation system must be dynamic, comprehensive and precise, and based on actual enterprise email traffic in order to keep the spammers from gaining any advantage. To that end, CipherTrust developed TrustedSource, the most precise and comprehensive reputation system available. TrustedSource keeps enterprises ahead of the spammers by leveraging research generated by CipherTrust’s industry-leading network of customers. In developing TrustedSource, CipherTrust has succeeded in defining a reputation for every IP address in use across the Internet (all 4.2 billion!), not just those that have been encountered in the past.

By combining years of industry-leading research with the unmatched capabilities of IronMail’s Message Profiler, CipherTrust has made some ground-breaking discoveries about the email sending behavior of IP addresses. TrustedSource merges CipherTrust’s unmatched knowledge base and global customer network of over 1,400 companies with generally available data such as traffic patterns, white/blacklists and network characteristics. This powerful combination allows TrustedSource to assign accurate scores to any IP address encountered by IronMail, considering both sender history and message characteristics.

Trust Your Reputation to Ours

A traditional email security approach that relies solely on identifying messages based on content and/or characteristics, or an approach that relies solely on blacklists and whitelists, is incapable of generating adequate data about senders. In order to accurately identify messages as wanted or unwanted, corporations must embrace an approach that includes a comprehensive reputation system like TrustedSource. To learn more about TrustedSource and how it can help you take control of your enterprise email security, download CipherTrust’s free whitepaper, “TrustedSource: Reputation Redefined.”



CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “TrustedSource: Reputation Redefined,” or by visiting www.ciphertrust.com.


UK Based Phishing IQ Test
Some time ago I posted a link to an American Phishing test. I'm pleased to tell you that there is now a UK Phishing Test using UK examples that might make rather more sense to us than the American one. Phishing, for those who don't know, are fake emails that supposedly come from banks etc. that are designed to get us to give out personal details, which can then be used to get money out of accounts and so on. No-one would fall for them, surely? If you're sure you're too clever then try the test and see how well you do!

Gmail Takes the Phun Out of Phishing
Google isn’t allowing itself to be put in the same situation as other e-mail providers in regard to phishing attacks. In October of last year, they implemented Yahoo’s DomainKeys e-mail source verification (a month before Yahoo did, but that’s Google for you). Now they’re using a proprietary engine to tag suspicious messages coming in to Gmail accounts. When a Gmail user opens a suspected phishing message, the software displays a large red dialog box…

Netcraft: 5,600 Phishing Sites Since December
miller60 writes "Netcraft has tracked and blocked 5,600 known phishing sites since the December launch of its anti-phishing toolbar, which it has now updated with a risk rating feature that warns users about new sites with phishy characteristics, based on trends observed in known phishing scams. It has also started a service that makes the full list available of phishing sites as a continuously updated feed for service providers and companies to use in mail servers and web proxies." One bad sign: the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone.

Netflix Fixes "Phishing" Security Threat
Christopher tipped me off to a Bugtraq Mailing list thread about a possible Netflix security problem involving "Phishing." This is the Wikipedia definition of phishing: In computing, phishing is the act of attempting to fraudulently acquire through deception sensitive personal information such as passwords and credit card details by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information. It is a form of social engineering attack. Here's a link to an example of a phishing e-mail. This is an example of phishing HTML code: https://www.netflix.com/redirect.jsp?target=http://dummy.site.com/ This was just a warning and...

14,411 phishing attempts in April 2005
In April 2005, the number of phishing attempts rose to 14,411, says Anti-Phishing Working Group. A drop in unique phishing e-mails was reported, down to 3,930, from 4,100 in March 2005. Number of phishing Web sites hosted in China increased to 2,854 active phishing sites reported in April 2005 (22% of total). 26.3% of phishing [...]

Anti-Phishing Working Group Creates Phishing Scam Database for Members (2 June 2005)
In hopes of becoming a clearinghouse for phishing data, the Anti-Phishing Working Group has created a database of phishing scams that can be used to share information with other Anti-Phishing Working Group members; there is also an XML form that can be used to submit attack data.......

John Doe Lawsuits Filed Against Phishing Operators
“Microsoft filed 117 “John Doe” lawsuits against phishing site operators in an effort to curtail the identity theft scams. “We must work together to stop these con artists from misusing the Internet as a tool for fraud. Microsoft provides consumers with the information and technology that will help protect all of us from this pervasive and destructive threat, and has filed legal action today against some of these individuals,” Aaron Kornblum, Internet safety enforcement attorney…