CipherTrust: Mail Senders 'Guilty Until Proven Innocent'

after Symantec

Dubbed TrustedSource 3.0, the new service has already been delivered to some IronMail customers as part of the regular update process, said Matt Anthony, the director of product marketing for CipherTrust. Other customers, he said, are being updated now.

TrustedSource analyzes messages hitting the gateway -- IronMail's appliances are all gateway-installed devices -- and assigns each a score based on the prior behavior of the sending IP address. That score is then combined with the other characteristics the appliance examines to decide whether a message is designated spam or possibly virus-laden, and thus discarded, or is allowed through to inboxes or perhaps to a quarantine area.

"False positives are just not an issue," Anthony claimed. "IronMail comes up with a pretty good picture [of a message's nature], rather than just assign it to 'good bucket' or a 'bad bucket,'" he said.

CipherTrust already had data on some 50 million IP addresses that regularly send e-mail to enterprises, said Anthony, based on its own analysis of the traffic reaching IronMail appliances operated by more than 1,400 customers in 35 countries. "TrustedSource comes out of our very broad network of [appliance] installs," said Anthony. "We have customers in 35 countries, and 30 percent of the Fortune 100 among them," he added. "Our focus on the enterprise makes us unique," he said. "Symantec's Brightmail has a large percentage of ISPs as its customers," he said.


"But about 30 percent of the traffic that hits our gateways is from all-new IP addresses each day," said Anthony. Accounting for these addresses in a reputation system was crucial, he said, and CipherTrust did it by looking at similar message traffic from recently seen new IP addresses and "assigning the newest IPs a probability that they're sending bad messages," he said.

"That way we can assign a reputation for every IP address."

Because the data is dynamic and continually updated, the reputation given to a never-before-seen IP address can change, he added, but the starting assumption is that these addresses are "guilty until proven otherwise," said Anthony.

"Odds are, that new address is sending junk," he said. Since the reputation score is just one message characteristic fed into the overall analysis, however, legitimate mail, even from an unknown IP address, still gets through.

"This is our way of quickly identifying zombie networks," said Anthony. "Zombie" is the term for a previously compromised machine -- often one infected earlier by a worm -- that has been hijacked to send spam or distribute more malicious code. "TrustedSource turns on when the zombie turns on, turns off when they turn off," said Anthony. When a zombie stops sending mail, it will eventually regain its reputation and the appliance will again accept mail from its IP address.
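The scheme described in the preceding paragraphs (a per-IP reputation score, a pessimistic prior for never-before-seen senders derived from how other new senders behaved, continual updating so a quiet zombie slowly recovers, and the reputation score being only one input alongside content analysis) can be sketched in a few dozen lines. The following is an added illustration written for this page, not CipherTrust's code; the article does not publish the TrustedSource algorithm, so the Beta-style smoothing, the one-week half-life, the pseudo-count strength, the thresholds and the `rep_weight` blend are all assumptions of this example, and the IP addresses and message counts are constructed sample input from the RFC 5737 documentation ranges.

```python
"""Toy sender-reputation scorer in the spirit of a gateway-side scheme.

Added illustration, not CipherTrust code: the half-life, prior strength,
thresholds and blending weight below are invented for this demo.
"""
from dataclasses import dataclass, field

DAY = 86400.0


@dataclass
class IPRecord:
    good: float = 0.0       # decayed count of clean messages seen from this IP
    bad: float = 0.0        # decayed count of spam messages seen from this IP
    last_seen: float = 0.0  # timestamp (seconds) of the last update


@dataclass
class ReputationDB:
    half_life: float = 7 * DAY      # observations lose half their weight per week (assumed)
    prior_strength: float = 4.0     # how many pseudo-observations the new-IP prior is worth (assumed)
    recent_new_good: float = 1.0    # verdicts on recently first-seen IPs; these form the prior
    recent_new_bad: float = 3.0     # seeded pessimistic: most new senders turn out to be junk (assumed)
    records: dict = field(default_factory=dict)

    def _decay(self, rec: IPRecord, now: float) -> None:
        """Exponentially age the evidence so a sender that goes quiet drifts back to the prior."""
        factor = 0.5 ** (max(0.0, now - rec.last_seen) / self.half_life)
        rec.good *= factor
        rec.bad *= factor
        rec.last_seen = now

    def new_ip_prior(self) -> float:
        """P(spam) for an address never seen before: what other new addresses recently sent."""
        return self.recent_new_bad / (self.recent_new_good + self.recent_new_bad)

    def spam_probability(self, ip: str, now: float) -> float:
        """Smoothed spam probability for ip; unknown addresses get the new-IP prior."""
        prior = self.new_ip_prior()
        rec = self.records.get(ip)
        if rec is None:
            return prior
        self._decay(rec, now)
        # Beta-binomial smoothing: the prior acts as prior_strength pseudo-observations.
        a = rec.bad + prior * self.prior_strength
        b = rec.good + (1.0 - prior) * self.prior_strength
        return a / (a + b)

    def observe(self, ip: str, now: float, is_spam: bool) -> None:
        """Record one verdict for ip; first-seen IPs also update the new-IP prior."""
        rec = self.records.get(ip)
        first_seen = rec is None
        if first_seen:
            rec = self.records[ip] = IPRecord(last_seen=now)
        else:
            self._decay(rec, now)
        if is_spam:
            rec.bad += 1.0
            if first_seen:
                self.recent_new_bad += 1.0
        else:
            rec.good += 1.0
            if first_seen:
                self.recent_new_good += 1.0


def classify(db: ReputationDB, ip: str, content_score: float, now: float,
             threshold: float = 0.7, rep_weight: float = 0.5) -> str:
    """Blend reputation with a content-analysis score in [0, 1] (1 = looks like spam).

    Reputation is only one input, so clean content from an unknown IP still passes.
    """
    combined = rep_weight * db.spam_probability(ip, now) + (1.0 - rep_weight) * content_score
    if combined >= threshold:
        return "discard"
    if combined >= threshold - 0.2:
        return "quarantine"
    return "deliver"


def demo() -> dict:
    """Walk a constructed scenario: an unknown sender, a zombie, a clean relay, and recovery."""
    db = ReputationDB()
    out = {"unknown_prior": db.spam_probability("198.51.100.7", 0.0)}
    for _ in range(10):                      # zombie blasts 10 spam messages on day 0
        db.observe("203.0.113.5", 0.0, True)
    out["zombie_active"] = db.spam_probability("203.0.113.5", 0.0)
    out["zombie_verdict_day0"] = classify(db, "203.0.113.5", 0.6, 0.0)
    for _ in range(20):                      # a legitimate relay sends 20 clean messages
        db.observe("192.0.2.10", 0.0, False)
    out["relay"] = db.spam_probability("192.0.2.10", 0.0)
    out["zombie_quiet"] = db.spam_probability("203.0.113.5", 56 * DAY)  # silent for 8 weeks
    out["unknown_clean"] = classify(db, "198.51.100.99", 0.1, 56 * DAY)
    out["unknown_spammy"] = classify(db, "198.51.100.99", 0.9, 56 * DAY)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>20}: {v}")
```

Two properties of the article's description are visible in `demo()`: the zombie's probability collapses toward the (still pessimistic) new-IP prior once it stops sending, because the evidence against it decays, and a message with a low content score from an address the database has never seen is still delivered even though that address starts out "guilty".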

Among Symantec's announcements last week was an appliance deployed at the network edge that analyzes TCP traffic rather than the SMTP traffic checked at the gateway. While CipherTrust doesn't have an at-the-network-edge appliance like Symantec's Mail Security 8160, its IronMail appliances have since November been equipped with software dubbed Connection Control, which blocks mail from known spammer IP addresses at the originating server and reduces spam volume by 20 to 50 percent. Symantec claims that the 8160 cuts the amount of spam reaching the gateway by half.