Tuesday, February 01, 2005

fyi CipherTrust: Mail Senders 'Guilty Until Proven Innocent'


Pointer to article:

Kobielus kommentary:
Ahh…such an inflammatory headline.

The actual article isn’t sensational at all, just thought-provoking. It presents an important anti-spam technique to be employed at mail firewalls: evaluating the potential spamminess of incoming e-mail based on the “reputation” of the IP address from which the mail originated. Specifically, it discusses CipherTrust’s approach for evaluating the “reputation” of an IP address based on its history of generating spam. In particular, it discusses how or whether one can evaluate the “reputation” of the many newly created IP addresses—perhaps 30 percent of the total on any given day—which, by definition, have no history.

What is interesting here is that CipherTrust's mail gateway evaluates these addresses’ “reputation” not individually, but en masse, based on the recent spam-generating behavior of the total class of newly created IP addresses, and then uses that evaluation as one of many factors to take into consideration when filtering mail from these sources. Hence the “guilty until proven innocent” preliminary evaluation of these addresses regarding their spam potential.

Which only makes sense. In one important respect, spam is an identity management problem. Spammers have obtained your authenticated identity (your e-mail address), which allows them to target you with messages, even though you don’t always have theirs (their current e-mail address, IP address, or originating mail domain). Consequently, you can’t effectively target them with filtering and blocking mechanisms. Until you’ve nailed them down to a stable, authentic, verified address. Until you have the evidence necessary to justify adding that address to a whitelist of trusted senders. Even then, you can’t know whether your trusted senders have been hijacked by zombies, so you must continually “trust but verify.”

To the extent that you’re bombarded by mail from apparent strangers (i.e., unfamiliar/new IP addresses, e-mail addresses, etc.), you should presume they’re a possible threat, unless you have compelling indications otherwise. The more impermanent our IP addresses get, the more dynamic (and provisional) our whitelists must become. And the more often we have to do a “halt who goes there” sentry check with any knock on our virtual door.

Or set of doors. Inbound messages must run a gantlet of sliding doors (i.e., mail gateways) before they enter the inner sanctum of our inbox. Like Maxwell Smart, only smarter. That’s the only way our mail-handling infrastructure can layer the intelligence needed to hold back the tide.
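The class-based scoring of new IP addresses described above can be sketched as follows. This is an added example, not CipherTrust's algorithm or anything from the article; `MIN_HISTORY`, the smoothing, the 0.4 weight, `content_score` and the documentation-range addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict

MIN_HISTORY = 20  # assumed: messages seen before an IP stops counting as "new"

class ReputationTable:
    """Per-IP spam history plus one shared record for the class of new IPs."""

    def __init__(self):
        self.history = defaultdict(lambda: [0, 0])  # ip -> [spam, total]
        self.cohort = [0, 0]                        # [spam, total] from new IPs

    def record(self, ip, was_spam):
        """Feed back the final verdict on one message from ip."""
        entry = self.history[ip]
        if entry[1] < MIN_HISTORY:
            # The sender is still new, so this message also describes the cohort.
            self.cohort[0] += int(was_spam)
            self.cohort[1] += 1
        entry[0] += int(was_spam)
        entry[1] += 1

    def cohort_rate(self):
        """Smoothed spam rate of new IPs; 0.5 when nothing has been seen yet."""
        spam, total = self.cohort
        return (spam + 1) / (total + 2)

    def reputation(self, ip):
        """Estimated spam probability for ip, in 0..1 (higher is worse)."""
        spam, total = self.history.get(ip, (0, 0))
        # The cohort rate acts as MIN_HISTORY pseudo-messages: a sender with no
        # record inherits it outright, and its own history gradually outweighs it.
        prior = self.cohort_rate()
        return (spam + prior * MIN_HISTORY) / (total + MIN_HISTORY)

def spam_score(reputation, content_score, rep_weight=0.4):
    """Reputation is one factor among several; content_score stands in for the rest."""
    return rep_weight * reputation + (1 - rep_weight) * content_score

if __name__ == "__main__":
    table = ReputationTable()
    # Constructed feedback: eight new IPs that send only spam, two that send none.
    for i in range(10):
        for _ in range(5):
            table.record(f"198.51.100.{i}", was_spam=i < 8)
    for _ in range(200):                      # a long-lived, clean sender
        table.record("192.0.2.10", was_spam=False)
    print("never-seen IP :", round(table.reputation("203.0.113.5"), 3))
    print("clean sender  :", round(table.reputation("192.0.2.10"), 3))
    print("mixed message :", round(spam_score(table.reputation("203.0.113.5"), 0.2), 3))
```

Because verdicts keep feeding `record`, a whitelisted sender that starts emitting spam loses its standing again, which is the “trust but verify” point made above.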