Anyone have opinions on the mail and anti-spam work that IronPort is doing with SenderBase and such?
I hadn't heard of them before, but someone recently pointed them out.
The info on their site is a little weak on details:
IronPort SenderBase is an information service that allows email administrators to rapidly and effectively identify high volume senders of email. SenderBase uses an extensive network of over 5000 ISPs, universities and corporations to give IT administrators a global view into the volume of email sent from every domain and network.
Now we all know that "high volume senders" aren't necessarily spammers. For instance, their top four right now are:
- yahoo.com
- attbi.com
- rr.com
- aol.com
But I do see beyondspecials.com and beyondoffers.net on the list. They're more of what I think of as spammers.
Anyway, I'm looking for more info. Anyone using their service? Bought their product?
Posted by jzawodn at March 15, 2003 08:47 PM
The CTO from IronPort was on Tech TV the other day, talking about their service. I wasn't paying an extreme amount of attention, but it sounded like a good idea, although I was looking for more details. Tech TV is pretty good about archiving their stuff on their site, so you may want to go over there and take a look.
Think of them as an anti-blackhole list. Effectively, using RBL technology to whitelist instead of blacklist.
At a basic level, they're a bonding house. The way these things tend to work is that if your complaint levels go above a certain level, you start paying fines out of your bond, so effectively, it's an agreement to whitelist a mail sender in return for keeping the complaints below a given level, with a financial incentive to do so.
It's an emerging, not necessarily widely used, setup. I think it has potential to help sort out the e-mail and figure out what needs to be evaluated. I haven't specifically evaluated these folks, but they're on my list to take a closer look at. The underlying concepts and technology seem pretty reasonable, though. Anything that can help you narrow the field of things you aren't sure about is a good thing, and whitelists like this have a strong potential at helping larger sites manage their mail processing load, if they can scale, be trusted and e-mail senders convinced to sign up with them...
We in the SpamAssassin (http://spamassassin.org/) dev team have been keeping an eye on this; it could be quite neat, purely as a measure of mail volume. Dan Quinlan, in particular, seems to have been talking to them about it.
I personally would also like to see some correlation between spamtrap data and this data, to give a probability of spam from that IP address, similar to the spamcop DNSBL (http://spamcop.net/bl.shtml). But purely as a bulk-production measuring system, it's going to provide cool infrastructure for tests...
Adding to what Justin said, I've actually had several meetings with the IronPort guys, including a bunch of discussion of their Bonded Sender, SenderBase and other stuff they're working on.
As I understand it, today the "product" they sell is a mail appliance for sending/receiving large volumes of mail. Super high-performance appliances based on some kind of BSD kernel (which I think they've heavily modified for SMTP performance, to reduce DNS bottlenecks, etc). They also "sell" Bonded Sender I think. Not sure that they have a for-money product around SenderBase, but it's certainly possible that they either do, or are planning one.
Certainly looking forward to getting the benefit of the SenderBase data to help in the fight against spammers. Combination of the SenderBase data with other tests on incoming email can certainly be used as a powerful determinant of spamminess.
Right now, there is a little bit of a bias in their mail volume data, where people who tend to send a lot of mail to people who use SpamAssassin with Bonded Sender checking turned on will have a disproportionately high ranking in SenderBase (since it gets its data by monitoring how frequently people look up addresses in Bonded Sender). So since I correspond quite a bit with other SA users who have this turned on, SenderBase estimates that I send several hundred thousand emails per day, which is obviously a little off. Over time though, this should become less of a problem, assuming they spread their data gathering a little more.
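The mechanism the comments above describe (an RBL-style list used as a whitelist, with sender volume estimated from how often an address is looked up), as an added example that is not part of the original thread and not IronPort's code. It assumes the list is published as a DNS zone queried with the usual reversed-address convention and goes slightly beyond the thread by covering IPv6 names; the zone name, class and function names, and traffic figures are constructed.

```python
import ipaddress
from collections import Counter

ZONE = "whitelist.example"  # hypothetical zone name, not a real service


def query_name(ip, zone=ZONE):
    """DNSBL-style name: reversed IPv4 octets (or IPv6 nibbles) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])


class ListOperator:
    """Stand-in for the list's DNS server: answers lookups and counts them."""

    def __init__(self, listed_ips):
        self.records = {query_name(ip): "127.0.0.2" for ip in listed_ips}
        self.lookups = Counter()

    def resolve(self, name):
        self.lookups[name] += 1        # each lookup doubles as a volume signal
        return self.records.get(name)  # None models NXDOMAIN (not listed)

    def estimated_volume(self, ip):
        return self.lookups[query_name(ip)]


def classify(ip, resolve):
    """Receiver side: an answer in 127.0.0.0/8 means the sender is listed."""
    answer = resolve(query_name(ip))
    return "whitelisted" if answer and answer.startswith("127.") else "unknown"


def simulate():
    """Constructed traffic: (sender IP, messages sent, messages to checking receivers)."""
    traffic = [("192.0.2.10", 1000, 10), ("198.51.100.7", 50, 50)]
    op = ListOperator(listed_ips=["192.0.2.10"])
    for ip, _sent, checked in traffic:
        for _ in range(checked):
            classify(ip, op.resolve)
    return {ip: (sent, op.estimated_volume(ip)) for ip, sent, _ in traffic}
```

In the constructed run the sender of 1000 messages is estimated at 10 and the sender of 50 at 50, so the ranking follows who performs lookups rather than who sends the most mail.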
IronPort is grossly overpriced. Equally phenomenal, albeit slightly lower performance is available for about 1/10th to 1/15th the price, if you buy from competing vendors. One such vendor I hear is Tegatai Systems, who are scheduled to release their product and service line within three months. I have seen their benchmarks and they definitely offer more value for the dollar. To note a correction, the IronPort device is only for outgoing mail, according to their documentation.
IronPort are releasing a new product that will do Anti Spam, Anti Virus and Content-Filtering in one box. It will have 3 1000/100/10 Ethernet NICs, with 4 hot swap SCSI drives.
I've checked them out for my network and it looks pretty good.
SenderBase is a useful resource -- I particularly like the fact that they provide an efficient web service interface to make queries against it. See the Net::SenderBase module by Matt Sergeant of MessageLabs fame.
We have been working on integrating SenderBase data with our spam throttling product and have found some success with it. It's not a panacea, however, and I understand that IronPort has a proprietary database which they do not expose through the SenderBase public interface, which contains a much more valuable "reputation" score.
But nonetheless they are doing a good thing for the community IMHO by making this database available.
We re-sell Ironport and it does a good job. Effectively, Ironport Senderbase is a database of the "reputation" of IP addresses of mailservers that exist out on the Internet. It uses about 60 factors to determine reputation, including: when the IP address was first seen sending mail, how much mail it is sending on a daily basis, can an email be sent to the IP address, pattern of mail volume growth, can you do a lookup on the IP address, is it on any of the 12 black lists that it has access to, etc.
Based on the reputation of the IP address, the administrator can block, limit or apply other rules to email coming from that IP address. In addition, Ironport provides heuristic spam filtering and AV.
Our customers tell us that it can reduce incoming mail volumes by up to 50% by refusing connection from "obvious" rogue mail servers.
Avoid this product. They're "throwing the baby out with the bath water." A properly configured email server which doesn't send any spam will be rejected and even if the IP is changed will be tracked. There is no legitimate way to contact the company and when you contact Ironport tech support, they OUTRIGHT LIE AND TELL YOU senderbase is not them!
Anybody who knows how to use WHOIS can discover that it's the same company.
Avoid!
As an extremely experienced Mail Admin for a large company (and longtime Spam-Fighter), I have to say Iron Port is ridiculously FLAWED and a huge ANNOYANCE.
My network had a single workstation infected for all of about 15 minutes. I had this cleared up with SPAMCOP in an hour.
But it is taking well over a week to clean up the aftermath from Senderbase.
Without any RBL listing or spam history, Ironport continues to list our Server's IP as "POOR" causing Hundreds of domains to refuse our email (even though the message didn't even come from our server).
The lack of a formal de-listing service is BOGUS and ARROGANT.
Ironport's "support" email is a blackhole of its own. Enquiries go in, nothing comes out.
To say "we don't block your email" is nonsense.
Ironport sells appliances and services to block email using subscriptions to a reputation database they maintain.
Even should I know the identities of the untold masses of Senderbase users, is it practical for me to contact the multitude of Mail Admins to request delisting?
Ironport and Senderbase get a double bird-flip!
I have to agree with UCE Crusader. Ironport/SenderBase really fails big time on providing a way to get removed from their "blacklist".
I agree with the assessment, BOGUS and ARROGANT.
Cisco owns this company - so let them know how you feel. If you happen to own Cisco stock, share your opinion at the next stockholder's meeting.
Getting listed on a site that is so unfriendly is like getting a second mugging - first you get hit with user error leading to a virus infection... then after that is all cleared up, no-one in your company can get e-mail out to critical clients.
The folks at Cisco/Ironport/Senderbase NEED to have a way to de-list *rapidly* companies that have been temporarily infected by a spam generating virus or Trojan horse.
"Bogus" and "arrogant" are excellent adjectives. If they fix this, it could be a great service. But right now, their own "reputation" sure needs its own special 'blacklist'.
Anyone complaining about a zombie PC on their network sending spam and then getting a poor reputation on senderbase needs to learn how to block outbound port 25 from machines other than their mail server.
That being said, Cisco (Ironforge) could make it a bit easier to go back to neutral especially if you've had a good reputation for years and 20 min of rogue spam.
Cisco/Ironport/SenderBase is a Monster
I have been hosting email since the day it came out and have never seen anyone flex their muscle like they do with SenderBase.
In the last year they have rated my mail server poor over a dozen times. Each time, after calling and emailing them, they tell me things like:
Your client forwards his email to his Cox account, which forwards a spam, then he says it is spam via SpamCop - instant poor rating.
I used response verification for years; that is a big no-no to them now. Back to poor rating.
Some business clients of mine send out too many emails, all collected via sign-up forms, but after time people forget, then flag in their SpamCop software that it is spam, instant poor!
I can list many more, waiting for the new one today!
Who gave them the ability to be the internet cop for email anyways? Looks like it is only banks, and the big boys that use their appliance.
If you blocked snail mail like this, Fed would lock you up!
I watch my servers like a hawk, never been infected. Log everything.
They don't list any reason why you get rated poor, so you are on a wild goose hunt to figure it out.
When I do get a response, they show me one header, ONE!!
Even if you look up mail.cox.com, they have many poors and they use Ironport devices.
They don't block email, their appliance at clients location does the rejection using their database! Yeah right!
I asked what I could pay to be listed as the good guy, just got the runaround and buy a device! Nice sales gimmick!
They are a freakin nightmare, so sick of this the last year, thinking of tossing in the towel on hosting email!
When I do get a response, some dude from India!
I feel a little better now ranting!
Mac
Advanced Consulting
San Diego