Slashdot Mirror

That's a Cisco IronPort web filter warning. (Speaking of warning, WARNING: Marketing PDF)

I dunno where that particular device got that "web reputation" record for that particular website. It might be outdated, or GP's company may have some weird fetish about executing code in remote VMs.

IronPort used to play both sides of the street back in 2002. They sold rackmount "spam filter" boxes, and they also sold, er, "email delivery appliances". These included mechanisms for using hundreds of different IP addresses, to avoid triggering spam filters. IronPort was also behind "Bonded Spammer", a scheme where they paid ISPs to whitelist their spam. They even bought SpamCop and built Bonded Spammer into it.

Cisco finally bought IronPort, and they got out of the spamming business. Bonded Spammer lives on as ReturnPath. If you have anything to do with mail processing, it's worth understanding how to identify ReturnPath email (the IP address is tagged in DNS) so it can be moved to the "bulk" folder. If you use SpamAssassin, it comes with a big negative value for ReturnPath emails to get them through filters. Change that to +2 or so; if somebody paid to use ReturnPath, they're a bulk sender.

IronPort used to play both sides of the street back in 2002. They sold rackmount "spam filter" boxes, and they also sold, er, "email delivery appliances". These included mechanisms for using hundreds of different IP addresses, to avoid triggering spam filters. IronPort was also behind "Bonded Spammer", a scheme where they paid ISPs to whitelist their spam. They even bought SpamCop and built Bonded Spammer into it.

Cisco finally bought IronPort, and they got out of the spamming business. Bonded Spammer lives on as ReturnPath. If you have anything to do with mail processing, it's worth understanding how to identify ReturnPath email (the IP address is tagged in DNS) so it can be moved to the "bulk" folder. If you use SpamAssassin, it comes with a big negative value for ReturnPath emails to get them through filters. Change that to +2 or so; if somebody paid to use ReturnPath, they're a bulk sender.

Cisco will soon be introducing a product to address this exact problem!

Please, this is Cisco. They've already purchased the company that makes the product to address this.

http://www.ironport.com/

http://www.ironport.com/

Yeah, seriously, they're awesome. We're using three clustered C150's at two datacenters right now. You can ditch all your other spam/anti-virus software too. Expect to pay about $15/mailbox/year for 3 appliances. Also might be worth mentioning that they were recently purchased by Cisco.

We use them to automatically scan and encrypt any message containing ePHI (think HIPAA), ABA's, SSN's and credit card numbers. You can also install an outlook plugin to implicitly encrypt messages or create mail rules to always or never encrypt certain messages from certain people or groups (great LDAP integration).

And the spam filtering is phenomenal. I really can't say enough good things about these appliances. They replaced several fedora+clamav+sendmail+SA boxes I was running and I couldn't be happier.

That's a truly heartbreaking hardware story. Maybe this will help :)

http://www.ironport.com/company/careers.html

Personally I'd think about a hardware solution, block replication off-site to a third party registry. When you're talking compliance (especially fiduciary compliance) it's usually easy to come up with the bucks, so dream up something right and propose it.

Sites affected include Technorati, Netflix (these display nice "We're Dead" pages), Typepad, LiveJournal, Sun.com, and Craigslist (these just time out).

And Ironport!

I get to rebuild some slave databases. Thanks 365! Your generators are top notch.

For everyone screaming that this isn't feasible, will kill mailing lists, and other wise render effective communication via SMTP impossible you might want to consider that about a quarter of global email volume is already flowing through a system very much like what the OP describes.

Ironport (recently purchased by Cisco for $830 million US) has been doing this kind of service for large providers for several years.
Their statistics site is publicly viewable, but using their stats requires a subscription fee.
http://www.senderbase.org/
Its interesting to look at how well or poorly the MTA's you use are scored. All of the stats are gathered by the systems they sell to ISP's and enterprise customers. These boxes perform the spam filtering for that organization's customers and provide statistical data back to senderbase.org, which allows all Ironport customers to "know" about problems for all other Ironport customers.

The link to their PDF on their metric's is here:
http://ironport.com/pdf/ironport_wp_reputation_bas ed_control.pdf

We evaluated their system last year as a possible replacement for a third party spam/virus scanning provider and may end up purchasing their equipment once everything with the Cisco purchase shakes out. Their solution, while not perfect, behaves far better than some of the things that large service providers *coughAOLcough* have tried and are (or were when we tested) comparable to most of the content based scanning systems in terms of spam filtering with a lower rate of false positives.

This isn't a new concept. Our mail gateways already participate in something like this with IronPort's SenderBase reputation filtering. 90%+ of our incoming mail traffic is dropped based on poor reputations scores without looking at anything more than the sender's address. So far, we've never had a false-positive that we know of, and only once, after many customers were made a part of a bot-net and started spamming, did SenderBase throttle traffic to one of the local ISP's. A quick call to their mail admins pointing out the problem and they were able to block those customers from sending mail until they were cleaned up and the reputation score climbed back up again.

I hope Spam cop stays good now that it is owned by CISCO. Sherman

You forgot the URL!

http://www.ironport.com/company/ironport_pr_2007-0 1-04.html

IronPort works extremely well too. Be prepared to pay enterprise prices though.

Spam vendors and open source vendors make lots of whacko claims.

[...] extremely low false positive rate, with less than one in one million messages being a false positive.

A few years ago, Bayesian classification seemed a promising way to filter spam.

[...] best recorded levels of accuracy have included 99.991% by one avid user (2 errors in 22,786) and 99.987% by the author (1 error in 7000), which is ten times more accurate than a human being!

That translates to better than 99.984% accuracy, which is over ten times more accurate than human accuracy

In the game of cat and mouse between spammers and anti-spam vendors, spammers and hackers quickly developed new techniques to "fool" the Bayesian filtering software.


File these under UFO sightings.

Spamcop has been around much longer than bluesecurity, it has already weathered many more DoS attacks than bluesecurity, spamcop has been sued a couple of times by spammers (and the spammers lost), spamcop has had its domain name hijacked, and yet it has survived. Granted, part of the reason they survived is because the are now owned by the anti-spam vendor, Ironport who also provides the free senderbase service.

I'm sorry to see bluesecurity go, but there are still other options for people who want to fight spam.

I was checking Spamcop's (my mail provider) parent company Ironport www pages yesterday.

Spam is dieing as you can see at http://www.ironport.com/toc/toc_spam.html

I think phishing by zombies are in rise.

http://www.antiphishing.org/ report available in pdf http://antiphishing.org/reports/apwg_report_Nov200 5_FINAL.pdf

BTW if you report spam, reportphishing@antiphishing.org is a good CC: target.

Many people are now putting e-mail security devices in front of the "receivers".

Products such as Ironport, Openwave Edge Gx, and Symantec Mail Security Security use technologies such as traffic shaping, reputation services, directory harvest attack detection, etc. to help keep spam out of your network.

except IronPort actually copied the name

Proof -

Ciphertrust earliest press release Sept 2001 - mentions IronMail - http://www.ciphertrust.com/company/press_and_event s/article.php?id=0000137

Ironport earliest press release in June 2002 that mentions IronPort

http://www.ironport.com/pdf/ironport_2002-06-25b.p df

Wow, this is almost an exact copy of Ironport's Senderbase Reputation Score!

Someone (the author or some editor) added that comma to my sentence. My original email had no comma there. A clearer phrasing that would not tempt someone into adding punctuation would be:

[The least effective technique is] Any technique that tries to identify "good" mail with neither authentication backing it up nor some form of personalized training.

They also removed the name of the company where I work (IronPort), which struck me as a bit odd considering how my job allows me to do open source was part of the article. I think my employer deserves some kudos for that. Not to mention implying that I'm more than just one of the developers. There are eight commiters, six of them on the Project Management Committee and two of them (Justin Mason and Theo Van Dinter) write at least as much code as me.

Oh, yeah, Ironport claims their multimillion e-mail per hour senders are only for use by good guys. Right.

Yahoo and Hotmail are being protected by these puppies from Ironport. They use Brightmail to filter to the Bulk folder and Sophos for AV. Hopefully they turned on both features.

No, spammers can be as dishonest as they wish. They'll have to be unbelievably smart to get around this.

How long until somebody adds a stamp-accelerating DSP to one of these and completely blows the computational limitations out of the water?

I use Netscape's Bayesian filter as a second tier, and that removes about 60% of the remaining spam.

SpamCop was better, until IronPort bought them and they went black-hat, with Bonded Spammer and the Spam Engine.

IronPort's business is SPAM prevention.

Actually, they play both sides of the fence.

Except that IronPort, not Microsoft, is running this list. IronPort are the same people who purchased SpamCop. IronPort's business is SPAM prevention.

There are plenty of legitimate companies that don't SPAM that have IronPort bonds. Especially where these companies are sending out 'Technical Errata' or trying to run product support over E-mail.

Now you can argue that 'Technical Errata' sometimes has embedded ads (usually not), and sometimes is unsolicited (usually not) - but most people who ask for it think it's useful. If I send a company an Email asking them about how to fix thier broken product, I surely wouldn't want the reply to be stuck in a SPAM filter (this happens to me once or twice a month).

If you want to use IronPort's whitelist service, inquire at thier web site.

IronPort is NOT Microsoft! IronPort is selling a service which Microsoft has purchased for the purpose of using on Microsoft's Hotmail (and MSN) mail service.

Since a vast majority of SPAM that I get are from throw-away domains, I see some value in this as well. It would, for instance, be nice if I didn't have to comb through my JUNK box looking for missing Emails from one of the many product specific Mail lists that I'm a member of.

However, Mail lists are usually on independant and under-funded sites, so it's unlikely that they'd be able to afford to become IronPort certified anyway.

SourceForge would be a good start though.

Yeah, yeah, there are "legitimate uses" for this thing. Right. Sure.

Even worse, they have a "Bonded Sender program, under which spammers pay a fee to Ironport to bypass spam filters. They charge a fee of $20 for each complaint, but allow one free complaint per million spams. They're vague about what a "complaint" is, and admit they don't use "AOL complaints". They may be counting only complaints that reach abuse@bondedsender.com. Since they don't require that mail be marked as "approved by BondedSender", few people know how to complain. And they don't disclose their complaints, or who's in the "Bonded Sender" program.

They're trying hard to insure that all the major anti-spam systems are hardwired to let their spam through. They have patches for all the major spam detection programs. The patches bypass all other spam checking if the source IP address has the DNS record that says it's listed with BondedSender. Now you understand why they bought SpamCop.

A useful check for mail programs is to check the BondedSender whitelist, then run a conservative Bayesian spam filter on the content. If BondedSender says it's not spam, but the spam filter says it is, ship it off to the BondedSender abuse address. Definitely do this for honeypots. Any BondedSender mail that shows up at a honeypot should be reported on NANAE. That will help track how much, or how little, Ironport is really enforcing their rules.

Ironport, the owner of Spamcop, allows you to deposit a bond to certify that your e-mail is legitimate. More info at www.bondedsender.com.

Ironport's website mentions transaction confirmations as one of the uses, and that is certainly legit... when I order stuff online, I like to get an email confirming it, telling me it's been shipped, ect.

There are legitimate advertising emails. I buy alot of electronics, so I regularly get emails from companies I've bought stuff from in the past, and I'm glad I have - they have alerted me to some good sales.

To me, there is a huge difference from me getting an email from Compgeeks, TigerDirect, eCost, or another company that I've bought stuff from (and could opt out of if I want to) and getting emails to BUY DISCOUNT VIAGRA, or MEET CHRISTIAN SINGLES, or the like. If IronPort is doing the former, then that's fine by me. If the companies are using their stuff to do the latter, then there is a problem

Ironport makes a living selling hardware that is used for spamming. What other reason is there for a piece of hardware that can send a half a million pieces of mail per hour? Take a look at their products for yourself. Bye bye SpamCop. You've just been bought by the enemy.

Let me get this straight...these are the same great guys that produce the IP-shifting, filter-thwarting, 1-million-messages-per-hour email delivery appliance? Sounds like they provide tools to spammers, then clean up on the other end with filtering tools and services. But I could be wrong.

> This [habeas.com] sounds like it might actually work.

Oh please. Haiku? I suggest a solution that might have some chance of actually working because the trusted sender pays up first instead of some goofy legal posturing. Run an aggressive filter, and let anything through with a bond, so you don't have to worry about those FP's. Locksmiths already have to post a big bond. Why shouldn't marketers be the same if they want our trust?