RealTime IT News

Postini Hopes TIN is Solid Gold

Officials at Postini announced Wednesday the launch of its Postini Threat Information Network (PTIN), a real-time blacklist (RBL) they say is completely impartial and provides customers protection from spam, viruses and other threats transferred by email.

To date, RBLs have been highly subjective, with offenders judged guilty before a hearing. Getting your domain off some of them, like SPEWS or the now-defunct ORBZ, can be even harder: it is a supplication process in which the owner pleads to be taken off the list. While effective, the process has glaring faults, such as spoofed domains, companies putting their competitors on an RBL, and "false positives," meaning legitimate email that gets blocked.

PTIN is Postini's solution, the result of its years in the email security business and its position as the fourth-largest processor of Internet email (behind AOL, Microsoft and Yahoo!). What the company has come up with is a score-based threat board, where each source IP address is assigned a score when its traffic passes through a TIN-enabled email server. If the traffic carries a known virus, or millions of emails arrive from the same source IP address (which is virtually impossible to spoof, or fake), or the address sends data packets in a denial of service attack, the "score" on that IP address goes down. When suspect or malicious activity from that IP address stops, the score eventually goes back up.

"It's like the credit card, if you stop spending your credit limit goes back up," said Bill Glazier, Postini vice president of marketing.

The process, unlike that of many RBLs, is entirely fact-based. The IP score doesn't go down unless bad files or emails are going through Postini's PTIN, which takes the subjective element out of the equation. When the score goes down, the IP address is given a probability that its traffic is carrying unsavory information. PTIN updates every 60 seconds, giving providers the most up-to-date information. Ultimately, it's up to the provider to determine whether to kick the IP address off the network.

PTIN runs at more than 1,600 enterprise companies throughout the world, which form the basis of its virus and spam database. The company processes 160 million emails a day through its servers, so it feels it has the expertise to pull off its own version of the RBL. Having extensive knowledge of the bigger spammers in the world, Postini thinks it has developed a tool that blocks them and keeps the innocent types from getting blocked.

The only flaw in PTIN, though there is no real way to prevent it, is that the software shuts down spammers and virus makers only after the email is already out the door. Spammers have been known to buy a whole network block, using one IP address from that block until it gets shut down and then moving on to the next one. Crackers, for their part, take over machines running on DSL and send email from those machines' IP addresses.

The most companies can do, Glazier said, is block them after the fact and warn them of their actions; the person or ISP might not realize their computer is compromised.

"We have to be quantitative," Glazier said. "The more you make assumptions, the more you end up creating the same problems you see with the RBLs."

Postini officials expect a lot of interest in their new network security product. PTIN already has its first announced customer, Nokia, which plans to incorporate PTIN and Postini's Anti-Spam Engine into its Message Protector, version 1.3. Nokia has been running a joint project with anti-virus company Trend Micro on its Message Protector for the enterprise since late last year.

"Postini not only understands what spam is, but who the spammers are and how their tactics change on a minute-by-minute basis," said Dave Edwards, senior director, Nokia. "By utilizing this proprietary and highly accurate knowledge base, the Nokia Message Protector email security appliance can provide our customers with a level of intelligence and protection not offered by any other solution."