RealTime IT News

IronPort's Web Reputation Security

By Ed Sutherland

As the computer virus marks its 20th anniversary, one company says traditional e-mail-borne spam is adopting new tactics.

"Eighty to 90 percent of spam now have URLs," said Pat Peterson, vice president of technology at IronPort Systems, a San Bruno, Calif., e-mail security vendor. IronPort today unveiled Web Reputation, extending its Anti-Spam service to compute a trustworthiness score based on Web site behavior.

Creators of spyware and spam phishing threats are "blending e-mail, Web and even IM technologies to find the weak spot in the network."

While new to the Web, the concept of determining reputability for e-mail is becoming increasingly common.

Eighty-four billion e-mails will be sent each day during 2006, of which 33 billion will be spam, according to IDC. While the bulk of the spam problem is nearly under control, the problem is undergoing transformation.

"Spam is looking much more like viruses," Peterson said. Instead of sending billions of spam e-mail messages in hopes a fraction of recipients will respond, phishing and virus writers now try to fool Internet users into clicking a link for malware disguised as well-known e-commerce Web sites.

Instead of going to eBay or Amazon.com, the URL transports victims to a spammer site in Russia, for example, according to the IronPort executive.

The e-mail security sector, filled with competitors ranging from Sophos to Symantec, will be worth $5.5 billion by 2010, according to Ferris Research.

Symantec, which once concentrated solely on fighting viruses, has snapped up several anti-spam companies, including Brightmail and TurnTide, which is a competitor of IronPort.

"We've nearly licked bulk spam," said Peterson. "Technologies designed for 2005 are going to be taxed in 2006." Anti-spam tactics based on filtering out certain phrases can be useless against e-mail that includes only a URL.

"There has been a shift toward the inclusion in spam messages of content that is increasingly malicious," reported the FTC in Dec. 2005 on the effectiveness of the CAN-SPAM Act.

"Spam is looking much more like viruses," according to Peterson. "Phishers and virus writers are relying much more on browser exploits." Microsoft recently released a patch for a Windows Metafile Format flaw that malware authors used to infect computers visiting Web sites.

Rather than filtering phrases found in e-mail, IronPort uses its SenderBase Network to monitor Web traffic and track more than 45 parameters to evaluate mail.

"It's just like a credit check, it collects data to calculate a score," Peterson said.

Some of the points IronPort uses to determine a Web site's reputation include the lifespan of a domain (a site registered just yesterday could be a red flag) and the domain's location.

"Reputation is based on network parameters that are almost impossible to obfuscate," said Peterson.

IronPort envisions itself up against spammers who hold blocks of thousands of domains that they can use and change faster than traditional filters can react. "To catch a thief, you have to think like a thief."

More than 100,000 sources feed information into SenderBase, including eight of the top 10 largest ISPs. IronPort's C-Series of e-mail security appliances operates on the edge of corporate networks.

The IronPort Web Reputation feature is part of the firm's Context Adaptive Scanning Engine, used by the IronPort Anti-Spam service.