RealTime IT News

IronPort: Time To Turn Tables on Zombies

Anti-spam software and hardware maker IronPort wants to let your reputation speak more clearly for you in the spam realm.

The company has launched its next-generation Reputation Filters, which are automatically generated whitelists that help ISPs identify the zombies in their midst.

IronPort said advances in its reputation filtering software now let Internet service providers squelch spam at its source -- even if the source is their own customers.

Zombies are computers that have been hijacked by spammers -- thanks to Trojan software that unsuspecting users install on their computers. The compromised computer is then used to spew spam. IronPort's SenderBase, a database of information gleaned by monitoring global e-mail traffic, indicates that more than 70 percent of the world's spam volume originates from unwitting consumer broadband users whose PCs are infected and turned into zombies. These zombies are most often found in the large IP ranges of consumer broadband ISPs.

IronPort customers already use the two-year-old SenderBase to reduce the volume of incoming e-mail, according to Peter Schlampp, senior director of product management.

"We're reducing the amount of mail that needs to be scanned, based on the reputation of the sender," he said. SenderBase builds a database of acceptable addresses, not unlike the white and black lists maintained by some ISPs. "But it's automatic, constantly updated, and very accurate," Schlampp said.

SenderBase collects data from more than 50,000 ISPs, universities, and corporations that are its customers. It measures more than 50 different parameters, including the global volume of mail being sent by any given sender, and analyzes how long that sender has been sending, whether it accepts mail in return, whether its DNS servers resolve properly, whether it's an open proxy or an open relay, and whether users are complaining about spam from its servers.

The data are analyzed in real time and used to develop a reputation score for any given sender on the Internet. This score is made available to the IronPort E-mail Security Appliances used by customers. The appliances can "rate limit" a given sender based on their score. The more suspicious a sender appears, the slower they go.

Instead of cutting off a customer who may be legitimate, Schlampp said, the software lets the ISP throttle down the volume of e-mail.

The second generation of IronPort's Reputation Filtering combines this rate-limiting capability with real-time analysis of e-mail traffic patterns. It lets large ISPs identify zombie behavior originating within their network and rate limit or block infected PCs that are sending outbound spam.

"Before a zombie computer's spam goes to the Internet, the ISP will block the spam at the source," Schlampp said. "Since the ISP's customers also contribute data to the SenderBase network, we're getting more zombie information earlier and using it to help all our customers."

IronPort also licenses SenderBase data to the open-source community, where it's been incorporated into anti-spam tools such as SpamAssassin. The move has broadened the SenderBase network even further, Schlampp said.