IronPort’s Web Reputation Security

By Ed Sutherland

As the computer virus marks its 20th anniversary, one company says
traditional e-mail-borne spam is adopting new tactics.

“Eighty to 90 percent
of spam now have URLs,” said Pat Peterson, vice president of technology
at IronPort Systems, a San Bruno, Calif., e-mail security vendor. IronPort
today unveiled Web Reputation, extending its Anti-Spam service to compute
a trustworthiness score based on Web site behavior.

Creators of spyware and spam phishing threats are “blending e-mail, Web and even IM technologies to find the weak spot in the network.”

While new to the Web, the concept of determining reputability for
e-mail is becoming increasingly common.

Eighty-four billion e-mails will be sent each day during 2006, of which 33
billion will be spam, according to IDC. While the bulk of the spam problem is
nearly under control, the problem is undergoing transformation.

“Spam is looking much more like viruses,” Peterson said. Instead of
sending billions of spam e-mail messages in hopes a fraction of
recipients will respond, phishing and virus writers now try to fool
Internet users into clicking a link for malware disguised as well-known
e-commerce Web sites.

Instead of going to eBay or, the URL
transports victims to a spammer site in Russia, for example, according
to the IronPort executive.

The e-mail security sector, filled with competitors ranging from
Sophos to Symantec, will be worth $5.5 billion by 2010, according to Ferris

Symantec, which once concentrated solely on fighting viruses, has
snapped up several anti-spam companies, including Brightmail and
TurnTide, which is a competitor of IronPort.

“We’ve nearly licked bulk spam,” said Peterson. “Technologies
designed for 2005 are going to be taxed in 2006. Anti-spam tactics based
on filtering out certain phrases can be useless against e-mail that
includes only a URL.

“There has been a shift toward the inclusion in spam messages of
content that is increasingly malicious,” reported the FTC in Dec. 2005
on the effectiveness of the CAN-SPAM Act.

“Spam is looking much more like viruses,” according to Peterson.
“Phishers and virus writers are relying much more on browser exploits.”
Microsoft recently released a patch fixing the Windows Metafile Format
used by malware authors to infect computers visiting Web sites.

Rather than filtering phrases found in e-mail, IronPort uses its
SenderBase Network to monitor Web traffic and track more than 45
parameters to evaluate mail.

“It’s just like a credit check, it collects
data to calculate a score,” Peterson said.

Some of the points IronPort uses to determine a Web site’s reputation
includes the lifespan of a domain (a site registered just yesterday
could be a red flag) and the domain’s location.

“Reputation is based on
network parameters that are almost impossible to obfuscate,” said

IronPort envisions it is up against spammers with blocks of
thousands of domains they can use and change faster than traditional
filters. “To catch a thief, you have to think like a thief.”

More than 100,000 sources feed information into SenderBase, including
eight of the top 10 largest ISPs. IronPort’s C-Series of e-mail security
appliances operates on the edge of corporate networks.

The IronPort Web Reputation feature is part of the firm’s Context
Adaptive Scanning Engine, used by the IronPort Anti-Spam service.

News Around the Web