Tuesday, December 4, 2007

IronPort SMTP Mail Gateways



We have implemented IronPort devices and dumped our legacy SMTP gateways. I am truly impressed with IronPort performance, heads up no wonder it is called IronPort. I had to prepare a little summary sheet for IronPort and decided to share here with you all

IronPort is capable of performing following

IP reputation is called reputation Filtering ( checks the sender IP reputation).The Sender Base Reputation Service provides an accurate, flexible way for users to reject or throttle suspected spam based on the connecting IP address of the remote host.

On SMTP hand Shake Iron, port is also capable of performing,

  • RBL List (Real Time Block List)
  • IP Reputation
  • RDNS Check (Reverse DNS check to make sure, sender is coming from domain)
  • Domain reputation
  • Sender Base Reputation Service (SBRS) Score

The Sender Base Reputation Service (SBRS) score is a numeric value assigned to an IP address based on information from the Sender Base Reputation Service. The Sender Base Reputation Service aggregates data from over 25 public blacklists and open proxy lists, and combines this data with global data from Sender Base to assign a score from -10.0 to +10.0, as follows:

Score

Meaning

-10.0

Most likely to be a source of spam

0

Neutral, or not enough information to make a recommendation

+10.0

Most likely to be a trustworthy sender


The lower (more negative) the score, the more likely that a message is spam. A score of -10.0, means that this message is "guaranteed" to be spam, while a score of 10.0 means that the message is "guaranteed" to be legitimate.

How Does IronPort identifies Spam?

IronPort Anti-Spam filtering is based on Context Adaptive Scanning Engine (CASE) ™, and is the first anti-spam scanning engine to combine email and web reputation information following areas.

  • Eliminate the broadest range of email threats — detect spam, "phishing," zombie-based Attacks, and other "blended" threats.
    Deliver the highest accuracy — anti-spam rules based on email and web reputation from Sender Base Reputation Service.
  • Offer ease of use — due to reduced hardware and administrative costs. Deliver industry leading performance — CASE uses dynamic early exit criteria and off-box network calculations to deliver breakthrough performance.
  • Address the needs of international users — IronPort Anti-Spam is tuned to deliver industry-leading efficacy world-wide IronPort Anti-Spam filtering is based on Context Adaptive Scanning Engine (CASE) ™, and is the first anti-spam scanning engine to combine email and web reputation information to: Eliminate the broadest range of email threats — detect spam, "phishing," zombie-based attacks, and other "blended" threats.
    Deliver the highest accuracy — anti-spam rules based on email and web reputation from
  • Sender Base Reputation Service. Offer ease of use — due to reduced hardware and administrative costs. Deliver industry-leading performance — CASE uses dynamic early exit criteria and off-box network calculations to deliver breakthrough performance. Address the needs of international users IronPort Anti-Spam is tuned to deliver industry-leading efficacy world-wide
  • IronPort designed IronPort Anti-Spam from the ground up to detect the broadest range of email threats. IronPort Anti-Spam addresses a full range of known threats including spam, phishing and zombie attacks, as well as hard-to-detect low volume, short-lived email threats such as "419" scams. In addition, IronPort Anti-Spam identifies new and evolving blended threats such as spam attacks distributing malicious content through a download URL or an executable. To identify these threats, IronPort Anti-Spam uses the industry's most complete approach to threat detection, examining the full context of a message-its content, methods of message construction, the reputation of the sender, and the reputation of web sites advertised in the message and more.
  • Only IronPort Anti-Spam combines the power of email and web reputation data, leveraging the full power of the world's largest email and web traffic monitoring network — Sender Base — to detect new attacks as soon as they begin.

    Lowest False Positive Rate

    IronPort Anti-Spam and IronPort Virus Outbreak Filters are powered by IronPort's patent-pending Context Adaptive Scanning Engine (CASE) ™. CASE provides breakthrough accuracy and performance by analyzing over 100,000 message attributes across four dimensions:


    • Email reputation — who is sending you this message?
    • Message content — what content is included in this message?
    • Message structure — how was this message constructed?
    • Web reputation — where does the call to action take you?

Analyzing multi-dimensional relationships allows CASE to catch a broad range of threat while maintaining exceptional accuracy. For example, a message that has content claiming to be from a legitimate financial institution but that is sent from an IP address on a consumer broadband network or that contains a URL hosted on a "zombie" PC will be viewed as suspicious. In contrast, a message coming from a pharmaceutical company with a positive reputation will not be tagged as spam even if the message contains words closely correlated with spam.

Best,

Oz ozugurlu

5 comments:

Oz Ozugurlu said...

Special Thanks to John Nguyen IronPort engineer, for great assistance in the implementation process, which was seamless
best
oz

Anonymous said...

IronPort/Senderbase.org have a big flaw.

Getting a "poor" reputation is like getting on the terrorist watch list - it's not clear how you got on, and it's not clear how you get off.

It can be a *BIG* problem since you will not be able to get email through to your most valued clients.

Take a look at the SenderBase.org website, and try to figure out how to understand the basis of a "low" score. It's opaque. Eventually, you find the email address, "support@senderbase.org", but that email address has a reputation for being a blackhole. I even tried calling the company, but could only reach the folks at IronPort, who simply suggest you email the blackhole, and provide a not-my-problem man... response.

Cisco, the parent company, as well as IronPort and SenderBase.org need to provide a clear and quick mechanism to:

1.) understand the basis that you have been assigned a "poor" reputation.

2.) Provide a mechanism to get you back to normal within hours, not days or weeks.

If they fix that problem, it could be a great solution, but right now, it really bites.

And for that reason, I would ask you to share that concern if you are talking to the sales folks, and let them know IF they can fix this issue, you will consider buying.

But don't buy it till they fix this problem!!

-- An innocent victim of SenderBase.org

Oz Ozugurlu said...

If you consider out of 12 or 16 can’t remember major ISP runs by IronPort (85 percent) you will notice the e-mail on entire US runs through IronPort systems
We deploy IronPort for most of our clients, as well as DC Government, which requires most of the time high security. The IronPort company itself has great reputation and I have never seen or witnesses them stopping legit e-mail.
Any place we deploy Iron port , we get rock solid mail service and high quality, their devices never failed us so far within 5 years, not even one single one.
From experience dealing with IronPort is awesome

--oz

Anonymous said...

Cisco, the parent company, as well as IronPort and SenderBase.org need to provide a clear and quick mechanism to:

1.) understand the basis that you have been assigned a "poor" reputation.

2.) Provide a mechanism to get you back to normal within hours, not days or weeks.
Agreed, the lack of transparency is almost criminal. Big brother Cisco is watching!

-- Another innocent victim of SenderBase.org

Anonymous said...

I agree with that senderbase needs to let us:

1.) understand the basis that you have been assigned a "poor" reputation.

2.) Provide a mechanism to get you back to normal within hours, not days or weeks.Agreed, the lack of transparency is almost criminal.

We are having this issue with senderbase for weeks now and it still hasn't been resolved. Emailed them multiple times with no response.

-Yet another victim of senderbase