What is IP Reputation?

  • 7019853
  • 16-Mar-2009
  • 07-Aug-2017

Environment

GWAVA 4 117+

Situation

What is IP Reputation? How does IP reputation determine what to do with a message?

Resolution

IP reputation is a new service added to GWAVA 4 that allows GWAVA to filter messages based on the sending server's IP address. The types of messages sent from that IP address are tracked and stored, so GWAVA knows whether the sending server is a likely source of spam. There are three functions of IP reputation:

1) Blacklist

Much like RBL, a blacklist is kept of known IP addresses of spammers.

SMTP scanner using connection dropping: If a message comes from a blacklisted sender to the SMTP scanner with connection dropping enabled, a 5xx level error is returned to the sending server. The 5xx error is returned before the message is even received, saving the server from having to do any other tests on the message. This is the ideal setting.

Any scanner using header scanning: If you do not have connection dropping enabled or are not using an SMTP scanner, the blacklist can still be used. Just like RBL, GWAVA can scan the header lines of the message for IP addresses and check whether any of those hops are on the blacklist. If one of the IPs is on the blacklist, the message will follow the rules you assigned to that server (block, quarantine, etc.).

2) Greylist

One of the problems with any sort of anti-spam solution is that it is highly reactive. Once a new type of spam message is used, there is a short delay before we can come up with a good way to block it. This is another area where IP reputation can be useful. Any time we begin to see messages from an IP address we have not seen before, a 4xx level error is returned to the sending SMTP server. A 4xx level error means "try again later". 99% of legitimate email servers will in fact try again later, and if they do, we will let the message pass the IP reputation service. Spammers usually won't try to send the message again. Because of this, IP reputation gives you some protection against zero-day spam, that is, spam we haven't seen before.

Note: This feature is only available when using an SMTP scanner with connection dropping turned on.

3) Whitelist

One of the side effects of using the greylisting feature is that legitimate senders' mail can be delayed from time to time. To mitigate this there is also a whitelist. The whitelist contains a list of IP addresses from known good senders, so that common sources of email won't be delayed by the greylisting feature. Common senders include gmail, yahoo, hotmail, etc. Most of your good mail won't be delayed because its sender will already be on the whitelist the first time the messages come in.

By using IP reputation you protect yourself from known spammers and also from any new spammers that may pop up. It is highly recommended to use IP reputation with an SMTP scanner with connection dropping enabled to take advantage of all its capability.
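
The decision flow described above, as an added Python sketch that is not GWAVA's code: it models the connection-dropping path (blacklist, whitelist, greylist) and the header-scanning path. The class name, the verdict strings, the check order (blacklist before whitelist) and all addresses are assumptions made for illustration, and greylist timing and expiry are not modelled.

```python
import email
import ipaddress
import re

# Constructed sample lists using documentation address ranges, not GWAVA data.
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed message headers with two relay hops.
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [192.0.2.44])\r\n"
    "\tby mail.example.org with ESMTP; Mon, 16 Mar 2009 10:00:00 +0000\r\n"
    "Received: from relay.example.com (unknown [203.0.113.9])\r\n"
    "\tby mx.example.net with SMTP; Mon, 16 Mar 2009 09:59:58 +0000\r\n"
    "Subject: constructed sample\r\n\r\nbody\r\n"
)
HOP_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 literal in brackets


class IPReputation:  # hypothetical name, for illustration only
    def __init__(self, blacklist, whitelist):
        self.blacklist, self.whitelist = blacklist, whitelist
        self.seen = set()  # unknown IPs that have already been deferred once

    @staticmethod
    def _listed(ip, networks):
        return any(ip in net for net in networks)

    def on_connect(self, ip_text):
        """Connection-dropping path: verdict before any message data arrives."""
        ip = ipaddress.ip_address(ip_text)
        if self._listed(ip, self.blacklist):
            return "reject-5xx"   # known spam source, permanent failure
        if self._listed(ip, self.whitelist):
            return "pass"         # known good sender skips greylisting
        if ip not in self.seen:
            self.seen.add(ip)
            return "defer-4xx"    # first contact: ask the sender to retry
        return "pass"             # sender retried, as legitimate servers do

    def scan_headers(self, raw_message):
        """Header-scanning path: return blacklisted hop IPs in Received lines."""
        hits = []
        for received in email.message_from_string(raw_message).get_all("Received", []):
            for candidate in HOP_IP.findall(received):
                try:
                    ip = ipaddress.ip_address(candidate)
                except ValueError:
                    continue      # bracketed text that is not a valid address
                if self._listed(ip, self.blacklist):
                    hits.append(str(ip))
        return hits
```

The header-scanning path only sees the message after it has been accepted, which is why the greylist verdict exists solely in `on_connect`.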

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 1078.