How to Stop Spam Emails and Bounces




Managing Your Email Reputation

For most companies and organizations, email is the most important means of business communication. The value of email today, however, has been compromised by the rampant growth of threats such as spam, viruses, phishing and more. To protect themselves from these threats, ISPs, enterprises and other network owners rely on reputation systems to apply policies to companies sending email to their network. These policies may include limiting the amount of email any one sender can send or blocking mail from senders with a very poor reputation. Network owners may also use reputation systems to route messages from senders with very good reputations past content-based spam filters in order to reduce the chance of inadvertently discarding legitimate email.

As a sender of email, making sure that email you send gets through is your responsibility. Just like your credit score determines whether you can get a loan, your email reputation determines whether your mail gets delivered. This document describes several steps that administrators of outbound mail systems can take to reduce the risk of receiving a negative reputation and having email sent from their network blocked.

IronPort's Reputation Filters is one of the most widely used reputation services. Powered by IronPort's SenderBase, the first and leading email traffic monitoring network, IronPort Reputation Filters apply a reputation score to the IP address connecting to the recipient's mail system. In most cases the connecting IP address is the sender's outbound SMTP server, not an end user's PC (the exception is when an end user's system may have been infected by a virus; see section 4b below).

Unlike reputation systems which rely on subjective analysis to determine a sender's reputation, the SenderBase Reputation Score (SBRS) is based solely on objective data that is statistically correlated with the probability that a message from a given source is legitimate.
The SBRS uses an advanced scoring algorithm that combines over 100 of the most important and relevant factors into a single measure of sender reputation. The rest of this page outlines common behaviors that may lead to low reputation scores. Follow the advice below, and you will enjoy the benefits of better deliverability and the trust of receivers.

A. How to improve your Email reputation

1) For All Email Senders/Enterprise Senders

a. Close open proxies and relays

These configurations can allow outside users to route email traffic through your infrastructure, making it appear to the outside world that you are the source of the mail. An open relay is an improperly configured mail server that allows outside users to route messages to recipient addresses managed by a separate network owner. An open proxy is a machine that will forward on connections of many types, including mail messages. The added danger of an open proxy is that the true sender's identity is often completely obscured, so they allow anonymously-sent messages. Frequently, viruses will turn an end user's machine into an open proxy without the owner's knowledge. Using these is a favorite trick of spammers to disguise their identity, and the owner of the open proxy or relay pays the price.

You can check for this in a number of ways; among the easiest is to look up your IP address on lists of known offenders at sites like http://openrbl.org/.

For advice on closing open proxies and relays, see: http://www.spamcop.net/fom-serve/cache/385.html
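
The list lookup suggested above can also be done over DNS for your own outbound address. The following is an added example, not part of the original white paper: the zone names, the sample answers and the address 192.0.2.25 are constructed placeholders, and the reversed-address query name with answers in 127.0.0.0/8 is the usual DNS blocklist convention rather than something this page specifies.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # listing answers fall in this range


def dnsbl_query_name(ip, zone):
    """Return the DNS name to query: reversed address labels plus the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """A-record lookup through the OS resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        # "No such name" (not listed) and resolver failures both end up here;
        # a monitoring job should distinguish them and retry failures.
        return []


def check_listings(ip, zones, resolve=system_resolver):
    """Map each zone to the 127.0.0.x answers it returned for `ip`."""
    report = {}
    for zone in zones:
        codes = []
        for answer in resolve(dnsbl_query_name(ip, zone)):
            try:
                # An answer outside 127.0.0.0/8 (for example a parked or
                # wildcarded zone) is not a listing and is ignored.
                if ipaddress.ip_address(answer) in LISTED_RANGE:
                    codes.append(answer)
            except ValueError:
                continue
        report[zone] = codes
    return report


# Constructed sample answers so the example runs offline (hypothetical zones).
SAMPLE_ANSWERS = {
    "25.2.0.192.dnsbl.example.org": ["127.0.0.2"],     # listed
    "25.2.0.192.parked.example.net": ["203.0.113.7"],  # wildcard, not a listing
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])


def demo():
    zones = ["dnsbl.example.org", "parked.example.net", "clean.example.com"]
    return check_listings("192.0.2.25", zones, sample_resolver)


if __name__ == "__main__":
    for zone, codes in demo().items():
        print(zone, "LISTED " + ",".join(codes) if codes else "not listed")
```

Run it on a schedule against the lists your receivers use, passing your real sending addresses and leaving `resolve` at its default.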

b. Get off and stay off blacklists

Blacklists are lists of domains, hosts, IP addresses or email addresses that have poor reputations. Many receivers use these lists to block access to their networks, so it is essential to monitor the commonly used blacklists for your information. Appearing on a blacklist is often a good indicator that something else has become an issue: contact the blacklist, find out how you can fix the core issue, and you can prevent it in the future. You can check a number of free sites to see if you are listed (see http://openrbl.org/).

c. Avoid sending delayed bounce messages to invalid recipients

Delayed or non-conversational bounce messages are acknowledged to be a growing problem for email. These bounces occur when organizations have their mail infrastructure configured to accept email messages before deciding they are unwanted and bouncing them. These unwanted messages may include spam or viruses or messages where the end recipient is determined to be invalid after the SMTP conversation.

Delayed bounce messages get returned to the sender's MAIL FROM address. Unfortunately, this address is easily forged and is almost always wrong in spam or virus infected messages. The result is that innocent bystanders can be bombarded with bounce messages, while recipient mail servers identify the bounce source (not the original sender) as the source of unwanted email. Rightly or wrongly, this flood of bounce messages is often tagged as spam and can negatively impact the bounce sender's reputation.

There are a number of solutions to this problem. The first is to configure your receiving mail server to validate the recipient and perform other checks before accepting a message; this removes any need to send a separate bounce message, and lets the sender know there is a problem. A second possible solution is to implement sender authentication checks, such as SPF, that allow you to test if a MAIL FROM address has been forged before sending a bounce.
A third solution is to simply not send delayed bounces at all. Finally, if your company's policy requires that you send bounces and the solutions above are not possible, you should send these bounce messages from a different IP address than the IP address used for other business email. This will allow recipients to block bounce messages while not impacting the reputation of your primary mail server. Your choice of solution will depend on your own situation and accepted mail policies.

d. Try to keep stable domain names and IP addresses

Spammers jump around on many different IP addresses, IP blocks, and domain names to try to avoid the impact of their behavior. Legitimate senders will try to stay with the same sending address and domains for a long period of time so that receivers will grow to know and trust the mail they see from those addresses. Many receivers will treat a brand new sender with skepticism until they have time to prove that they send only trusted mail.

e. Maintain up-to-date anti-virus solutions

Computer viruses, by definition, propagate and reproduce themselves. If your network is frequently infected, other organizations will be forced to block or restrict your mail to protect themselves. Viruses can convert machines into zombies and turn your network into a massive spam source. Protect yourself with up-to-date AV software. The best solutions include a multi-layered approach with multiple AV vendors and a preventive AV solution to catch new virus outbreaks (see more on IronPort's Virus Outbreak Filters).

f. Configure DNS records correctly

You should keep your DNS information accurate and up to date. For example, forward and reverse DNS records should resolve correctly for the hostname you are using to send email (you can confirm this is the case at www.senderbase.org). For a basic check to confirm that your DNS is properly configured, you can also send an email to dnscheck@ironport.com and you'll get an automated report with some basic information on whether your outbound mail server follows DNS practices commonly used by legitimate senders.

Senders are also encouraged to publish SPF records to support the Sender-ID initiative (get more information at Microsoft's Sender ID site or at Pobox.com) and help prevent others from fraudulently using your domain name to send email. Senders are also encouraged to sign outbound email using Yahoo!'s Domain Keys.

g. Segment different types of mail

Different types of mail have different levels of importance. Corporate mail and transactional mail are truly mission-critical for most organizations, and even occasional blacklisting cannot be tolerated. Marketing and promotional mail may be controlled by a completely different group and managed through a different process. It is essential that you keep these different mail streams separate and sending over different IP addresses. Without this protection, practices of the email marketing group can impact the daily operations of the entire company. Mailers employing best practices also segment different lists and advertising campaigns to protect communications to their best customers and improve tracking of success rates.

2) For ISPs

a. Watch for and control zombie machines

The single largest source of spam on the Internet today is from hijacked machines of end users. Viruses can infect unsuspecting users and convert home PCs into spam engines, open proxies used to mask the identity of the real spammers, web servers for phishing attacks, or other nefarious purposes. The rapid growth of residential broadband connections and the convergence of spam and viral threats make this one of the largest issues facing many ISPs.
If an ISP allows users to send mail directly to the Internet, it may be especially difficult for them to see when a machine has been infected. IronPort's SenderBase can be a useful tool in this respect; ISPs can find IP addresses within their own network that should not be sending mail. This is a strong indicator of zombie machines on their network. Some ISPs have also implemented IronPort's Reputation Filters to monitor and control outbound mail traffic and in turn protect their reputation as email senders. A useful site to check to see if an individual PC has been compromised is: http://cbl.abuseat.org/

b. Monitor and control users on your network

Make sure that you know who is sending out mail from your network. There should be good control over who is authorized to send mail, and monitoring should be in place to track anomalies and large changes. Spammers or other users abusing the network should be tracked and shut down. This type of monitoring should be not only for mail routed through your own mail servers, but also for mail sent directly to the Internet from your network. It is everyone's responsibility to make sure their own network is free of these types of senders.
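
One way to find addresses in your own network that should not be sending mail, as described in sections 2a and 2b, is to look for hosts that connect straight to outside mail servers on port 25. This is an added example, not part of the original white paper; the flow-log format, the address ranges, the relay list and the threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log: "<time> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
2005-07-26T10:00:01 10.20.0.5 198.51.100.10 25
2005-07-26T10:00:02 10.20.0.5 203.0.113.40 25
2005-07-26T10:00:02 10.20.0.5 192.0.2.8 25
2005-07-26T10:00:03 10.20.3.77 198.51.100.10 25
2005-07-26T10:00:03 10.20.3.77 198.51.100.11 25
2005-07-26T10:00:04 10.20.3.77 203.0.113.40 25
2005-07-26T10:00:04 10.20.3.77 192.0.2.8 25
2005-07-26T10:00:05 10.20.3.77 192.0.2.8 25
2005-07-26T10:00:06 10.20.4.12 10.20.0.5 25
2005-07-26T10:00:07 10.20.4.12 203.0.113.40 587
2005-07-26T10:00:08 10.20.9.9 192.0.2.8 25
garbage line
"""


def find_direct_senders(flow_text, own_network, authorized_relays,
                        min_destinations=3):
    """Return (src, distinct_destinations, connections) for hosts inside
    own_network that open port-25 connections to outside servers without
    being an authorized relay, most widely spread first."""
    net = ipaddress.ip_network(own_network)
    relays = {ipaddress.ip_address(r) for r in authorized_relays}
    destinations = defaultdict(set)
    connections = defaultdict(int)

    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # malformed record
        _, src, dst, port = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if port != "25":
            continue                      # 587 submission is client traffic, not relaying
        if src_ip not in net or src_ip in relays:
            continue                      # outside our network, or allowed to send
        if dst_ip in net:
            continue                      # handing mail to our own relay is the normal path
        destinations[src_ip].add(dst_ip)
        connections[src_ip] += 1

    flagged = [(str(ip), len(dsts), connections[ip])
               for ip, dsts in destinations.items()
               if len(dsts) >= min_destinations]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))


def demo():
    return find_direct_senders(SAMPLE_FLOWS, "10.20.0.0/16", ["10.20.0.5"])


if __name__ == "__main__":
    for src, dsts, conns in demo():
        print(f"{src}: {conns} port-25 connections to {dsts} outside servers")
```

In the sample, 10.20.9.9 stays below the threshold because a single destination is more consistent with a small self-hosted server than with a zombie; tune `min_destinations` to your own traffic.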

3) For Email Advertisers and Marketers

a. Implement strong list management practices

You should use caution and care before adding names to a list for a mailing. Where did the email addresses come from? What kind of mail exactly should these people reasonably expect to get? You should use EXTREME caution when using any email addresses that your own company did not collect directly; integrating a bad list can do significant damage to your email reputation.

b. Make sure to get consent before sending email

This is one of the basic principles behind not sending spam: recipients of your mail should want and agree to receive mail from you. There are different levels of consent:

o Highest Level - Confirmed Opt-In (or Double Opt-In): In this case, an end user provides an email address affirming that they want to receive email, and immediately gets an email back notifying the end user of the subscription. The end user must take an action (either clicking on a link or returning to a website) to actually begin receiving mail.
o Middle Level - Verified Opt-In: an end user provides an email address affirming that they want to receive email, and immediately gets an email back notifying the end user of the subscription.
o Minimal Level - Opt-In: an end user provides an email address affirming that they want to receive email.

The more strict and rigorous you are about making sure that end users want to receive your mail, the better your email reputation will be. The best email senders will periodically re-confirm their list to make sure that their list is clean.

c. Monitor and reduce end user complaints

One of the best ways to make sure that you are employing good email practices and managing your reputation is by keeping a close eye on consumer complaints. If you have an excessive number of complaints or experience a sudden spike, it is a good indicator that something needs attention quickly.
Usually, it requires some additional investigation to find out why consumers are complaining, but this will definitely pay off in the long run in customer satisfaction and retention. There are a number of sites where you can go to request statistics about your complaints: AOL (http://postmaster.aol.com/tools/fbl.html) is one of the most popular. Even some noncommercial senders may want to take this step to proactively monitor their complaint rates.

d. Make it clear who you are and why you are sending mail

Again, this is a basic principle of sending legitimate email. Spammers will hide and obfuscate their identity to avoid the backlash of angry recipients of their mail. Make it clear who you are when you send email, and make sure there is an easy way for recipients to get in contact with you.

e. Respond to your customers and take complaints seriously

This is just a plain good business practice. If you are getting complaints about anything around your email, listen and take them seriously. Even if you are CAN-SPAM compliant, this is no guarantee that people want to receive your mail.

f. Process requests to be removed from your mailing lists

There must be an easy way for recipients of your mail to stop receiving it if they choose. Honor these requests as quickly as you can.

g. Don't overwhelm recipients with mail

Different receivers have different policies about how much mail they will accept from senders. If you exceed pre-determined limits at some receivers, they will begin throttling your connections or blocking your mail entirely. You need to be able to monitor this behavior and adjust your sending policies accordingly to make sure that you don't send more than receivers are willing to take, and block up your own queues in the process.

h. Process bounces you receive

Like unsubscribe requests, bounces are a good sign that there is an email address that should be removed from your list. Some bounces are just temporary problems that will get solved, but continuing to send email to users that no longer exist, for example, will negatively impact your reputation.

B. How We Monitor Reputation

There are a number of different ways that we track email senders in order to determine reputation. Reputation is determined using strictly objective data that is updated in near real-time and statistically correlated with the probability that a message from a given source is legitimate. Absolute values of the parameters below are important, but anomalous changes to email traffic patterns can be the most useful indicator of emerging security threats.

Different parameters have different weightings in the reputation system and influence the reputation score for different periods of time. In order to stop the highest percentage of new and fast changing threats, reputation scores will often react quickly downward after threatening behavior is exhibited from an IP address. It will typically take longer for a reputation score to recover after problematic behavior is observed. For example, it may take several days for a score to return to a neutral level after a problem is experienced and then several weeks to return to the original levels prior to the problem.
Often the best way to improve a reputation score is to continue to send legitimate email for a sustained period of time.

1. Global Email Sending Volume

Patterns in email sending volume are one of the most valuable parameters in determining reputation. For instance, a large amount of volume from a dynamic IP address that has never sent mail before is a possible indicator of zombie behavior.

2. End-User Complaints

Feedback from end users is one of the most accurate ways to simultaneously account for a variety of factors. A few complaints are expected, but a high complaint rate is a strong indicator of problems. Many ISPs collect and track complaints from their end users.

3. Spamtrap hits

Spamtraps are special email accounts that are not used for any legitimate purpose, and should never receive email. Depending on the type of trap, this can be an indicator of directory harvest attacks, web scraping for email addresses, or other poor list collection practices. A properly implemented confirmed opt-in list should never hit spamtraps, since there is no one to respond to the confirmation requests that get sent to the forged email address.

4. Geographical Information (sender and receiver)

The geographic location of senders and their intended recipients also plays a role in profiling patterns of both good and bad email senders. There are not good and bad areas per se, but there is a statistical correlation between location of a sender and the average quality of mail. Current legislation, amount of legal enforcement, and cost of network bandwidth in a country can all impact the type of mail coming from a country or region.

5. External Blacklists and Whitelists

There are a number of available lists that provide recommendations of good and bad senders. They vary widely in efficacy, accuracy, and response speed; these differences are factored into your reputation score. An entry on a single list is unlikely to severely impact a reputation score on its own. However, in combination with other factors, it can play an important role. An example of a well-managed list used to assign a reputation to an IP address is the Spamhaus Block List (www.spamhaus.org).

6. Open Proxy and Compromised Host Lists

There are few (some would argue no) valid reasons for operating an open proxy. There are several ways to detect and track whether a host is an open proxy or has been compromised, including publicly available lists such as NJABL (http://www.njabl.org/).

7. Dynamic IP Lists

Many zombies find their targets on dynamic IP address ranges used by consumers. Mail coming directly from these ranges may be legitimate, but is suspect. Most legitimate mail will be relayed through an ISP's outbound mail servers or sent directly from a mail server that uses a static IP address.

8. Whois and Domain Registration Information

Information about the responsible party behind an IP address or domain can be very informative. This type of data allows otherwise unrelated addresses to be linked together. Also, maintaining these records helps demonstrate that a sender is open to disclosing his or her identity to someone who wants to know.

9. Sender Authentication Records (e.g., Sender ID, SPF, or Domain Key records)

Sender authentication records provide additional information about a sender's identity, allowing email receivers to better detect forgeries, spoofed addresses, and fraudulent mail. If an IP address originates messages using domain names for which it is not authorized, this is a clear point of concern.

10. Identity and Type of Sender Organization

Knowing more about the actual organization behind an IP address or a domain and the processes they use to manage their mail infrastructure can also provide insight into the quality of email originating from that IP. Often (but not always) a large company with a well-known brand has a greater interest in managing and controlling the type of outbound email from its infrastructure. Spammers and other creators of email threats aspire to be anonymous in order to avoid being held accountable for the messages they send.
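
The sender authentication check in item 9, applied to the delayed-bounce advice in section A.1.c (test whether MAIL FROM was forged before sending a bounce), can be sketched as follows. This is an added example, not part of the original white paper: it evaluates only the `ip4`, `ip6`, `include` and `all` SPF mechanisms and reports anything else as "unsupported", and the domains, TXT records and addresses are constructed sample data.

```python
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, domain, txt_lookup, depth=0):
    """Evaluate a subset of SPF for client_ip against domain's published record."""
    if depth > 10:                         # guard against include loops
        return "permerror"
    records = [t for t in txt_lookup(domain.lower())
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:                   # more than one SPF record is an error
        return "permerror"
    addr = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term    # no qualifier means "+"
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = spf_check(client_ip, arg, txt_lookup, depth + 1)
            if inner in ("permerror", "unsupported"):
                return inner
            if inner == "none":            # included domain has no record
                return "permerror"
            matched = inner == "pass"      # only an inner pass counts as a match
        else:
            return "unsupported"           # a, mx, exists, redirect=, macros
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def bounce_decision(mail_from, client_ip, txt_lookup):
    """Decide whether a delayed bounce may go to the envelope sender."""
    if mail_from in ("", "<>") or "@" not in mail_from:
        return "no-bounce", "null or unusable sender"
    domain = mail_from.strip("<>").rpartition("@")[2]
    result = spf_check(client_ip, domain, txt_lookup)
    if result == "pass":
        return "send-bounce", "SPF pass: MAIL FROM domain authorizes this client"
    return "no-bounce", "SPF " + result + ": MAIL FROM may be forged"


# Constructed TXT records so the example runs offline.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
}


def sample_lookup(domain):
    return SAMPLE_TXT.get(domain, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.9"):
        print(ip, bounce_decision("user@example.com", ip, sample_lookup))
```

Rejecting an invalid recipient during the SMTP conversation remains the first choice in section A.1.c; this check applies only when a message has already been accepted.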