TrustedSource™ - Using Reputation To Protect Your Organization

Today’s spammers are more clever than ever, so today’s reputation systems must be equally sophisticated. An effective reputation system must be dynamic, comprehensive, precise and based on actual enterprise mail traffic in order to keep the spammers from gaining any advantage.

To that end, CipherTrust developed TrustedSource, the most precise and comprehensive reputation system available. TrustedSource keeps enterprises ahead of the spammers in the ongoing battle for the inbox by leveraging intelligence on e-mail senders and the types of e-mail they are sending from over 7000 sensors located in 48 countries worldwide. CipherTrust sees more email sent to enterprises and governments than any other messaging security vendor. What this means is that TrustedSource has more intelligence driving superior accuracy when creating a reputation score.

CipherTrust has integrated IP reputation identities into our IronMail® e-mail security appliances since early 2002 and provides real-time behavior analysis on more than one-third of the world’s enterprise messaging traffic. In many environments, CipherTrust has been able to block 80 percent of connections based purely on reputation data, increasing security levels while maintaining a false positive rate of less than one in one million.

How Does TrustedSource Work?

CipherTrust’s TrustedSource reputation engine helps to characterize the Internet’s messaging traffic and make it understandable and actionable. TrustedSource Message Reputation is particularly effective in identifying spammers who are using image proliferation and manipulation to evade detection. Leveraging the Company’s network of IronMail e-mail security appliances, TrustedSource:

• Analyzes thousands of fingerprints per message including embedded images and attachments.
• Exchanges more than 20 fingerprints for each message with the TrustedSource network.
• Correlates reputations assigned to each identity by intelligently aggregating the global behavioral and sending pattern knowledge available for each.
• Provides real-time data exchange to allow for instantaneous detection of new zombies and new spam outbreaks such image-based spam.
  

Network Effect Working for You

TrustedSource is the first and only reputation system to combine traffic data, whitelists, blacklists and network characteristics with the unparalleled strength of CipherTrust’s global network of over 1600 companies (over 40% of the Fortune 500) and over 7000 total deployments. The result is the most complete reputation system in the industry and the ability to score every IP address across the Internet.

TrustedSource created a profile view of all senders’ behavior based on criteria such as:

• When the sender is seen for the first time
• How much e-mail the sender is responsible for
• Does the sender both send and receive e-mail, or just send e-mails?
• Is the behavior seen intermittent in nature, or more of a continuous pattern?

TrustedSource then utilizes this profile to watch for deviations from expected behavior for any given sender. CipherTrust IronMail appliances report back to TrustedSource on all mail flow they are seeing giving TrustedSource a real-time view of worldwide mail traffic. Any deviations from predicted behavior are picked up by TrustedSource and if a new reputation score is derived for a given sender, that new score is immediately available to all IronMail units in the field.

Stop Zombies and Hackers

Rather than give the benefit of the doubt to unknown or unfamiliar senders, TrustedSource takes a “guilty until proven innocent” approach to reputation scoring. By examining the frequency with which we have seen e-mail activity from a particular IP address and the quality of the sent messages (via IronMail’s Message Profiler), TrustedSource assigns the address a probability of being a spammer or zombie machine that has been taken over by hackers and used to send spam, viruses or other unwanted messages.

Based on information gathered from IronMail units in the field, CipherTrust identified approximately 50 million IP addresses that send approximately 70% of all e-mail on a daily or nearly daily basis. The other 30% comes from IP addresses that have not been previously encountered, and of those messages, over 95% are spam, viruses or other undesirable messages, leading CipherTrust researchers to the conclusion that IP addresses that are encountered for the first time are more than likely zombie machines. CipherTrust typically identifies over 170,000 new zombies a day using this principle.

Constant Feedback

The more unwanted messages IronMail units encounter, the better they get at detecting and stopping them. TrustedSource provides real-time intelligence on sender status to IronMail units in the field. based on continuous feedback from those units on the types of email they are seeing, who the senders are, Message Profiler scores of all inbound email, and more. Creating a cycle of feedback benefits all parties involved (except the spammers) and allows IronMail to achieve the highest level of accuracy in distinguishing the good e-mail from the bad. By tracking sender behavior over time, CipherTrust’s database of sender reputation is constantly growing and being refined.

TrustedSource Portal

This is a free online resource that provides precise information about e-mail sender reputation by domain and IP address. Located at www.TrustedSource.org, the TrustedSource Portal is the only website in the world that provides administrators a view into current and historical reputation and sending patterns of the senders, as well as analytical information such as country of origin, network ownership, and hosts for known senders within each domain. Additionally, the TrustedSource Portal provide a snapshot of global e-mail trends, including a map illustrating country of origin for e-mail attacks, graphs displaying overall e-mail and spam volume trends, CipherTrust’s ZombieMeter, and a snapshot view of e-mail authentication deployments across the internet.