IP Reputation

From GWAVA Technologies Training
Revision as of 19:29, 26 August 2013 by Admin (Talk | contribs)


Level 1

IP Reputation works much like the RBL interface in that it uses a blacklist, but it also has a whitelist for common mail sources. When used on an SMTP interface and configured for a connection drop, IP Reputation will temporarily fail messages from sources not found on either list. The temporary failure allows the sending SMTP gateway to retry, and IP Reputation will allow a repeated attempt from an unknown source to pass on to the Antispam filter. As with RBL, the header lines scanned may be limited and specified. (This can be used to skip lines added to the header by a proxy server or other service.)

The drop-at-connection settings for IP Reputation, RBL, and SPF are recommended as the default. This drops any incoming message that fails these initial incoming tests, saving bandwidth and preserving performance.


IP reputation is a service that allows GWAVA to filter messages based on the sending server's IP address. The types of messages sent from that IP address are tracked and stored, so GWAVA knows whether the sending server is a likely source of spam.

There are three functions of IP reputation:

1) Blacklist

 Much like RBL, a blacklist is kept of known IP addresses of spammers.
 SMTP scanner using connection dropping:
 If a message comes from a blacklisted sender to the SMTP scanner with connection dropping enabled, a 5xx level error is returned to the sending server. The 5xx error is returned before the message is even received, saving the server from having to run any other tests on the message. This is the ideal setting.
 Any scanner using header scanning:
 If you do not have connection dropping enabled or are not using an SMTP scanner, we can still use the blacklist to our advantage. Just like RBL, we can scan the header lines of the message for IP addresses and see if any of those hops are on the blacklist. If one of the IPs is on the blacklist, the message will follow the rules you assigned to that server (block, quarantine, etc.).

2) Greylist

 One of the problems with any sort of anti-spam solution is that it is highly reactive. Once a new type of spam message is used, there is a short delay before we can come up with a good way to block it. This is another area where IP reputation can really be useful. Any time we begin to see messages from an IP address we have not seen before, a 4xx level error is returned to the sending SMTP server. A 4xx level error means "try again later". 99% of legitimate email servers will in fact try again later, and if they do, we will let the message pass the IP reputation service. Spammers usually won't try to send the message again. Because of this, IP reputation gives you a little bit of protection against zero-day spam, or spam we haven't seen before.
 Note: This feature is only available when using an SMTP scanner with connection dropping turned on.

3) Whitelist

 One of the side effects of using the greylisting feature is that legitimate senders' mail can be delayed from time to time. To mitigate this, there is also a whitelist. The whitelist contains a list of IP addresses of known good senders, so that common sources of email won't be delayed by the greylisting feature. Common senders include Gmail, Yahoo, Hotmail, etc. Most of your good mail won't be delayed because its sender will already be on the whitelist the first time the messages come in.


By using IP reputation you protect yourself from known spammers and also from any new spammers that may pop up. It is highly recommended to use IP reputation with an SMTP scanner with connection dropping enabled to take advantage of all its capabilities.
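
The connection-drop decision and the header-scanning fallback described above, modelled as an added example (not GWAVA code). The list contents, the function and parameter names, checking the blacklist before the whitelist, and passing any repeat attempt without a time window are assumptions.

```python
import ipaddress
import re

# Constructed sample lists (documentation address ranges), not GWAVA data.
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _listed(ip, networks):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in networks)

class ConnectionFilter:
    """Hypothetical model of an SMTP scanner with connection dropping enabled."""

    def __init__(self):
        self.deferred = set()  # unknown IPs that already received one 4xx

    def decide(self, ip):
        if _listed(ip, BLACKLIST):   # assumption: blacklist is checked first
            return "5xx reject"      # refused before the message is received
        if _listed(ip, WHITELIST):
            return "pass"            # known good sender, never delayed
        if ip in self.deferred:
            return "pass"            # repeated unknown attempt goes on to antispam
        self.deferred.add(ip)
        return "4xx defer"           # first contact from an unknown IP: retry later

def scan_headers(received_lines, skip=0, limit=None):
    """Header-scanning mode: return blacklisted hop IPs from Received lines.

    skip drops leading lines (e.g. added by a local proxy); limit caps how
    many of the remaining lines are scanned.
    """
    lines = received_lines[skip:]
    if limit is not None:
        lines = lines[:limit]
    hits = []
    for line in lines:
        for ip in IPV4_IN_BRACKETS.findall(line):
            try:
                if _listed(ip, BLACKLIST):
                    hits.append(ip)
            except ValueError:
                continue  # looks like an IP but is not valid, e.g. 999.1.1.1
    return hits
```
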

IP Reputation Setup

The GWAVA scanning system can provide signature and IP reputation services to other GWAVA servers in the same network. If a secondary GWAVA server is to provide the interface service, the connection information for that server must be specified via IP address. The default configuration is to have the local host provide the scanning service.
