We recently heard from Engate, which sells spam control technology to service providers and OEMs. The product is built around a proprietary IP reputation database.
The database is built using some unusual and interesting methods. Here are two examples:
- When a message arrives from an unknown IP address, Engate digs into the published DNS information for the address, for the rest of its subnet, and for its domain(s). It makes intelligent guesses about the structure of the source network. It tries to work out which machines are legitimate mail servers (and which have no business making SMTP connections). This allows it to build a list of IP address ranges that could in the future host virus-infected machines that are being remotely controlled by spammers (so-called zombies or bots).
- Engate includes rules for commonly forged domains, such as Hotmail.com and Yahoo.com. Engate already knows which IP address ranges are legitimate sources of mail from these service providers and can block forgeries sent from anywhere else. However, we expect that these rules will be replaced with SPF or DKIM lookups in the future.
When an Engate filter receives an SMTP connection from a known-bad IP address, it rejects the connection with a standard 5xx error. The error text includes a "magic cookie": if the rejection was a false positive, the sender can put the cookie into the subject line of the resent message in order to be whitelisted.
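The three mechanisms above (the reverse-DNS heuristic for machines that have no business making SMTP connections, the forged-domain rule keyed on legitimate source ranges, and the 5xx rejection carrying a magic cookie) fit together into one small gate. The following is an added example written for this note, not Engate's code, and it makes several assumptions: the PTR-name patterns, the hypothetical sender domain `bigwebmail.example` with its RFC 5737 documentation range, the `[MC:...]` cookie format and the placeholder HMAC key are all constructed, and the check is assumed to run at end of DATA so that the subject of a resent message is visible before the 5xx reply goes out.

```python
import hashlib
import hmac
import ipaddress
import re

# Reverse-DNS heuristics (constructed): names like these usually mark
# consumer or dynamic pools, which have no business making SMTP connections.
DYNAMIC_PTR = re.compile(r"(^|[.-])(dsl|dhcp|dyn|dynamic|ppp|cable|pool)([.-]|$)", re.I)
EMBEDDED_IP = re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}")
MAIL_HOST = re.compile(r"^(mail|smtp|mx|relay|out)\d*\.", re.I)


def classify_ptr(ptr):
    """Classify a reverse-DNS name as 'mailserver', 'dynamic' or 'unknown'."""
    if not ptr:
        return "unknown"  # a missing PTR is suspicious but not conclusive
    if MAIL_HOST.match(ptr):
        return "mailserver"
    if DYNAMIC_PTR.search(ptr) or EMBEDDED_IP.search(ptr):
        return "dynamic"
    return "unknown"


# Forged-domain rules (constructed): sender domain -> networks allowed to send its
# mail. The domain is hypothetical; the range is an RFC 5737 documentation prefix.
SENDER_RULES = {
    "bigwebmail.example": [ipaddress.ip_network("192.0.2.0/24")],
}


def is_forged(client_ip, mail_from_domain):
    """True when a rule exists for the domain and client_ip is outside its ranges."""
    nets = SENDER_RULES.get(mail_from_domain.lower())
    if nets is None:
        return False  # no rule for this domain: we cannot call it a forgery
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in nets)


# Magic cookie: an HMAC over the client IP, so it is verifiable without stored
# state and worthless from any other address. The key is a placeholder.
COOKIE_KEY = b"placeholder-secret-rotate-me"
COOKIE_RE = re.compile(r"\[MC:([0-9a-f]{12})\]")


def make_cookie(client_ip):
    return hmac.new(COOKIE_KEY, client_ip.encode(), hashlib.sha256).hexdigest()[:12]


class ReputationGate:
    """Decides per message whether to accept or return a 5xx carrying a cookie."""

    def __init__(self):
        self.whitelist = set()

    def screen(self, client_ip, ptr, mail_from_domain, subject=""):
        """Return (accepted, smtp_reply)."""
        if client_ip in self.whitelist:
            return True, "250 OK"
        # A resend whose subject carries a valid cookie for this IP clears the
        # false positive; the HMAC binding stops a cookie being reused elsewhere.
        m = COOKIE_RE.search(subject)
        if m and hmac.compare_digest(m.group(1), make_cookie(client_ip)):
            self.whitelist.add(client_ip)
            return True, "250 OK (sender whitelisted)"
        reason = None
        if classify_ptr(ptr) == "dynamic":
            reason = "dynamic/consumer address"
        elif is_forged(client_ip, mail_from_domain):
            reason = "not an authorized source for %s" % mail_from_domain
        if reason is None:
            return True, "250 OK"
        reply = ("550 5.7.1 Rejected by IP reputation (%s). If this is an error, "
                 "resend with [MC:%s] in the Subject line."
                 % (reason, make_cookie(client_ip)))
        return False, reply


if __name__ == "__main__":
    gate = ReputationGate()
    ip, ptr, dom = "203.0.113.7", "pool-203-0-113-7.cable.example", "bigwebmail.example"
    ok, reply = gate.screen(ip, ptr, dom)
    print(ok, reply)
    ok, reply = gate.screen(ip, ptr, dom, "Re: invoice [MC:%s]" % make_cookie(ip))
    print(ok, reply, sorted(gate.whitelist))
```

The order of checks matters: the whitelist and cookie redemption run before any reputation rule, so a legitimate sender stuck on a dynamic range is only ever rejected once. The cookie does nothing against a sender that parses bounces and replays it from the same address, which is why reputation data should gate, not replace, content filtering.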
While reputation-based filtering alone is not sufficient to filter spam effectively, Engate’s technology seems to have promise for OEMs who wish to add reputation technology into their spam control product, or for service providers who need to reject a large proportion of spam before it reaches their existing, overloaded filters.