CipherTrust e-mail reputation system spots bots

E-mail security company CipherTrust has updated the TrustedSource e-mail reputation system that it claims will make it easier to block spam e-mail by weeding out traffic from "zombie" machines that have been taken over by malicious hackers, the company said Monday.

The latest version of TrustedSource, Version 3.0, integrates data from enterprise e-mail traffic processed by more than 1,600 IronMail e-mail gateways used by CipherTrust customers. The new data allows TrustedSource to create a more accurate e-mail reputation for inbound e-mail, including whether a message originated from one of thousands of infrequent e-mail senders believed to be associated with compromised systems, according to a statement by CipherTrust.

The TrustedSource data is accumulated by the CipherTrust Message Profiler, a component of IronMail appliances that examines e-mail messages. That information is used to create an e-mail reputation that is circulated back to IronPort appliances.

Compared with earlier versions of TrustedSource, Version 3.0 is more dynamic, gathering and analyzing data in real time from IronMail installations, then using that data to calculate mail reputations, said Matt Anthony, director of product marketing at CipherTrust.

The new dynamic reputation system will help spot traffic from "bad senders" such as zombie PCs and new threats without needing specific attack signatures, he said.

Currently TrustedSource has data on about 50 million IP (Internet Protocol) addresses. Analysis of those addresses helped CipherTrust refine its approach to identifying spam, Anthony said.

"We noticed that the number of IP addresses we were monitoring had leveled off at around 50 million, and that around 30 percent of the e-mail we were seeing every day was from IP addresses we've never seen before," he said.

Further analysis showed that around 95 percent of the mail from new IP addresses was malicious, usually from tens of thousands of new zombie machines that TrustedSource identifies each day.

"We found that we could develop a probability of threat, even if we had never seen an IP address before by determining how persistent the IP address is at sending e-mail," Anthony said.

The frequency with which the source IP address sends mail is now one factor used in the TrustedSource service to assign e-mail messages a threat score, causing it to be quarantined, blocked or delivered by the IronMail devices. Other factors are keywords in the message text, whether a spoofed sender address is used, and whether the message has a malicious attachment, he said.

TrustedSource is available Monday as a free update for CipherTrust customers who have purchased maintenance and support.

Join the newsletter!

Error: Please check your email address.
Show Comments

Market Place