IP Reputation and Spam Prevention: Working with Email Providers

Today, spam may not be regarded as the most high-profile concern, but it’s still a serious day-to-day threat. Every month, our users alone have to deal with billions of spam messages. These are also frequently used to deliver malware using attachments or links to malicious sites.

One of the most powerful tools in dealing with spam is IP reputation. This checks the IP address that sent a particular email against addresses that are known to have sent spam messages before. These addresses come both from external sources and internal threat intelligence sources.

IP reputation is necessary because of the large volume of spam messages that all organizations have to deal with. The volume is simply too high to filter email based strictly on content and/or included links. IP reputation can catch large volumes of spam messages while using relatively few of the organization's resources. This also reduces the load on other security solutions like content and file scanning. Error messages can be sent back so that the sender of the email is informed why their messages were not accepted.

Many organizations rely on email as a key communications tool. With more and more spam messages arriving in their mailboxes, they are always looking for spam filtering solutions. IP reputation is an excellent solution in this context; the organization’s mail servers check the IP reputation of the sending server during the SMTP handshake. This gives the receiving server an opportunity to reject incoming emails.
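The connect-time check described above, as an added example rather than code from the original post: a receiving server looks up the connecting IP in a reputation table and chooses its first SMTP reply, including the reason sent back to the sender. The table entries (documentation address ranges), the hostname `mx.example.test`, the reply texts and the choice to answer 421 for an unparseable address are assumptions made for illustration.

```python
import ipaddress

# Constructed reputation data: (network, source, reason).
# Addresses are documentation ranges, not real listings.
REPUTATION = [
    ("192.0.2.0/24", "external", "listed by third-party feed"),
    ("198.51.100.0/24", "external", "listed by third-party feed"),
    ("198.51.100.25/32", "internal", "spam seen by internal threat intelligence"),
    ("2001:db8:bad::/48", "external", "listed by third-party feed"),
]


def load_reputation(entries):
    """Parse raw entries into (ip_network, source, reason) tuples."""
    return [(ipaddress.ip_network(net), src, why) for net, src, why in entries]


def lookup(ip, table):
    """Return the most specific listing that covers ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    hits = [e for e in table if e[0].version == addr.version and addr in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen, default=None)


def smtp_connect_reply(ip, table):
    """Choose the server's first SMTP reply for a connecting peer."""
    try:
        hit = lookup(ip, table)
    except ValueError:
        # Assumption: an address we cannot evaluate gets a temporary failure.
        return "421 4.7.0 Cannot evaluate client address, try again later"
    if hit is None:
        return "220 mx.example.test ESMTP ready"
    net, source, reason = hit
    # Permanent rejection that tells the sender why, so a legitimate
    # sender (or their ESP) can follow up on a false positive.
    return f"554 5.7.1 Connection from {ip} refused: {reason} ({source} list, {net})"


TABLE = load_reputation(REPUTATION)

if __name__ == "__main__":
    for peer in ("203.0.113.5", "192.0.2.10", "198.51.100.25", "2001:db8:bad::1"):
        print(peer, "->", smtp_connect_reply(peer, TABLE))
```

Because the decision is made before any message data is transferred, listed senders are turned away without invoking content or file scanning.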

Sometimes, however, even legitimate email senders are affected by this. For example, if the server they are using, or the server used by their email provider, was flagged for sending spam in the past, then the emails they send may be tagged as spam. In this post, we’ll explain why this happens and how email senders can take action.

How do legitimate email senders get tagged as spammers?

There are many more parties involved in email than just “sender” and “recipient”. There are actually multiple “roles” involved, which include the following:

  • Email Service Provider (ESP)
  • ESP customers
  • Spammers
  • Security solution providers
  • Users of email security solutions

Email service providers are organizations that allow their customers to send large numbers of bulk emails, such as newsletters. ESPs provide a good channel for business owners to communicate with their customers. However, cybercriminals also see this as an opportunity to reach their potential victims. Spammers compromise the accounts of legitimate email senders, or even sign up for the ESP's services themselves in order to abuse them. When this happens and spam messages sent through the ESPs are analyzed by email solutions, the SMTP servers of ESPs can inadvertently end up in IP blacklists.

More often than not, though, when an IP address is added to a blacklist, the registered owner is notified. The notification is sent to the contact information available through whois (in many cases, the ESP will be the listed organization here). This makes it critical for the whois information to be kept up to date, because if an IP is “wrongfully” added to a blacklist because of spammers using the same ESP, the result will be a false positive: legitimate email servers flagged as spam senders.

Are your emails being flagged as spam?

If you think your emails are being flagged as spam, the best course of action is to contact the ESP for assistance. The ESPs should serve as the liaison between their customers and security providers with IP reputation technologies. We, for instance, proactively work with various ESPs. In these cases, we provide the information necessary to shut down any abuse to the ESP, so no addresses need to be listed in blacklists and legitimate customers are not affected.

Email remains a very effective tool for communicating via the Internet, and we place great importance on making sure that it does not get abused for cybercriminal operations.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 3. September 2014, content source with full text you can find at link above.