Mail server reputation based filtering
Throughout the history of email, and of email spam control, the concept of ranking or reputation has been vital. Assessing the trustworthiness of an entity is how Google works for search, for instance, and the idea has been carried into many other applications online.
In the physical world we rely on authority and trust a lot. We need signatures from gazetted officers, we require medically certified professionals, and so on. Just as you need a driving license to drive, every mail server must have a good score to be able to send mail to us.
Enforcing this rule for spam control is what sender scoring is all about. The score is a simple integer between 0 and 100. It is not fractional and using it needs no complex math, but how it is computed and how it varies over time is complex and not very transparent. It works, so we use it.
Sender score is an e-mail server reputation system by Sender score. Email servers that send out spam or feature in RBL or DNSBL blacklists have a very low score, and senders from old trusted domains have a high score.
The score ranges between 0 and 100, just like a percentage. SpamCheetah rejects mails from senders whose score is less than 70.
Many senders do not have any score and they are considered genuine senders. The score keeps getting recalculated using a worldwide network of detection systems by senderscore.org.
Here is a sample output for you to get started.
    senderscore: link-connect addr=184.108.40.206 score=97
    $ dig -x 220.127.116.11
    ; <<>> DiG 9.16.8-Ubuntu <<>> -x 18.104.22.168
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49586
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;22.214.171.124.in-addr.arpa. IN PTR
    ;; ANSWER SECTION:
    126.96.36.199.in-addr.arpa. 813 IN PTR a27-208.smtp-out.us-west-2.amazonses.com.
    ;; Query time: 76 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Tue Jul 20 11:28:16 IST 2021
    ;; MSG SIZE rcvd: 109
    $ dig +short 188.8.131.52.score.senderscore.com
    127.0.4.98
The last octet of the answer on the last line above is the score. When the DNS query for the score of an IP address is constructed, the octets of the IP address are reversed.
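The lookup described above, as an added example that is not SpamCheetah's code: it builds the reversed-octet query name, reads the score from the last octet of the answer, and applies the article's threshold of 70 with unscored senders accepted. The function names, the sample address 192.0.2.10 and the check that the answer lies in 127.0.0.0/8 are assumptions made for illustration.

```python
import ipaddress
import socket

SCORE_ZONE = "score.senderscore.com"  # zone used in the dig example above
REJECT_BELOW = 70                     # threshold stated in the article


def score_query_name(ip, zone=SCORE_ZONE):
    """Reverse the IPv4 octets and append the score zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_score(answer):
    """Return the score carried in an A-record answer, or None if unusable."""
    if answer is None:
        return None
    try:
        octets = ipaddress.IPv4Address(answer.strip()).packed
    except ValueError:
        return None
    # Assumption: like other DNS-based lists, a valid answer is a loopback
    # address; anything else (e.g. a hijacked NXDOMAIN page) is ignored.
    if octets[0] != 127:
        return None
    score = octets[3]
    return score if score <= 100 else None


def decide(score, threshold=REJECT_BELOW):
    """Senders without a score are accepted; low scores are rejected."""
    if score is None:
        return "accept"
    return "reject" if score < threshold else "accept"


def lookup_score(ip):
    """Live lookup; a failed or empty resolution means 'no score'."""
    try:
        answer = socket.gethostbyname(score_query_name(ip))
    except OSError:
        answer = None
    return parse_score(answer)


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not a real sender.
    print(score_query_name("192.0.2.10"))
    print(decide(parse_score("127.0.4.98")))  # answer format from the page
```

Treating a lookup failure as "no score" keeps mail flowing when the resolver or the score zone is unreachable, which matches the accept-when-unscored behaviour the article describes.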
Sender scoring is very effective in avoiding bad senders, just like greylisting or RBL. Since the score is also computed dynamically, the accuracy is very high.
Sender score is very low for poorly configured mail servers or open relays. Even a simple misconfiguration can make you a spam source, and unless this emergency is redressed immediately your score could drop below the 40 watermark, at which point you often find that nobody accepts mails from you.
An open relay is a mail server that is configured to forward mail to any destination, which means it can be used as a zombie or bot to forward UCE/UBE to millions of destinations. Any systems administrator knows it is possible to misconfigure a mail server through a mistake in the configuration file, and voila, within minutes you are bombarded by spam.
In such cases it will take a few weeks before your mail server regains a good, acceptable score. So you need not be surprised if your mail ends up in Gmail’s spam folder. This could be one reason for it.
Even if your mail server is not configured as an open relay, there are bogons that bombard you once in a while and try to bring your network down by targeting the SMTP port. In all such cases the attackers go away, since their network resources are expensive and they can’t focus on your network for long.
As long as spam is not delivered or sent, you are safe anyway. Please note that in such cases your score is not affected. Your score is calculated only from the quality of the mails sent by your mail server.
Since the Internet is a place where reputation matters, be it for Google search SEO or email spam control, this measure is yet another that fits the same ideology.
Reputation in many forms has been used to fight spam for over 5 decades now. Sender reputation is also what an RBL lookup calculates, but that is usually a yes or no answer. Here it is a score, and we can tighten or loosen our measures by increasing or decreasing the acceptable score threshold.
Please note that many mail senders do not have any score assigned, and SpamCheetah accepts mails in such cases. In our own experience, we initially had a score and now we don’t. In such cases you cannot find out your score.
SpamCheetah uses several methods to fight spam, and this is only one of the many tricks, so you have nothing to configure. Just be informed that if your mail is quarantined or dropped, your sending score could be too low. There are many ways to find out your score. It is assigned by Validity Inc. but is free to use.
Sender score based mail filtering is a method that uses a DNS-assisted sender score value assigned to each mail server, whereby if the reputation score is low we can safely reject the connection.
SpamCheetah detects bad mail-sending IP addresses at the port of entry itself and drops them, thereby saving time and resources.
The sender score check happens early on, during the connection phase, and the SMTP dialogue cannot happen without a good score.
These are the factors that determine the sending score of a mail sender. A mail sender here could be one of the 1000 or so SPF-listed mail senders in the cloud providers of big mail corporations. The score is computed based on these parameters.
Several security products and public scanners like Shodan are able to assess network behavior. So you have multiple abuse lists like RBL, DNSBL and SURBL and the like.
To obtain a high sender score you may have to consistently stay out of blacklists or RBLs, not send campaign mails, and have an old, reputed domain. As your domain ages, your score improves, not just for Google but also for email reputation.
This technique is quite simplistic to use and hence may lead to some false positives, but at a practical level it is found to be useful, and it is unique to SpamCheetah, as other commercial spam control products do not seem to have it.
Using just one filtering method, you cannot claim to do your job well, so SpamCheetah employs a variety of methods that dovetail with one another to deliver a rich end user experience. Sender scoring is one such method. In fact, if you check your logs or latency graphs, you can see the score assigned to each incoming mail sender. Even reputed cloud companies end up having some mail senders that score very poorly, and we reject them till they retry from some higher-ranking host.
One classic example is the mxtoolbox.com website.
Most of the mail servers they use to run diagnostic tests have very poor scores. There are various actions you can take based on scoring, like delaying the SMTP conversation or greylisting based on a low score.