The Death of IP Based Reputation

Laura Atkins

Back in the dark ages of email delivery the only thing that really mattered to get your email into the inbox was having a good IP reputation. If your IP sent good mail most of the time, then that mail got into the inbox and all was well with the world. All that mattered was that good IP reputation. Even better for the people who wanted to game the system and get their spam into the inbox, there were many ways to get around IP reputation.

Every time the ISPs and spam filtering companies would work out a way to block spam using IP addresses, spammers would figure out a way around the problem. ISPs started blocking IPs, so spammers moved to open relays. Filters started blocking open relays, so spammers moved to open proxies. Filters started blocking open proxies, so spammers created botnets. Filters started blocking botnets, so spammers started stealing IP reputation by compromising ESP and ISP user accounts. Filters were constantly playing catch-up with the next new method of getting a good IP reputation while still sending spam.

While spammers were adapting and subverting IP-based filtering, a number of other things were happening. Many smart people in the email space were looking at improving authentication technology. SPF was the beginning, but problems with SPF led to DomainKeys and DKIM. Now we're even seeing protocols (DMARC) layered on top of DKIM. Additionally, data storage and processing got cheaper and data mining software got better.

The improvement in processing power, data mining and data storage made it actually feasible for ISPs and filtering companies to analyze content at standard email delivery speeds. Since all IPv4 addresses are now allocated, most companies are planning for mail services to migrate to IPv6. There are too many IPv6 IPs to rely on IP reputation for delivery decisions.

What this means is that in the modern email filtering system, IPs are only a portion of the information filters look at when making delivery decisions. Now, filters look at the overall content of the email, including images and URLs. Many filters are even following URLs to confirm that the landing pages aren't hosting malicious software and aren't content that's been blocked before. Some filters are looking at DNS entries like nameservers and seeing if those nameservers are associated with bad mail. That's even before we get to the user feedback, in the form of "this is spam" or "this is not spam" clicks, which now seem to affect content, domain and IP reputation.

I don't expect IP reputation to become a complete non-issue. I think it's still valuable data for ISPs and filters to evaluate as part of the delivery decision process. That being said, IP reputation is so much less a guiding factor in good email delivery than it was 3 or 4 years ago. Just having an IP with a great reputation is not sufficient for inbox delivery. You have to have a good IP reputation and good content and good URLs.

Anyone who wants good email delivery should consider their IP reputation, but only as one piece of the delivery strategy. Focusing on a great IP reputation will not guarantee good inbox delivery. Look at the whole program, not just a small part of it.

By Laura Atkins, Founding partner of anti-spam consultancy & software firm Word to the Wise.

Related topics: Email, IP Addressing, IPv6, Spam

Comments

Norman Miller – Jul 15, 2013 1:38 PM PST

Except that SMTP operators closed off open access, as did proxy operators; which led to a spate of unsolicited, forged "from Microsoft" email purporting to offer system updates which were actually bots. Then ISPs started closing off outbound port 25 access to their (usually technologically naive) residential customers.

The escalations were largely based on spammer abuse of resources not theirs to use, and the defensive measures taken by resource owners. Stating that such defensive measures "caused" the creation of botnets and account compromise is like stating that the use of locks caused the rise in number of B&E crimes.
