Hi Sanjay,

Conversely to your point, IP addresses/email addresses that have poor reputations due to being a source of UCE/UBE come under heightened scrutiny, or may be blocked for other protocols, based on the implementer's policy/preference.
There are a few IPS/IDS solutions out there utilizing email reputation as part of their solutions, and they primarily get their strength from a centralized managed db on the part of the vendor supplying the solution.

Cheers,

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
Paranoia for hire

The best way to find out if you can trust somebody is to trust them. - Ernest Hemingway

On Tue, 2008-11-25 at 21:09 +0530, Sanjay R wrote:
> Hi Gautam:
> My general feeling towards the reputation system is "It is not a
> security mechanism" and it should be proven either by me or by someone
> else in more formal words/way.
> Now let us take the scenario that you posed. Each email has a
> reputation value associated with it (magically!!) and the IDS should scan
> it based on its reputation value (in this way, we are anyway defeating
> the very purpose of having an IDS). The first thing is: "What are the
> parameters to be used in calculating reputation?" Another thing is: you must
> know that a virus/worm spreads quite randomly (loosely speaking) and
> many emails infected by a new virus will have high reputation
> values and therefore bypass the IDS (a case of false negative).
> Let me know if you are not convinced or I have missed something in your views.
> -sanjay
>
> On Tue, Nov 25, 2008 at 12:14 AM, Gautam Singaraju
> <[EMAIL PROTECTED]> wrote:
> > Sanjay,
> >
> > FYI:
> > http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1271716,00.html
> >
> > ---
> > Gautam
> >
> > On Mon, Nov 24, 2008 at 1:24 PM, Gautam Singaraju
> > <[EMAIL PROTECTED]> wrote:
> >> Hi Sanjay,
> >>
> >> I have heard that some commercial products are in fact attempting
> >> this. I understand that inputs from IDSs are being used to 'refine'
> >> email reputation and vice versa, though I have not seen any numbers
> >> that attempt these.
> >>
> >> The idea is that IDSs can monitor connections from those senders
> >> closely depending on the reputation (reputation 80 to 100: basic
> >> checks; 50-80: moderate checks; less than 50: extensive checks). The
> >> number of classes and boundaries could be variable. In comparison, a
> >> blacklist is just "good/bad".
> >>
> >> I want to test this theory that email reputation could be useful in
> >> more mechanisms than just classifying emails.
> >> ---
> >> Gautam
> >>
> >> On Mon, Nov 24, 2008 at 1:10 PM, Sanjay R <[EMAIL PROTECTED]> wrote:
> >>> Hi Gautam,
> >>> Can you please mention those references that have tried to incorporate
> >>> email reputation systems into an IDS? To me, it appears that this type
> >>> of solution is closer to creating a "black-list" than to the
> >>> core functionality of an IDS, i.e. detecting an attack (malicious
> >>> activities).
> >>>
> >>> -sanjay
> >>>
> >>> On Sun, Nov 23, 2008 at 6:51 AM, Gautam Singaraju
> >>> <[EMAIL PROTECTED]> wrote:
> >>>> All,
> >>>>
> >>>> I have been working on an email reputation system that has computed
> >>>> sender reputations for over a year. I believe that there are a couple
> >>>> of efforts to incorporate email reputations into IDSs. Is someone in
> >>>> the group working on this? Are there any IDSs which can be configured
> >>>> to perform extensive analysis for non-reputable senders? I would be
> >>>> interested in sharing this data with other researchers in the group.
> >>>>
> >>>> ---
> >>>> Gautam
> >>>>
> >>>> ------------------------------------------------------------------------
> >>>> Test Your IDS
> >>>>
> >>>> Is your IDS deployed correctly?
> >>>> Find out quickly and easily by testing it
> >>>> with real-world attacks from CORE IMPACT.
> >>>> Go to
> >>>> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> >>>> to learn more.
> >>>> ------------------------------------------------------------------------
> >>>
> >>> --
> >>> Computer Security Learner
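The tiered policy Gautam sketches (reputation 80-100: basic checks, 50-80: moderate, below 50: extensive) and the IDS-to-reputation feedback he mentions, worked through as an added Python example. This is not code from the thread or from any product named in it; the three check stages, the penalty value, the sample senders and the worm signature string are all constructed here. The first case reproduces the false negative Sanjay raises: a new payload from a high-reputation sender never reaches the content scan.

```python
"""Reputation-tiered mail inspection with IDS verdicts fed back into reputation.

Illustrative only: the check stages below are toy stand-ins for real IDS rules.
"""
from dataclasses import dataclass

# Tier boundaries as proposed in the thread: score >= 80 basic, >= 50 moderate, else extensive.
TIERS = ((80, "basic"), (50, "moderate"), (0, "extensive"))

# Constructed signature standing in for a content-scanner rule; not a real malware pattern.
WORM_SIGNATURE = b"W0RM-SAMPLE-PAYLOAD"
RISKY_EXTENSIONS = (".exe", ".scr", ".pif")  # assumed denylist for the moderate stage


@dataclass
class Message:
    envelope_from: str
    header_from: str
    attachment_name: str = ""
    attachment_bytes: bytes = b""


def tier_for(score: int) -> str:
    """Map a reputation score to an inspection tier."""
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "extensive"


def check_basic(msg: Message):
    """Header sanity only: envelope sender and From: header must agree on domain."""
    env_domain = msg.envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = msg.header_from.rsplit("@", 1)[-1].lower()
    return None if env_domain == hdr_domain else "header/envelope domain mismatch"


def check_moderate(msg: Message):
    """Attachment-type denylist; does not look inside the attachment."""
    if msg.attachment_name.lower().endswith(RISKY_EXTENSIONS):
        return f"risky attachment type: {msg.attachment_name}"
    return None


def check_extensive(msg: Message):
    """Content scan of the attachment bytes against the constructed signature."""
    return "attachment matches worm signature" if WORM_SIGNATURE in msg.attachment_bytes else None


# Each tier runs every cheaper stage plus its own.
CHECKS = {
    "basic": [check_basic],
    "moderate": [check_basic, check_moderate],
    "extensive": [check_basic, check_moderate, check_extensive],
}


class ReputationIDS:
    def __init__(self, reputations: dict, penalty: int = 30):
        self.reputations = dict(reputations)
        self.penalty = penalty  # assumed: each alert knocks this much off the sender's score

    def inspect(self, msg: Message) -> dict:
        sender = msg.envelope_from.lower()
        score = self.reputations.get(sender, 0)  # unknown senders are treated as untrusted
        tier = tier_for(score)
        for check in CHECKS[tier]:
            reason = check(msg)
            if reason:
                # IDS verdict feeds back into reputation, so the next message is scrutinised harder.
                self.reputations[sender] = max(0, score - self.penalty)
                return {"tier": tier, "verdict": "alert", "reason": reason}
        return {"tier": tier, "verdict": "pass", "reason": None}


def run_scenario():
    """Constructed scenario: same worm payload from senders of differing reputation."""
    ids = ReputationIDS({"alice@example.net": 90, "bob@example.net": 60, "mallory@example.org": 40})
    infected = b"%DOC%\x00...\x00" + WORM_SIGNATURE + b"\x00..."
    results = [
        # 1. high-reputation sender, new worm: only header checks run -> false negative
        ids.inspect(Message("alice@example.net", "alice@example.net", "report.doc", infected)),
        # 2. low-reputation sender, same payload: content scan runs -> alert, score 40 -> 10
        ids.inspect(Message("mallory@example.org", "mallory@example.org", "report.doc", infected)),
        # 3. mid-reputation sender ships an .exe: moderate stage alerts, score 60 -> 30
        ids.inspect(Message("bob@example.net", "bob@example.net", "setup.exe", b"MZ\x90\x00")),
        # 4. same sender, now below 50: the worm in a .doc is caught by the extensive stage
        ids.inspect(Message("bob@example.net", "bob@example.net", "report.doc", infected)),
    ]
    return ids.reputations, results


if __name__ == "__main__":
    for r in run_scenario()[1]:
        print(r)
```

The first result is the case Sanjay describes: the message passes on the basic tier because nothing in that tier inspects the payload, and the sender's score stays at 90. The feedback path only helps once a sender has already tripped some check, as bob does in cases 3 and 4.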