For the past several weeks I’ve been running Sendmail’s latest Sentrion Message Processing Engine (MPE) 4.0, which runs on all of Sendmail’s appliances, with the Sentrion IP Reputation application and Enterprise Anti-spam application (consisting of a policy-driven dual anti-spam engine).
I came up with some exciting results that I wanted to share with everyone. Note that I focused only on inbound message processing for this particular test.
For testing I used the out-of-box IP Reputation categories and actions that ship with Sentrion MPE 4.0; the only change was that I put the internal network IP ranges into the “Internal” class. RBLs are not currently in use.
The results I am seeing from Sentrion’s IP Reputation application are fantastic. IP reputation is like a grade. A known good sender IP gets an ‘A’, and a definitely compromised IP address that only sends spam gets an ‘F’. Spambots get an F. Known high-volume senders, including the “Big name” mail hosting services, who use great AS and AV, get an A.
This is why IP reputation goes beyond the functionality of an RBL approach; it grades good senders as well as bad; and it leaves room for the whole spectrum in between.
Sentrion MPE’s connection control module puts the worst of the senders (the ‘F’ senders) into a category called “blocklist”. Messages from these IPs are simply not allowed in; the SMTP connection is closed before any portion of the message is ever sent.
Now that I’ve explained this …. I’m seeing that 80% of all connections are being blocked by Sentrion’s connection control module upon initial connection, being in the ‘F’ category. I’ve checked around and this seems to be a pretty consistent number not only among Sendmail’s customers but also including other vendors who sell products in this space.
Just think about the implications of this! 80% of all email traffic on the Internet is coming from IP addresses that are compromised, and sending nothing but spam. (Imagine if that bandwidth and computing horsepower was put to good use instead; but that’s another blog.) All other categories – combined – are only 20% of Internet SMTP traffic.
Back to the point: the Sentrion MPE 4.0 IP Reputation application easily blocks the 80% of connections that are coming from these compromised IPs. It detects this at the beginning of the “envelope” stage, acting on just the source IP address information. And, once detected, the Sentrion even signals the Sentrion firewall to drop subsequent packets from that source for the next X hours.
The Results:
- This has dramatically reduced the bandwidth usage for me; it will do the same for our customers!
- This reduces the number of messages that make it in the door. Fewer messages to be AS and AV scanned; far lower CPU and disk utilization.
- Even with the initial 80% discard, 60% of the remaining messages that make it past the IP Reputation application are subsequently discarded after being identified as spam by Sentrion’s Enterprise Anti-spam application (dual-identified spam).
- For each 100 messages:
  - 80 messages are discarded by Sentrion’s IP Reputation application with about 0% system requirements
  - 12 messages are discarded by the Enterprise Anti-spam application
  - 8 messages proceed as far as Anti-virus and other scanning
Netting all of this out, I am a staunch believer that ALL Sentrion MP, MPV and MPQ customers should be using the Sentrion IP Reputation application. This reduces the number of inbound servers required, protects the customer against the increase in spam, and even reduces the amount of spam that hits users’ inboxes.
With the reduction in number of servers AND the reduction in CPU (hence cooling) requirements – the ROI lets the IP Reputation application pay for itself!
Good day!
Your topic is very interesting for me. I’ve been looking for any ideas on how to send mails and I think your ideas are relevant to my needs. Thanks and keep on sharing, God will bless you more….
Fritz