RE: Email reputation for inout to IDSs?

["Bourque Daniel" <Daniel.Bourque () loto-quebec com>]

Look at TrustedSource

http://www.trustedsource.org/ 

-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la part de Tremaine Lea
Envoyé : 25 novembre 2008 20:32
À : Sanjay R
Cc : Gautam Singaraju; focus-ids () securityfocus com
Objet : Re: Email reputation for inout to IDSs?

Hi Sanjay,

Conversely to your point, IP addresses/email addresses that have poor
reputations due to being a source of UCE/UBE go under heightened
scrutiny or may be blocked based on the implementers policy/preference
for other protocols.

There are a few IPS/IDS solutions out there utilizing email reputation
as part of their solutions, and they primarily get their strength from a
centralized managed db on the part of the vendor supplying the solution.

Cheers,

---

Tremaine Lea
Network Security Consultant
Intrepid ACL
Paranoia for hire

The best way to find out if you can trust somebody is to trust them. -
Ernest Hemingway
On Tue, 2008-11-25 at 21:09 +0530, Sanjay R wrote:
> Hi Gautam:
> My general feeling towards the reputation system is "It is not a
> security mechanism" and it should be proven either by me or by someone
> else in more formal words/way.
> now let us take the scenario that you posed. each email has a
> reputaion value associated with it (magically!!) and IDS should scan
> it based on its reputaion value (in this way, we are anyway defeating
> the very purpose of having IDS). First thing is " what are parameters
> to be used in calculating reputaion?" Another thing is: You must be
> knowing that a virus/worm spread quite randomly (loosly speaking) and
> many emails infacted by a new virus will be having high reputaion
> values and therefore, bypass the IDS ( a case of false negative).
> Let me know if you are not convinced or I have missed something in your views.
> -sanjay
>
> On Tue, Nov 25, 2008 at 12:14 AM, Gautam Singaraju
> <gautam.singaraju () gmail com> wrote:
> > Sanjay,
> >
> > FYI: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1271716,00.html
> >
> > ---
> > Gautam
> >
> >
> >
> > On Mon, Nov 24, 2008 at 1:24 PM, Gautam Singaraju
> > <gautam.singaraju () gmail com> wrote:
> > > Hi Sanjay,
> > >
> > > I have a hearsay that some commercial products are in fact attempting
> > > this. I understand that inputs from IDSs are being used to 'refine'
> > > email reputation and vice-versa; though I have not seen any numbers
> > > that attempt these.
> > >
> > > The idea is that: IDSs can monitor connections from those senders
> > > closely depending on the reputation (reputation 80 to 100: basic
> > > checks; 50-80 moderate checks; less than 50 extensive checks). The
> > > number of classes and boundaries could be variable. In comparison,
> > > blacklist is just "good/bad".
> > >
> > > I want to test this theory that email reputation could be useful in
> > > more mechanisms that just classifying emails.
> > > ---
> > > Gautam
> > >
> > >
> > >
> > > On Mon, Nov 24, 2008 at 1:10 PM, Sanjay R <2sanjayr () gmail com> wrote:
> > > > Hi Gautam,
> > > > Can you please mention those references that have tried to incorporate
> > > > email reputation systems into an IDS? To me, it appears that this type
> > > > of solutions are more close to creating a "black-list" rather than
> > > > core functionality of IDS i.e detecting an attack (malicious
> > > > activities).
> > > >
> > > > -sanjay
> > > >
> > > > On Sun, Nov 23, 2008 at 6:51 AM, Gautam Singaraju
> > > > <gautam.singaraju () gmail com> wrote:
> > > > > All,
> > > > >
> > > > > I have been working in email reputation system that has computed
> > > > > sender reputations for over an year. I believe that there are couple
> > > > > of efforts to incorporate email reputations into IDSs. Is someone in
> > > > > the group working on this? Are there any IDSs which can be configured
> > > > > to perform extensive analysis for non-reputable senders? I would be
> > > > > interested in sharing this data with other researchers in the group.
> > > > >
> > > > > ---
> > > > > Gautam
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > > Test Your IDS
> > > > >
> > > > > Is your IDS deployed correctly?
> > > > > Find out quickly and easily by testing it
> > > > > with real-world attacks from CORE IMPACT.
> > > > > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > > > > to learn more.
> > > > > ------------------------------------------------------------------------
> > > >
> > > >
> > > >
> > > > --
> > > > Computer Security Learner


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------


Mise en garde concernant la confidentialité : Le présent message, comprenant tout fichier qui y est joint, est envoyé à 
l'intention exclusive de son destinataire; il est de nature confidentielle et peut constituer une information protégée 
par le secret professionnel. Si vous n'êtes pas le destinataire, nous vous avisons que toute impression, copie, 
distribution ou autre utilisation de ce message est strictement interdite. Si vous avez reçu ce courriel par erreur, 
veuillez en aviser immédiatement l'expéditeur par retour de courriel et supprimer le courriel. Merci! 

Confidentiality Warning: This message, including any attachment, is sent only for the use of the intended recipient; it 
is confidential and may constitute privileged information. If you are not the intended recipient, you are hereby 
notified that any printing, copying, distribution or other use of this message is strictly prohibited. If you have 
received this email in error, please notify the sender immediately by return email, and delete it. Thank you!


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------