Farsight Long View

Introduction to Reputation Systems

Written by: Kelly Molloy
Published on: Jul 9, 2015

Abstract

Paraphrasing Wikipedia, a reputation system computes and/or publishes a judgment, often in the form of a numeric score or grade, for a set of objects within a community or domain based on a collection of opinions from other objects or entities. For example, you may have seen mail or web traffic that had a “low score” and was rejected by a reputation system. This actually happens quite frequently on the Internet and many people do not know what a reputation system is or how it arrives at its verdict. In this introductory article, I will explain what a reputation system is and how it works.

IP- and Domain-based Reputation

There are many different kinds of reputation systems in active use today. There are reputation systems that deal with rating the trustworthiness and “spamminess” of individuals, such as the seller ratings at eBay, or the upvote/gold system at Reddit. Additionally, there are systems that rank and rate retail businesses based on user reviews. For this article, we will only be focusing on reputation systems that deal with IP and domain reputation.

In Reputation We Trust

Reputation systems such as these tell you if the IP or domain that you’re accepting (or about to accept) traffic from is considered trustworthy, untrustworthy, or somewhere in between. It is important to note that a reputation system is not intended to tell you if a particular message is spam or not, but rather to assign a degree of trust to its source. Other anti-spam systems may take this reputation into account when rendering a verdict. Reputation systems themselves are macro; they deal with the behavior of traffic from the IP or domain.

You Can’t Escape Your Past

It is simple, in theory; reputation systems consider past behavior to be predictive of future behavior, much like a credit score. If you’ve paid your bills on time in the past, you’re likely to continue to do so in the future. But remember that a credit score doesn’t consider factors like your level of education, or what kind of car you drive; a PhD with a Mercedes could have a lower credit score than a high school graduate with a Yugo. Those factors are not reliable predictors of your willingness and ability to pay a debt. Online reputation systems are much the same — you need to use relevant inputs to receive a meaningful output. In this context, “meaningful” is dependent on what is considered bad — systems that are intended to identify IPs or domains that disseminate malware will use different inputs than those intended to identify systems sending email spam.

Choosing what inputs are relevant is a large component of a reliable and useful reputation score. Some common ones are:

  • How old is the domain?
  • When and where was the domain registered?
  • When was traffic from the domain first observed?
  • How many domains have resolved to the IP in a particular quantum of time?
  • Do forward and reverse DNS lookups match?
  • Has the IP or domain name been recently listed in a blocklist?
  • Have any of your systems recently received spam or malware from this IP or mentioning this domain name?
  • Does it do what it says on the tin? That is, does mx.example.com send SMTP traffic? Does www.example.com answer on port TCP/80?
  • Are the IPs surrounding this IP good citizens, or is this a bad neighborhood? For domains, are other domains owned by the same registrant good or bad? What about the registrar?
  • Is the domain registration information privacy protected?
  • Is this IP or domain behaving consistently with how it has behaved in the past? Has there been a drastic change in volume or in the type of traffic?
  • Is the geolocation of the IP in an area known for network malfeasance?
  • Is the IP IPv4 or IPv6?
  • What ASN does the IP belong to?

Different systems can and do vary greatly in what they find germane, depending on what they’re trying to accomplish. Most commonly, these and other factors are weighted according to the creator’s goals and are regularly reviewed for efficacy and false positives. It is not unusual for a single input to become less efficacious over time and get switched out for a new, more effective metric.

Reputation Front Runners

Some reputation systems make their verdicts publicly known; the most well-known examples are Cisco’s Senderbase and Return Path’s Sender Score. Both track domain reputation as well as IP reputation. If you are monitoring your own IPs, a change in Senderbase or Sender Score is definitely worth investigating. Sometimes they can react more quickly to a malware infection than your abuse@ alias.

Mind Your P’s and Q’s

If you do have an issue, such as a malware infection or a spamming customer or business unit, what can you expect will happen to your reputation? As soon as a sensor (a server sharing data with the reputation system) sees your unwanted or malicious traffic, your reputation score will plummet. It is in your best interest to remedy the issue as quickly as possible, but don’t expect your score to recover immediately. Just like your credit score doesn’t recover immediately if you have a late payment, your reputation score can take time to rebuild. It may be tempting to decide you’ll just stop using the IP for a while, but that will starve the reputation system of new and benevolent information to drive out the bad information. Keep the IP in use even though it may be a bit of a painful process. Additionally, don’t expect a newly commissioned IP or domain to have a great reputation immediately. On the Internet, new IPs and domains are often considered guilty until proven innocent. It can take a while for good information to disseminate.
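As an added illustration (not code from the article or from Farsight), here is a toy scoring model in Python that ties together the two ideas above: a handful of the weighted static inputs from the list, plus time-decayed sensor sightings of good and bad traffic. The weights, half-life, multiplier and prior are constructed values with no tuning behind them; the point is that the model reproduces the behavior described in this section: a newly seen source starts low, one spam or malware sighting makes the score plummet, a source that goes silent drifts back toward “unknown” rather than recovering, and only continued clean traffic rebuilds trust, slowly.

```python
from dataclasses import dataclass, field

# Hypothetical weights for a few of the static inputs the article lists; a real
# system tunes these against measured false-positive rates and retires weak ones.
FEATURE_WEIGHTS = {
    "recently_blocklisted": -40.0,    # IP or domain recently on a blocklist
    "dns_mismatch": -10.0,            # forward and reverse DNS disagree
    "bad_neighborhood": -10.0,        # surrounding IPs / sibling domains are bad
    "privacy_protected_whois": -5.0,  # registration details hidden
}
HALF_LIFE_DAYS = 30.0  # how quickly a sighting loses influence (constructed)
BAD_MULTIPLIER = 20.0  # one spam/malware sighting outweighs many clean ones
PRIOR_BAD = 3.0        # presumed-bad pseudo-evidence: new sources start low


@dataclass
class Sighting:
    day: int   # day number on a constructed clock
    bad: bool  # True if a sensor saw spam or malware from this source


@dataclass
class Source:
    """An IP or domain being scored."""
    features: set = field(default_factory=set)
    sightings: list = field(default_factory=list)

    def observe(self, day, bad=False):
        self.sightings.append(Sighting(day, bad))


def decayed_evidence(src, today):
    """Sum sighting weights, halving every HALF_LIFE_DAYS, into (good, bad)."""
    good = bad = 0.0
    for s in src.sightings:
        w = 0.5 ** ((today - s.day) / HALF_LIFE_DAYS)
        if s.bad:
            bad += w
        else:
            good += w
    return good, bad


def score(src, today):
    """0 (untrusted) .. 100 (trusted): behavioral evidence plus static inputs."""
    good, bad = decayed_evidence(src, today)
    # Share of trustworthy evidence. PRIOR_BAD dominates while little is known, so
    # trust must be earned; a source that goes silent also drifts back toward
    # "unknown" because its good evidence decays while the prior does not.
    behavior = 100.0 * good / (good + BAD_MULTIPLIER * bad + PRIOR_BAD)
    static = sum(FEATURE_WEIGHTS.get(f, 0.0) for f in src.features)
    return max(0.0, min(100.0, behavior + static))
```

Because the behavioral term is a ratio, a bad sighting can only be diluted by new clean sightings, not waited out, which is exactly why taking the IP out of service does not help.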

Conclusion

I hope you now understand what reputation systems are, what they do, what kind of data they consume, and how they react to bad information. In the next article, we will talk about what kind of data you can use to build your own reputation system.

Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.

Read the next part in this series: Building a Reputation System From Available Data