IronPort Systems

IronPort's SenderBase Network

IronPort created SenderBase®, the world's largest e-mail traffic monitoring network. SenderBase is an open database, rapidly adopted by more than 75,000 ISPs, corporations and universities. SenderBase processes queries for more than 3 billion messages per day, providing a real-time view into the global volume of mail being sent by any given IP address. SenderBase also measures other parameters, such as whether an IP address is an open proxy, whether mail receivers are sending spam complaints about the IP address, whether its DNS resolves properly and accepts return mail, its country of origin, and its presence on a variety of blacklists.

SenderBase Network

Over 75,000 organisations participate in the SenderBase Network, enabling the world's largest e-mail traffic monitoring system.

SenderBase collects data from more than ten times the networks of competing reputation monitoring systems. This large volume represents a highly diverse group that includes the largest networks in the world. SenderBase captures data on more than 25% of the world's e-mail traffic, providing a statistically significant sample from which even low-volume mail senders can be accurately detected.

IronPort has had more than two years of operational experience managing data quality and integrity. IronPort has developed the Data Quality Engine, which assesses the quality of a given data feed by cross-correlating multiple data streams with known references or benchmarks. This system allows SenderBase to access even "dirty" data streams and still derive some value by properly weighting the data according to quality. In addition, periodic data calibrations and manual spot checks are conducted.

The final attribute of an e-mail traffic monitoring system is breadth of data. Looking at a narrow set of data can lead to high false positive rates. For example, volume is a very interesting parameter. High volumes of mail correlate very well with spam, but there are legitimate instances of high volumes, such as senders delivering breaking news alerts. Thus, if volume alone were the metric, many legitimate mail streams would be blocked. When volume is examined in addition to other parameters such as end-user complaint data, zombie characteristics and country of origin, a much more accurate conclusion can be drawn. SenderBase examines the broadest set of data in the industry, currently examining more than 50 different parameters about any given IP address.

Find out more at www.senderbase.org and the IronPort Threat Operations Center

© DVV Solutions Limited
