In a world of increasing SPAM, IP reputation has become a must-know statistic if you want to be able to send an email to a customer, prospect or even grandma. So if you are running an ISP, as we are, maintaining a good IP reputation isn’t some nice frill that makes you feel good, it’s a necessity. The problem is, no one wants to tell you what the reputation is. Sure, you can monitor the hundreds of various block lists out there, and probably should, but that only tells you when the IP’s reputation has reached a critical low. Luckily, most big email providers are turning to ReturnPath to handle their spam complaints, feedback loops, and all those other tedious tasks that need handling when dealing with customer-level email delivery. This places ReturnPath in a unique position where they can monitor, generate, and, more importantly, display the reputations of our IPs.
And so they do. Enter SenderScore.
When you plug a random IP address into SenderScore, say 65.54.190.91 (bay0-omc2-s16.bay0.hotmail.com, a Hotmail SMTP server), you get a page that looks like so:
This gives us a plethora of information (Jefe, do you know what a plethora is?). First, it gives us the Sender Score itself, in this case 78. 100 is perfect, so this gets a C+. Not good, but not horrible either. There is a bunch of other info too, but the trackable and important ones are found in the Reputation Measures. This table shows us the components of what makes up our Sender Score.
You can see an explanation of these numbers on the SenderScore FAQ page, but for convenience, here they are:
- Complaints: This score represents how complaints about that IP address compare to all other IP addresses observed by the Sender Score Reputation Network. Complaint rates are calculated as complaints divided by accepted mail and complaint scores are a rank based on your complaint rates.
- Volume: Volume is not in itself good or bad, but is an important part of the overall reputation algorithm: for example, an IP address which sends 100 messages and receives 99 complaints is problematic, while an IP address which sends 100,000 messages and receives 99 complaints is probably okay. A higher score equates to larger volume monitored by the Sender Score Reputation Network.
- External Reputation: This score shows how the IP address compares to all other IP addresses seen by the Sender Score Reputation Network on a variety of external blacklists and whitelists.
- Unknown Users: This score represents the rank of the IP address’s unknown user rate compared to all other IP addresses seen by the Sender Score Reputation Network. Unknown user rates are taken directly from incoming SMTP logs of participating ISPs, tracking how often an IP address attempts to send a message to an address which does not exist.
- Rejected: This represents how often messages are rejected (bounced due to some policy reason, usually spam filtering or blacklisting) compared to other IP addresses seen in the Sender Score Reputation Network.
Now this is all great, but when you have 60,000 IPs, entering them one at a time into this site is not feasible. We can screen scrape it, but that will only work until they change their layout. There is another option. A better option.
For those familiar with how DNSBLs work, this will be very familiar. For those that aren’t, this is pretty easy to pick up. The creators of black lists needed a fast, reliable, existing API methodology for finding out if an IP address is blacklisted or not. Usually this was taking place while one server was waiting for another, so it had to be very quick. They chose the DNS architecture since it is very good at finding IP listings quickly. Here is how you query it.
- Take the IP address and reverse it. Our example 65.54.190.91 becomes 91.190.54.65. (why we do this goes beyond the scope of this article, sorry.)
- Add the DNS zone to the end. There are 5 DNS zones that SenderScore has, at least that I know of. They are:
  - cmplt.rating.senderscore.com (our example becomes 91.190.54.65.cmplt.rating.senderscore.com) used to find the Complaint Index
  - filtered.rating.senderscore.com (our example becomes 91.190.54.65.filtered.rating.senderscore.com) used to find the Filtered Index
  - score.senderscore.com (our example becomes 91.190.54.65.score.senderscore.com) used to find the SenderScore itself
  - uus.rating.senderscore.com (our example becomes 91.190.54.65.uus.rating.senderscore.com) used to find the Unknown User Index
  - vol.rating.senderscore.com (our example becomes 91.190.54.65.vol.rating.senderscore.com) used to find the Volume Index
- Now do a normal DNS query on those “hosts”:

      -bash-3.2# host 91.190.54.65.cmplt.rating.senderscore.com
      91.190.54.65.cmplt.rating.senderscore.com has address 127.0.4.97
      -bash-3.2# host 91.190.54.65.filtered.rating.senderscore.com
      91.190.54.65.filtered.rating.senderscore.com has address 127.0.2.8
      -bash-3.2# host 91.190.54.65.score.senderscore.com
      91.190.54.65.score.senderscore.com has address 127.0.4.78
      -bash-3.2# host 91.190.54.65.uus.rating.senderscore.com
      91.190.54.65.uus.rating.senderscore.com has address 127.0.3.84
      -bash-3.2# host 91.190.54.65.vol.rating.senderscore.com
      91.190.54.65.vol.rating.senderscore.com has address 127.0.1.100

The last number of the return “IP” is the value you are looking for.
So there you have it. Most any language that I know of has the ability to do DNS lookups, so just extract the last number, store it in a database and track it!
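The lookup steps above as a small Python script (an added example, not code from the original post). It assumes every valid reply has the 127.0.x.y shape seen in the transcript, and it ships a stand-in resolver, `offline_resolve`, that serves the transcript's answers; leave `resolve` at its default to query live DNS.

```python
import ipaddress
import socket

# The five zones listed in the article.
ZONES = {
    "score": "score.senderscore.com",
    "complaint": "cmplt.rating.senderscore.com",
    "filtered": "filtered.rating.senderscore.com",
    "unknown_user": "uus.rating.senderscore.com",
    "volume": "vol.rating.senderscore.com",
}
# Answers copied from the article's `host` transcript, keyed by zone label,
# so the example runs without network access.
ARTICLE_ANSWERS = {"score": "127.0.4.78", "complaint": "127.0.4.97",
                   "filtered": "127.0.2.8", "unknown_user": "127.0.3.84",
                   "volume": "127.0.1.100"}

def query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, DNSBL style."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def parse_answer(answer):
    """Return the last octet, or None when the answer is not 127.0.x.y
    (assumed reply shape; drops addresses injected by rewriting resolvers)."""
    try:
        octets = ipaddress.IPv4Address(answer).packed
    except ValueError:
        return None
    return octets[3] if octets[:2] == b"\x7f\x00" else None

def offline_resolve(name):
    """Stand-in resolver (hypothetical helper) serving the article's answers."""
    for label, zone in ZONES.items():
        if name == query_name("65.54.190.91", zone):
            return ARTICLE_ANSWERS[label]
    raise socket.gaierror("no such name")

def lookup(ip, resolve=socket.gethostbyname):
    """Query all five zones; a failed lookup (e.g. NXDOMAIN) maps to None."""
    results = {}
    for label, zone in ZONES.items():
        try:
            results[label] = parse_answer(resolve(query_name(ip, zone)))
        except OSError:
            results[label] = None
    return results

if __name__ == "__main__":
    print(lookup("65.54.190.91", resolve=offline_resolve))
```

Storing `None` rather than 0 for a failed or malformed answer keeps "no data" distinct from a genuinely low score when the values are tracked over time.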