Richi'Blog
Stuff 'n' nonsense about email, spam, travel, and life in the UK.

Friday, May 25, 2007

Locally-Maintained Reputation

In response to yesterday's blog post, Cisco DE Jim Fenton* wrote:
"reputation can be locally-maintained. Local reputation is not as powerful as shared reputation services, but does provide benefit in the short term."
Yes, that's right. Local domain reputation is often expressed in terms of whitelists and blacklists. Without sender authentication, these are notoriously unreliable.

It nicely illustrates one of the benefits of authentication.

For example, users of anti-spam filters sometimes find their colleagues' email in the quarantine, so they add a wildcard whitelist entry for their domain. They soon discover that a significant chunk of spam will have their domain forged into the sender address. Without sender authentication, there's not a lot that can be done about this.

However, with sender authentication, you can have a whitelisted domain entry that only allows the message a free pass if the authentication passes -- otherwise the normal spam filtering rules apply.

You could even impose a local policy that says if a message "from" our domain fails authentication, we'll reject it as spam, but this is probably too risky, at least in the early stages of deployment.
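The policy described above, sketched as an added example that is not part of the original post. It assumes the local MTA records DKIM/SPF outcomes in an Authentication-Results header; the authserv-id, the domains and the function names are all illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: our border MTA stamps Authentication-Results with
# this authserv-id and strips any inbound header that already claims it.
TRUSTED_AUTHSERV = "mx.example.org"
WHITELIST = {"example.org", "partner.example"}  # constructed local whitelist
OWN_DOMAINS = {"example.org"}

# Picks out e.g. "dkim=pass header.d=example.org" or "spf=pass smtp.mailfrom=a@b.example"
RESULT_RE = re.compile(
    r"\b(dkim|spf)=(\w+)[^;]*?\b(?:header\.d|smtp\.mailfrom)=(\S+?)(?=[;\s]|$)", re.I)

def authenticated_domains(msg):
    """Domains that passed DKIM or SPF according to headers written by our own MTA."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # stamped by someone else, so sender-controlled: ignore
        for _method, result, ident in RESULT_RE.findall(results):
            if result.lower() == "pass":
                passed.add(ident.rsplit("@", 1)[-1].lower())
    return passed

def decide(raw_message, strict_own_domain=False):
    """Return 'bypass', 'filter' (normal spam rules) or 'reject'."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    # The pass must be for the From domain itself (exact match), not any domain.
    authed = from_domain in authenticated_domains(msg)
    if from_domain in WHITELIST and authed:
        return "bypass"
    if strict_own_domain and from_domain in OWN_DOMAINS and not authed:
        return "reject"  # the riskier local policy; off by default
    return "filter"

# Constructed sample messages.
GENUINE = ("Authentication-Results: mx.example.org; dkim=pass header.d=example.org\n"
           "From: Alice <alice@example.org>\nSubject: minutes\n\nhi\n")
FORGED = ("Authentication-Results: mx.example.org; dkim=pass header.d=bulk.example\n"
          "From: alice@example.org\nSubject: cheap pills\n\nbuy\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, decide(raw), decide(raw, strict_own_domain=True))
```

The forged sample shows why the check compares the authenticated domain with the From domain: a valid signature for some other domain earns no free pass.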

* - well, they claimed to be "Jim Fenton" and I assume it's that Jim, but perhaps it was a dog


Monday, January 08, 2007

More About Why Cisco Bought IronPort

As I mentioned last week, Cisco bought IronPort for $830 million.

Clearly IronPort's reputation data is part of the prize for Cisco. Perhaps the PostX email encryption technology will also be useful (IronPort bought PostX last year). Perhaps some enhanced competition for Identum and Voltage? Alternatively, I fear that Cisco may let this stuff wither on the vine -- PostX customers should be concerned and watch closely.

An interesting question is what will happen (if anything) with SpamCop. IronPort deliberately ran SpamCop at arm's length as a matter of policy. It's not clear whether Cisco will maintain that policy. SpamCop is of course part of the raw data feeding into IronPort's reputation database, along with the data phoned home by the IronPort boxes.

As we saw with the BlackSpider acquisition by SurfControl, spam control companies that aggregate lots of data about spam sources are valuable, for reasons in addition to spam control. For example, if a zombie is sending spam, it's also probably a potential source of other bad stuff, such as worms and distributed denial of service attacks.

See also: my roundup of blogger reaction to this story in Friday's IT Blogwatch.


Thursday, January 04, 2007

Anti-Spam Market Consolidation Continues -- Cisco Buys IronPort

Today, Cisco announced that it has acquired IronPort Systems for $830m in cash and stock.

Cisco is of course well-known for its "growth by acquisition" strategy, and was notably lacking in solutions for email hygiene. It makes sense for it to buy an appliance vendor.

IronPort and CipherTrust have been the appliance market leaders for some time (albeit challenged by the appliances launched by large, conventional software vendors such as Sophos and Symantec). CipherTrust was of course bought by Secure Computing in 2006, thus leaving Cisco with an obvious choice.

Will we look back at 2007 as the year of spam control market consolidation? We've certainly seen some significant M&A activity in previous years, but there's still plenty of scope for your vendor to be acquired or run out of VC money.

[Edit: it's now officially $830m, not $850m as I was originally advised by IronPort]

