IP Address Reputation
By Leo Vegoda
April 5, 2022
Network operators rely on guidance from IP address experts because not all IP addresses used on the Internet are the same. The “reputation” of email senders is especially important because some are malicious users of the system. But identifying “senders” based on their email addresses or the individual IP address of a user presents issues that are unnecessarily complex.
So, for many years, the people who run the Internet’s email systems have rejected messages coming directly from the IP addresses used by home Internet connections. (There were about 1,300,000,000 wired home broadband connections at the end of 2021.) It would be difficult to maintain a database of addresses belonging to responsible users versus people (intentionally or because of virus or botnet infection) sending unsolicited bulk email, phishing, or engaged in other malicious activities.
As a result, we need to send email through dedicated systems and the system administrators use a variety of tools to measure the reputation of that smaller number of systems.
The same approach is used to monitor IP addresses for their reputation on several dimensions. Not only, “should this address be sending email?” but also geographical location, whether an IP address is infected with malware, is involved in stealing others Internet users’ identities, or an open proxy that can be used by miscreants to do any of those things.
Why is IP Reputation Important?
Deploying a new range of IP address space is more complex than just configuring those addresses on equipment and using them on the Internet.
Any significant sized range of addresses will have been used on some other network before. While a transfer to your organization will show up in the Regional Internet Registry or National Internet Registry database, propagating that change through the various types of reputation tracking systems in place is not instant or automatic.
Updating those systems about changes in management, purpose, and geography are important elements in the IP addresses your organization needs.
How IP Reputation is Scored
A sudden transition from one user and purpose to another is less likely to be successful than a careful deployment. Address space in active use immediately before being transferred may be tainted. If it sat fallow for some time before it is more likely not to be on a block list. If you’ll be using the range for the same purpose as the previous registrant, you’ll want to understand what the relevant reputation databases report about it.
Reputation tracking started for addresses that send email and that continues to be important. Good advice on how to start and stay current is available from Mailop, whose community publishes the best practices and hosts a mailing list for advice and discussion.
If your new range of address space was transferred from a different geography and will be used for consumer Internet access you will probably need to contact the companies that manage databases tracking the geographic location of IP address ranges (GeoIP). Most consumer content is licensed for specific markets and these databases help the content distribution networks implement geographic restrictions where they are required by the content owners.
If the address range was previously used in a place where they use different languages than in your region, popular platforms will need to know about the transfer, so they present interfaces using the languages your users prefer.
If you will be using your new address space for a different purpose than in the past, you will need to make sure that reputation systems know about the change, so they don’t characterize your use as unexpected and add your network to lists of blocked addresses. For instance, when an address range previously used for subscriber Internet access is repurposed for cloud servers that are likely to send email, it will need to be removed from various lists. One example is Spamhaus’s Policy Block List, which lists address ranges that should not send email.
Tools to Monitor Reputation
The Brothers WISP publishes a regularly maintained list of GeoIP databases. This is a great resource for consumer ISPs whose address space is rejected by local content distribution services, like video streaming or gaming platforms.
The Spamhaus Project maintains lists networks can use to help them decide whether to block traffic from other networks. Its lists are advisory and can be used in conjunction with other services, sometimes proprietary, to make decisions about whether to accept traffic.
The Cleanup Process
Discover the existing reputation of your new address range at the places that matter for you and update where necessary. Actively search for lists and their importance to your intended purpose. Contact the administrators and let them know about how the address range has changed registrant, and whether its geography or purpose has changed.
This will take time and you will either need to include that time in your deployment plan or manage problems with block lists and other reputation databases as they arise.
About Leo: Leo has been involved with the management of Internet Number Resources at ISPs, the RIPE NCC, and in ICANN’s IANA team. He now provides bespoke services to a number of Internet-space organizations, including Euro-IX and PeeringDB.