Friday, January 6, 2017

Razor2 "blacklist" .. apparently that's what it is

In my last post about how spam filters really work, I talked about the use of distributed "blacklists" that are used to collaborate on blocking senders' IPs, domains, or content based on some "shared" knowledge.

Most of the "known" blacklists, i.e. services that say plainly that they are blacklisting services, are usually fed by automated honeypots (aka "spamtraps") that collect their data.

The reason automated honeypots are used is the huge amount of spam email sent each day.  I mean, think about it: there are several billion emails sent each day, and according to the latest statistics from Cisco's SenderBase online email monitoring service, about 85% of the email sent is "spam".

That is far too much for humans to read and interpret message by message, so automated honeypots are used to "flag" a sender in a blacklist, and on the other hand the sender is given the option to request removal from the blacklist in case of a false positive.

And then here comes the Razor2 engine, which is used by SpamAssassin and apparently by a large majority of email filtering platforms.

If you don't know what Razor2 is, let me refer you to some email headers generated by SpamAssassin that will give you a clue what I'm talking about.  If you've seen any of the following:

RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)

RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                          [cf: 100]

RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]

Then congratulations: you are listed in Razor2's database.. erm.. sorry.. blacklist.
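As an added example (not code from the original post), here is a small Python parser for SpamAssassin report lines of the shape quoted above and for the tests= field of the X-Spam-Status header, so a mail admin can pull the Razor2 hits and their [cf: N] confidence values out of a bounced or quarantined message. The sample report block and status line are constructed for this example; the "*  score RULE description" prefix is the layout SpamAssassin uses in X-Spam-Report, and the lone "[cf: 100]" continuation line is handled the same way the post shows it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a SpamAssassin X-Spam-Report block in the shape quoted in
# the post, with the "*  score" prefix SpamAssassin puts in front of each rule.
SAMPLE_REPORT = """\
*  1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  2.4 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
*      [cf: 100]
*  0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]
*  0.0 HTML_MESSAGE BODY: HTML included in message
"""

# Constructed sample X-Spam-Status header value for the same message.
SAMPLE_STATUS = ("Yes, score=4.5 required=5.0 tests=HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,"
                 "RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK autolearn=no version=3.4.1")

# A rule line: optional "*" bullet, optional score, an upper-case rule name, description.
RULE_LINE = re.compile(r"^\s*(?:\*\s*)?(?:(-?\d+\.\d+)\s+)?([A-Z][A-Z0-9_]+)\s+(\S.*)$")
# Razor2 confidence tag that SpamAssassin appends to the RAZOR2_CF_* descriptions.
CF_TAG = re.compile(r"\[cf:\s*(\d+)\]")
# The comma-separated list of rules that fired, from X-Spam-Status.
TESTS_FIELD = re.compile(r"\btests=([A-Za-z0-9_,]+)")


def parse_report(report: str) -> List[Dict[str, object]]:
    """Turn report lines into dicts with rule, score, desc and cf.
    Wrapped description lines (like the lone "[cf: 100]" above) are folded
    into the preceding rule; anything before the first rule line is ignored."""
    entries: List[Dict[str, object]] = []
    for raw in report.splitlines():
        m = RULE_LINE.match(raw)
        if m:
            score, rule, desc = m.groups()
            entries.append({"rule": rule,
                            "score": float(score) if score else None,
                            "desc": desc.strip(),
                            "cf": None})
        elif entries:
            # continuation line: drop the "*" padding and glue it to the last rule
            cont = raw.lstrip(" *").strip()
            entries[-1]["desc"] = f'{entries[-1]["desc"]} {cont}'.strip()
    for e in entries:
        tag = CF_TAG.search(str(e["desc"]))
        if tag:
            e["cf"] = int(tag.group(1))
    return entries


def razor2_hits(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the Razor2 rules (RAZOR2_CHECK and the RAZOR2_CF_RANGE_* buckets)."""
    return [e for e in entries if str(e["rule"]).startswith("RAZOR2_")]


def razor2_confidence(entries: List[Dict[str, object]]) -> Optional[int]:
    """Highest [cf: N] value reported by any Razor2 rule, or None if none fired."""
    cfs = [int(e["cf"]) for e in razor2_hits(entries) if e["cf"] is not None]
    return max(cfs) if cfs else None


def razor2_tests_from_status(status: str) -> List[str]:
    """Razor2 rule names listed in the tests= field of X-Spam-Status."""
    m = TESTS_FIELD.search(status)
    if not m:
        return []
    return [t for t in m.group(1).split(",") if t.startswith("RAZOR2_")]


if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    for h in razor2_hits(entries):
        print(f'{h["rule"]:28} score={h["score"]} cf={h["cf"]}')
    print("max Razor2 confidence:", razor2_confidence(entries))
    print("from X-Spam-Status:", razor2_tests_from_status(SAMPLE_STATUS))
```

Feed it the X-Spam-Report block from a message's headers and it separates the plain RAZOR2_CHECK listing from the confidence buckets; the X-Spam-Status tests= field is the quicker check when the full report is not attached.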

It's funny that Razor2's creators insist that it is not a blacklist, but a "distributed hash sharing system".
So.. here are some interesting facts to know about Razor2:


Fact #1 - Razor2 is now owned by CloudMark security

You're probably familiar with CloudMark's IP reputation check tool.  They are a huge player in the field of email security / threat protection and, of course.. spam filtering.

And it turns out that they decided to purchase Razor2, and not only that.. they also host Razor2's main query domain:


Name: discovery.razor.cloudmark.com
Address: 208.83.139.205
Name: discovery.razor.cloudmark.com
Address: 208.83.137.118
Name: discovery.razor.cloudmark.com
Address: 208.83.137.117
Fact #2 - Razor2 is a blacklist

A sender blacklist is, by definition, any distributed list of blocked IPs and/or sending domains that are used to send spam.. and that's exactly what Razor2 is.


Fact #3 - Razor2 does not offer a removal tool

Actually, in this respect I can understand.  Razor2 tends to be a reputation-based system, which means that records are "cleaned" once the offending (spam) traffic stops being sent.  Gmail and many other well-known email providers seem to work that way as well.



One unknown fact about Razor2

There is, though, one aspect of the Razor2 list that remains a mystery, and that is: who feeds this list?

Razor2 has created an Outlook plugin for reporting email to them; apparently it is fed by real humans who receive spam messages and then use this "report" plugin to send the reported hash to the Razor2 database.

On the other hand.. a question arises.. how many reports must be sent to them before they decide that a sender should be blocked?  1 report?   2 reports?   10 reports?

And the other question is.. who can guarantee that there's no person who has simply installed a honeypot with a Razor2 report plugin that automatically reports every message as it arrives?

Interesting questions indeed, which I hope someone from Razor2 could one day answer.
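To make the questions above concrete, here is an added toy model of a distributed hash-sharing list (an assumed design for illustration, not Razor2's or Cloudmark's actual algorithm, whose parameters the post says are unknown). Reporters submit a hash of the message content rather than a sender IP; the list counts distinct reporters, not raw reports; and entries age out once nobody has reported the content within a TTL, which is the automatic "cleaning" described under Fact #3. The threshold of three reporters, the 100-second TTL and the sample messages are assumptions chosen for the example. It shows why a single honeypot with an automatic report plugin cannot by itself list content when distinct reporters are required.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List


def canonical_hash(body: str) -> str:
    """Hash of the message body after collapsing whitespace and case, so that
    trivial re-spacing of the same spam maps to the same shared hash."""
    normalised = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class SharedHashList:
    """Toy distributed hash list (assumed design, not Razor2's real one).

    A hash is 'listed' once at least min_reporters distinct reporters have
    reported it within the last ttl_seconds; repeated reports from the same
    reporter count once, and old reports expire automatically."""

    def __init__(self, min_reporters: int = 3, ttl_seconds: int = 30 * 86400) -> None:
        self.min_reporters = min_reporters
        self.ttl = ttl_seconds
        # hash -> {reporter_id: timestamp of that reporter's latest report}
        self.reports: Dict[str, Dict[str, int]] = defaultdict(dict)

    def report(self, body: str, reporter_id: str, now: int) -> str:
        """Record that reporter_id saw this content as spam at time now."""
        h = canonical_hash(body)
        self.reports[h][reporter_id] = now
        return h

    def _live_reporters(self, h: str, now: int) -> List[str]:
        # reporters whose latest report is still inside the TTL window
        return [r for r, t in self.reports.get(h, {}).items() if now - t <= self.ttl]

    def confidence(self, body: str, now: int) -> int:
        """Percentage of the reporter threshold reached (0..100), like a [cf: N] value."""
        n = len(self._live_reporters(canonical_hash(body), now))
        return min(100, 100 * n // self.min_reporters)

    def is_listed(self, body: str, now: int) -> bool:
        return self.confidence(body, now) >= 100

    def purge(self, now: int) -> int:
        """Drop expired reports; return how many hashes were delisted entirely."""
        removed = 0
        for h in list(self.reports):
            live = self._live_reporters(h, now)
            self.reports[h] = {r: self.reports[h][r] for r in live}
            if not self.reports[h]:
                del self.reports[h]
                removed += 1
        return removed


if __name__ == "__main__":
    shared = SharedHashList(min_reporters=3, ttl_seconds=100)
    spam = "BUY NOW!!!   Cheap   pills   http://example.invalid/"   # constructed sample
    # One automated honeypot reporting the same message 50 times still counts once.
    for _ in range(50):
        shared.report(spam, "honeypot-1", now=0)
    print("after one reporter:", shared.confidence(spam, now=0), "% listed:", shared.is_listed(spam, now=0))
    shared.report(spam, "user-a", now=10)
    shared.report(spam, "user-b", now=20)
    print("after three reporters listed:", shared.is_listed(spam, now=20))
    # Nobody reports it for longer than the TTL: the entry cleans itself.
    print("after the TTL listed:", shared.is_listed(spam, now=200), "purged:", shared.purge(now=200))
```

The design choice worth noting is that the unit of trust is the reporter, not the report: the honeypot question above only becomes dangerous when one reporter can reach the threshold alone, and the TTL is what makes delisting automatic instead of requiring a removal tool.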

4 comments:

  1. Thanks for the article, I'll not spend more time trying to whitelist any email, so there is no way to send a removal request or similar .. to Razor2 (CloudMark)

  2. Hi,
    If we are listed in this, how long does it take for them to normally delist you, and is there a way to speed things up?

    Thanks,
    Dan

    Replies
    1. Hi Dan,

      Razor2 (aka Cloudmark Sender Intelligence, or CSI) is essentially a reputation-based blocklist; they can list the domain name you use in emails (most often) and sometimes even the IP address you're sending from.

      If they marked your IP address, I believe you can contact them (they have a web form for sending de-list requests); as for the domain, they have no option to remove your domain name from their reputation list, so you'll just have to wait at least a month or two before it is delisted automatically.

  3. How can I check which address from my domain is sending spam?
