WatchGuard Technologies, Inc.

How do I clear my history?
Having your information recorded by our reputation service does not mean you will have problems sending email. Unlike most reputation services, WatchGuard ReputationAuthority takes both good and bad mail into account. If your reputation is Neutral (a value of 58) or lower you will not have problems. This reputation value will change based on your behavior. If the observations uploaded to ReputationAuthority cause the reputation to increase by more than 8 percent, you will be provided with the option to clear your history on our Reputation Lookup page. Note that a reputation may be above 58 based on additional data (such as third-party DNS Block Lists), but the option to clear will still not be provided if the uploaded data is not significant enough.

Clearing the history does not remove your IP address or whitelist it. Your reputation will continue to change based on subsequent observed behavior of messages originating from your address.
I am just trying to send mail, I am not a spammer.
It is possible that your mail is routing through a system that has sent a large amount of undesired mail, and some of our customers are choosing to block all mail from that system. In most cases, you do not have any other choice but to send through that system (generally it is the SMTP server your ISP or company provides). We suggest you contact the support person or administrator of your SMTP server, and provide the URL you received in the mail that bounced back to you, such as http://reputationauthority.org/lookup?ip=xxx where xxx is the IP address of your SMTP server. In the event that it is urgent and you cannot get a response from them, you can clear the reputation history.
Does your service monitor Domain or IP information?
The ReputationAuthority monitors both Domain and IP information. It monitors overall behavior for every active IP address and, in addition, the behavior for any domain that sends from each IP address. If you enter data in the Domain field you will be given statistics for the domain within the one IP address, and not the domain in general. The net reputation value will be shown for the domain originating from the IP address. Not all domains need to be monitored and the system may not have any information for a domain from within an IP address.
What is the difference between "Domain" behavior and "IP reputation"?
Domain behavior measures the behavior of each different sender's domain at each IP address. For example, if user@example1.com sends email from the same server as user2@example2.com, the behavior of those two domains will be tracked separately for that IP address. Subsequent mail sent from the same IP address from example1.com will be compared to the history for example1.com only, and not affected by behavior from example2.com. If there is insufficient observed data for example1.com, the domain reputation will be averaged with the overall IP reputation.

Can you remove our IP from your blacklist or, alternatively, whitelist our server?
The ReputationAuthority provides a reputation score for each IP address to our customers. It is based on automated anti-spam and anti-virus analysis of data sent previously from the IP address to our WatchGuard XCS customers. This information is uploaded automatically by the servers to the ReputationAuthority and is not based on customer opinions. This uploaded information is augmented by consulting DNS block lists (DNSBLs).

Within a reputation service, IP addresses remain on the list forever, regardless of the score. They do not get blocked unless the reputation is currently above a certain threshold. Reputations range from 0 (excellent) to 50 (neutral) to 100 (bad). A reputation for one IP address moves closer to a "bad" level if the past behavior (based on results of email scanning) has been predominantly poor. If the IP address is listed on one or more DNSBLs, this also affects the reputation. If the behavior has been good it will improve the score. Customers can reject messages at various thresholds, typically 70, 90 or 99. Other customers do not block at all based on ReputationAuthority data.

You can clear the upload history to return the reputation to a neutral (50) status at http://reputationauthority.org/lookup?ip=xxx where xxx is the IP address of your MTA (SMTP server). You will be emailed a link to clear the reputation history. It will also show why the address is listed (what systems detected spam and when), which is what is causing the poor reputation. Note this does not affect DNSBL listings or their effect on the reputation. In some cases we do not offer the ability to clear the history. In this case our customers have observed predominantly good behavior, and clearing the history would adversely affect the reputation.

When your IP is listed on a DNSBL you must clear it with that organization. Links are provided at the URL mentioned previously. WatchGuard cannot contact the DNSBL on your behalf, nor can we obtain information on why you were listed.
This is not a dynamic IP, or our reputation is OK. Why are we blocked?
Some customers also reject all dynamic IPs (such as Dial-Up Lines [DUL]) regardless of their reputation. These are IP addresses that can change, such as the leased addresses used by most cable modem and phone modem systems. The DUL status is listed at the URL mentioned previously. If you feel your IP is listed as dynamic but it is static, you must use the link provided. We cannot help change that status.
We run a well maintained, secure server. Your system is in error. We are not on any other DNSBL, you must be wrong. We do not spam.
We readily believe that your server is well maintained and we know good mail comes from your system. This is true for almost everyone that contacts us. But bad things do happen to secure systems, and one little issue can have a greater effect. It is not uncommon that we notice a problem with your system first.

For the reputation to get to a level where it gets rejected by some customers, there has to be a lot of evidence from multiple contributing sites, and the total amount of undesired mail has to be a majority. A reputation of 70 or more always has a strong reason. During the process of clearing the history you are provided with information supporting the claims. It is surprisingly common to get blocked - it can happen to most systems sooner or later.

It is not unusual that an IP address has a poor reputation but is not on another DNSBL. Our service has some unique aspects, in terms of detection abilities and also the speed with which it adapts to observed behavior. We have thousands of IPs at any moment that are in this category.
Our mailing lists are sent to people that have subscribed.
In most cases, we are counting true spam messages sent because of an exploit or abuse that is not a reflection of your mailing list service. Legitimate bulk mail does not normally trigger a spam rating with our system, and a few false positives will not get the reputation to a reject level. Please examine the information in the email sent to you, as it will probably reveal an unexpected issue.
We want more information, such as full headers of the messages.
Please review the information provided when clearing the history first. It shows partial IP addresses that received mail, the date/time, and the scanning result. Most administrators can utilize these with careful searches of their log files to find the problem. This is more information than most DNSBLs will provide. As we get only summary information from our customers, we cannot obtain or provide detailed information without their involvement, which costs effort and time. We would only do this in exceptional circumstances.
We do not agree with counting Non-Delivery Report (NDR) mail as spam.
NDR spam is a deliberate use of backscatter spam where spammers relay mail by sending to unknown users at your site, using forged senders that are their actual targets, and relying on your mail system to bounce the mail to the forged sender with the original message body. Although it is not an open relay, from the spammer's point of view it is a relay because the message gets delivered. This method of spamming is so common today that it has become necessary to rework the bounce mechanism. There are three solutions people commonly choose:

1) Reject unknown users when they are provided to your system, instead of accepting and bouncing the message. There are many solutions for various mailers available (often employing LDAP user lookups). This solution has the added advantage that other forms of backscatter do not clog outbound mail queues.

2) Do not put the original email in the bounced message body. This removes the spammer's incentive, and even if they do not stop bouncing mail off your system for many months, the mail that arrives at our customers is generally not detected as spam. This is often used as a temporary measure.

3) Purchase a commercial MTA such as the WatchGuard XCS appliance, which offers solutions for this issue and many other exploits.
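
The effect of solutions 1 and 2 on backscatter can be seen in a small simulation. This is an added example, not WatchGuard code: the Mta class, the addresses and the traffic are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed directory and traffic; the example.* names are placeholders.
VALID_USERS = {"alice@example.org", "bob@example.org"}
FORGED_SENDER = "victim@example.net"      # forged envelope sender = real target
TRAFFIC = [
    (FORGED_SENDER, "nobody1@example.org", "BUY-NOW payload"),
    (FORGED_SENDER, "nobody2@example.org", "BUY-NOW payload"),
    ("carol@example.com", "alice@example.org", "lunch?"),
    ("", "nobody3@example.org", "bounce of a bounce"),   # null sender <>
]

@dataclass
class Mta:
    reject_at_rcpt: bool = False      # True = solution 1
    include_original: bool = True     # False = solution 2
    ndr_queue: list = field(default_factory=list)

    def receive(self, mail_from, rcpt_to, body):
        """Return the SMTP reply code the connecting client sees."""
        if rcpt_to.lower() in VALID_USERS:
            return 250
        if self.reject_at_rcpt:
            return 550                # refused in-session, nothing is queued
        if mail_from:                 # never bounce to the null sender
            text = f"Delivery to {rcpt_to} failed."
            if self.include_original:
                text += "\n--- original message ---\n" + body
            self.ndr_queue.append((mail_from, text))
        return 250                    # accepted now, bounce generated later

def backscatter(mta):
    """Replay TRAFFIC; return (NDRs sent to the forged sender, NDRs carrying the payload)."""
    for mail_from, rcpt_to, body in TRAFFIC:
        mta.receive(mail_from, rcpt_to, body)
    to_victim = [text for to, text in mta.ndr_queue if to == FORGED_SENDER]
    return len(to_victim), sum("BUY-NOW" in text for text in to_victim)

if __name__ == "__main__":
    print("accept then bounce:", backscatter(Mta()))
    print("solution 2:", backscatter(Mta(include_original=False)))
    print("solution 1:", backscatter(Mta(reject_at_rcpt=True)))
```

With solution 2 the forged sender still receives bounces, only without the spam body; with solution 1 no NDR leaves the system at all.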
Why do you count NDR mail as spam?
NDR mail with spam in the body is spam according to our customers, and according to the anti-spam features. It has to be treated as spam, even though it is an RFC compliant mail that originates from your MTA.
We run a smart relay host, and we have to relay spam.
Our customers that use your service can identify your IP address as an allowed relay. This means they will not report your IP as the source of any mail. Please contact either the IPs listed in the Clear History process, or if that does not reveal the problem, contact us. Our customer support can request this on your behalf.
Can you notify me before the reputation gets to a reject level?
Yes, you can sign up for ReputationAuthority alerts. It is an effective tool that allows you to quickly notify administrators of potential issues.
Do you count non work-related email as spam?
No. It is a primary goal of any anti-spam system not to flag personal email, whether it is condoned or not. Our customer systems have no idea if your site has a policy against personal mail.
Your system indicates a Directory Harvest attack. Why?
Some of our customers upload information about mail received for unknown and known users. If a large percentage is unknown, we report it as a directory harvest attack (DHA). You may not be deliberately doing so, but the mail coming from your system could be feeding back to spammers through an exploit. In some cases, a poor ratio is just an indicator of spammers who are very sloppy - they have poorly maintained lists of email addresses. Sometimes they are deliberately attempting to determine what addresses are valid. This can be performed through a compromised network, and in effect you may be helping them in their effort.
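
An administrator can look for the same signal in outbound delivery logs to find which internal origin is responsible. The following is an added example, not part of ReputationAuthority: the log format, the addresses, and the min_attempts and max_ratio thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed outbound delivery log: timestamp, internal origin, recipient,
# and the remote server's final reply code. 550 is treated as "unknown user".
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 ann@partner.example 250
2024-05-01T10:00:09 10.0.0.5 raj@partner.example 250
2024-05-01T10:01:30 10.0.0.5 lee@vendor.example 550
2024-05-01T10:02:11 10.0.0.5 kim@vendor.example 250
2024-05-01T10:03:45 10.0.0.5 sam@client.example 250
2024-05-01T10:04:00 10.0.0.9 aaron@target.example 550
2024-05-01T10:04:00 10.0.0.9 abby@target.example 550
2024-05-01T10:04:01 10.0.0.9 adam@target.example 250
2024-05-01T10:04:01 10.0.0.9 adele@target.example 550
2024-05-01T10:04:02 10.0.0.9 adrian@target.example 550
2024-05-01T10:04:02 10.0.0.9 agnes@target.example 550
2024-05-01T10:09:10 10.0.0.7 old@former.example 550
2024-05-01T10:09:12 10.0.0.7 gone@former.example 550
"""

def unknown_recipient_ratios(log_text):
    """Per origin: (attempts, fraction of recipients refused as unknown)."""
    attempts = defaultdict(int)
    unknown = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                  # skip malformed lines
        _ts, origin, _rcpt, code = parts
        attempts[origin] += 1
        if code == "550":
            unknown[origin] += 1
    return {o: (n, unknown[o] / n) for o, n in attempts.items()}

def suspected_harvest_sources(log_text, min_attempts=5, max_ratio=0.5):
    """Origins with enough volume and a majority of unknown recipients."""
    ratios = unknown_recipient_ratios(log_text)
    return sorted(o for o, (n, r) in ratios.items()
                  if n >= min_attempts and r > max_ratio)

if __name__ == "__main__":
    print(suspected_harvest_sources(SAMPLE_LOG))
```

The min_attempts floor keeps a low-volume origin with a couple of stale addresses (10.0.0.7 in the sample) from being flagged alongside the origin that is mailing mostly nonexistent users.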
Does your system only count spam and clean mail?
The ReputationAuthority receives information on spam, viruses, malformed, known and unknown recipients, and other metrics. Reputations are computed from a combination of this data and third-party DNSBL information.
Do WatchGuard customers receive special treatment on ReputationAuthority? Do you whitelist anyone? Can a reputation be bought?
No. WatchGuard customers are not automatically whitelisted in the ReputationAuthority system. All IP addresses and domains are treated equally by ReputationAuthority, and are scored using the same criteria.
Is there a limit on the number of times we can clear the reputation history?
Yes. We offer the Clear History feature to help you while you figure out the problem but we will not allow it indefinitely. There is a limit per IP address and also a limit per person.
How do I contact support?
If you have already cleared your reputation history, and still require support (or wish to send us your feedback), you may contact ReputationAuthority support. You should receive a response within 24 hours.
