Esva Labs maintains a number of reputation services that are used by the Libra Esva email security appliances.
This is the list of reputation services that are currently deployed and maintained:
- Phishing Site Database
- URI Sandbox
- Graymailing Sender Reputation Database
- Malware Domains Database (includes phishing sites and compromised sites)
Libraesva makes such reputation IOCs (Indicators Of Compromise) available to third parties for free in a format that is compatible to tools like minemeld. Interested parties need to subscribe to the service (for free). Use this form to request access.
Phishing site database
It is composed of a blacklist of known phishing sites, a list of suspected phishing sites and a whitelist of safe sites.
The Libra Esva email security appliances, when configured, add a warning to links to suspect phishing sites and blocks emails with links to blacklisted phishing sites.
See the manual for instructions on how to change phishing settings in Libra Esva.
The URI Sandbox service is available to all Libra Esva appliances starting with version 4.0.
It is composed of an URL rewriting module residing on Libra Esva appliances and of a web service that analyzes in real time the content of the target web page as soon as the user clicks on the link.
See this article on our knowledge base for details on how this service works.
Graymailing sender reputation database
This is a service based on a plugin running on the Libra Esva appliances that queries in real time the Esva Labs DNS blocklist to get reputation information about the reputation of the sender domain and ip address.
The output of this module is a score that is added to all the other anti-spam scores and therefore contributes to the final score for the analyzed email.
The Esva Labs DNS blocklist contains both domains and ip classes, each entry is assigned a category (black, grey, white) based on the type of traffic.
The target of this service is to penalize gray (advertising) email traffic.
The administrator of a Libra Esva appliance can enable or disable this module on a domain basis.
Malware domains database
The list is populated by domains detected by our URI Sandbox service (currently about 50% of the blocked URLs are unknown to any other public malware domain source) and by public sources which are processed and cleaned-up in order to avoid false positives.
We also have strict expiration policies which are crucial especially for compromised sites (which are legit sites that are being abused). De-listing such sites when they are cleaned up is important in order to minimize the false positive rate.
It is easy to block a lot of threats accepting many false positives, it is easy to have zero false positives letting slip through many threats. The challenge is to minimize false positives and at the same time being very effective in blocking known and unknown threats. This is our target.
Fresh domains database
The list is populated by domains registered recently. The list is splitted into three different groups: domains registered within the last 7 days, in the last 14 days and in the last 28 days.
The list is automatically kept up-to-date with the current domains being registered already listed domains are re-categorized according to their age.
Fresh domains are frequently used to deliver spam, phishing and malware.
Our reputation services gather many different inputs:
- Our collaborative false-positive and false-negative reporting system (see the manual for more information). Systems administrators can submit samples of emails that deliver spam/phishing/malware/virus, such samples are analyzed in real time by our analysts. This blend of human expertise and information automation is one of the main contributors for adjusting reputation levels in all of our reputation services.
- Public information processing. We query a number of public services to get information about domains, IP classes, public white and black lists. We programmatically correlate all the available information to provide a reliable contribution to the reputation score.
- In addition to the previous information sources, heuristics on web site behavior are run every time our URI sandbox is activated. the target of these heuristic checks is to detect dangerous content even when it is not already known. The system learns from the heuristics and, learning the relationships between sites and domains, calculates an accurate website reputation score.
- Detectors and spamtraps. We also use these traditional methods even though they are becoming less important every day.
Blacklist lookup tool
This lookup tool checks to see if an IP address or a domain you enter is currently listed in the live Libraesva blacklists.
We provide a way to request and adjustment of our reputations scores.
If you believe that your website or domain or ip class has been wrongly penalized, you can file a removal request to ask for a review.
Removal requests are usually analyzed within 24 hours. Multiple requests will be ignored.
Request access to the Indicators Of Compromise
The Idicators Of Compromise (IOCs) described above are available to third parties who wish to use them. The access if free (no fee required) but we require interested parties to register in order to access the service.