Threat Intelligence Services: IP Reputation

The challenge to keep unwanted network traffic outside the network perimeter is never-ending. Spammers and hackers continually evolve and change their methods to evade traditional perimeter security solutions.

Messaging security vendors can now achieve unprecedented performance and detection levels, blocking zombie traffic before it enters customer networks. Utilizing the world’s most comprehensive email security network—Cyren’s GlobalView™ Cloud—our embedded IP Reputation real-time analysis will:

  • Identify hundreds of thousands of new zombies (compromised accounts and host computers) everyday
  • Continuously track traffic from tens of millions of IP addresses
  • Accurately classify billions of email messages per week in real-time

A global view of reputation

Cyren’s GlobalView Cloud compiles both historical and up-to-the-minute sender reputation data from highly diverse traffic sources in every country, with coverage from managed services and network hardware devices to desktop software. Our patented Recurrent Pattern Detection™ technology automatically aggregates this high-level view of all senders, distinguishing in real time between legitimate corporate senders, valid publishers, zombies, and spammers/malware distributors.

The scale of the ‘zombie’ problem

The following illustrates the scale and scope of the challenge posed by compromised (zombie) host computers:

  • Zombies send 85% of all spam, an estimated 120 billion messages a day
  • Around 200,000-500,000 zombies ‘come alive’ everyday
  • A typical zombie botnet sends up to 1 billion messages in a few hours
  • There are typically 10,000–200,000 zombies in a single botnet
  • 5–10 million zombies are active on any given day

Why use Cyren’s IP Reputation Service?

  • Quickly and easily expand your messaging security solution breadth and value
  • Maintain customer loyalty by improving service levels
  • Improve sales margins by adding solution value
  • Reduce your customers' operational overhead and enable higher throughput for their systems

How it works

A partner device identifies an incoming SMTP connection request. The device then queries IP Reputation for information about the sending IP address. Based on the results from the GlobalView Cloud, the connection is accepted, tempfailed, permfailed, or throttled.


  • Real-time botnet detection—under a minute from start of attack
  • High accuracy assessment based on Cyren’s GlobalView Cloud:
    • 80+ vendor networks, spanning 190 countries
    • Sources: firewalls, messaging appliances, desktop software, xSPs
  • Aggregate attributes: DNS info, geography, dynamic IPs, public RBLs, etc.
  • Decision Manager increases zombie protection, minimizes False Positives:
    • Dynamic time windows for temp—failing and accepting connections
    • Built-in rate limiting
  • Rich data set provided per IP, including:
    • Recommended action: block, throttle, allow
    • IP class—classifies IP into actionable classes
    • IP Risk level—Likelihood of message being unwanted: 0–100
    • Volume and volume spikes
    • Spam ratio and spam ratio spikes
    • Valid bulk data (e.g. newsletters)


  • Supports standard Mail Transfer Agent (MTA) platforms
  • Designed for high-scalability—over 4000 messages/second
  • Multiple deployment options: local daemon for built-in caching and failover (Linux, FreeBSD, Solaris and Windows)
  • HTTP, UDP, and RBL/RBL+ interfaces available
  • Cloud access via UDP—no software installation required
Last updated: 2016