
Why Does My IP Address Have a Bad Reputation? And What Do I Do?

Question: I found on Cisco’s Talos blog that my email reputation is “poor.” Apparently my IP address has been sending lots of email. But I haven’t! I have several computing devices: macOS 10.13.4, Windows 8.1 fully updated running Avast Free with weekly scans and a recent boot-time scan; MalwareBytes free with recent full “threat scan.” My wife uses a Chromebook (up-to-date). I use an iPad 2 and an iPhone 7 (both running iOS 11). Sometimes I use older iPhones (a 4S and a 5S). I have no IoT devices other than the router, a Pepwave Surf SOHO MK3. Pepwave says their routers are not affected by VPNFilter. I use a VPN most of the time on my portable devices, even at home. But not the Windows machine. Sometimes my Windows machine slows down, then recovers. My Windows hard drive often runs and runs. Other times, it times out, as expected. My ISP is TimeWarnerCable. I’m surprised they haven’t contacted me. Is there something I can do to detect outgoing traffic (including, but not restricted to, spam)?

I think it’s very unlikely you are sending spam. Possible, sure, but based on your description, you seem to have things well in hand.

It’s important to realize that you are not necessarily your IP address.

It’s also important not to read too much into anyone’s reputation report.


Reputation report

The Cisco Talos reputation center is an interesting service. Enter an internet IP address and it will tell you an assortment of information about it, including a rough idea of where it is, which ISP owns the IP address, and more.

Here’s a look at the reputation of my own IP address here at home.

[Image: IP Reputation Report]

You can see that Comcast is my ISP, that the IP address is associated with Redmond, WA (about five miles south of my location), and that my email reputation is “poor”.

Wait. What? Poor?

Yes, my reputation, like yours, is poor.

But it’s nothing to worry about.

Email reputation

If you look more closely at the report, you’ll also see that the Email Volume is 0, and that there’s been no spam sent for the last month. (The same is true for the report sent with the question.)

My interpretation of my “poor” reputation is simply this:

  • Lack of information (i.e., there’s no email recorded as coming from my IP address) is a negative thing.
  • That I’m on a dynamic rather than static IP is a negative thing.
  • That I’m not actually a hosting company, but rather an individual home or small business, is a negative thing.

Looking at it another way, since there’s nothing really good to say about my IP address, the default is to classify it as “poor”. We’ll see why in a moment.

But I do send email

The most confusing thing is that the email volume shown for the last month is zero.

[Image: My Email Volume]

Trust me, I send email. Between my wife, myself, and others, we send a lot of email.

The difference is that our computers don’t act like mail servers. Email from our computers is sent to exactly one location: our email service provider. When we send email using a program on our computers:

  • The program connects to our email provider using the SMTP settings we’ve configured.
  • It authenticates that we have an account with that email provider.
  • The provider accepts the mail we have to send.
  • The provider then sends each individual message on to its final destination.

(If you use your web browser to send email using webmail services — like Outlook.com, Gmail, Yahoo! Mail, or others — your computer and your IP address aren’t sending email at all. You’re just viewing and interacting with web pages. All the emailing happens on servers belonging to the webmail service.)

As far as reputation services go, you’re not sending email at all — not directly. Your email service provider is doing it for you.

It’s not your IP address (for long)

Unless you’ve made special arrangements with your ISP (which usually involves paying them extra money), your IP address is “dynamic”, which means it changes from time to time.

When you get a new IP address, you inherit the reputation of whoever was using it before you. Depending on how frequently the IP address changes, that could include the reputation of whoever had it before them, and before them, and before them, and so on.

In the world of spam detection and reputation, dynamic IP addresses have poorer reputations because there’s less accountability. Any misbehavior you perform on today’s assigned IP address could be harder to track down if your IP address changes tomorrow.

This is not an issue, though, since you’re not a mail server. You’re sending email to only one location: your email service provider. It’s their reputation that matters. This is why you had to configure your SMTP settings with your account username and password: your email program has to log in when sending your email to them for delivery. Your email provider needs to know you’re a customer and not a random spammer. Even if you do start sending spam, they know exactly which account — not IP address — to blame it on.

An email server in your home

If you did, indeed, run your own email server in your own home (or place of business), the reputation of your IP address might come into play. The servers to which your mail server would connect would use that information to help determine whether the email they receive from your server should be classified as spam or blocked altogether.

But you don’t run an email server. At most, you run an email program, like Thunderbird, or Microsoft Office Outlook, or something similar, which is configured to send email through your ISP or other email service provider. It’s their email servers you actually use.

And they’re the ones whose reputation matters.

Why “poor” is good

In 99% of all homes, and probably even most small businesses, email shouldn’t be sent from your IP address directly. It should go through your email service provider or ISP.

If email did start coming directly from your IP address, that could well be a sign of a problem. “Poor” is the right way to characterize the reputation. Any email server receiving email directly from your IP address and not another email server should seriously consider treating it as spam.

And stopping spam is a good thing.

What I do

While all the information about an IP address can be interesting, I ignore the reputation of whatever my currently-assigned home IP address might be. It simply doesn’t apply — especially when the email volume is zero, which is exactly what I’d expect for almost all homes.

If, on the other hand, the email volume was listed as something other than zero, I might look more closely. That could be a sign that malware on my machine was sending email. Even then, I’d reserve judgement and not panic until I understood the situation more clearly.
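As an added example (not part of the original article), here is one way to look for the warning sign described above: a device on the home network delivering mail directly to other servers instead of handing it to the email provider. The log format, the addresses, and the `PROVIDER_SERVERS` list are constructed assumptions; the port numbers are the standard SMTP ones (25 for server-to-server delivery, 587 and 465 for authenticated submission) and do not come from the article.

```python
import re

# Constructed sample: simplified outbound-connection log lines from a home
# router. The format is hypothetical; adapt the regex to your device's log.
SAMPLE_LOG = """\
2018-06-12T08:01:10 OUT TCP 192.168.1.20:51514 -> 203.0.113.10:587
2018-06-12T08:01:12 OUT TCP 192.168.1.21:51620 -> 203.0.113.10:465
2018-06-12T08:03:44 OUT TCP 192.168.1.30:49822 -> 198.51.100.7:25
2018-06-12T08:03:45 OUT TCP 192.168.1.30:49823 -> 198.51.100.99:25
2018-06-12T08:03:45 OUT TCP 192.168.1.30:49824 -> 192.0.2.55:25
2018-06-12T08:04:02 OUT TCP 192.168.1.20:51720 -> 192.0.2.80:443
2018-06-12T08:05:00 OUT TCP 192.168.1.22:50001 -> 198.51.100.200:587
"""

PROVIDER_SERVERS = {"203.0.113.10"}  # assumption: your provider's SMTP server IP(s)
RELAY_PORT = 25                      # server-to-server SMTP delivery
SUBMISSION_PORTS = {587, 465}        # authenticated submission by mail programs

LINE_RE = re.compile(
    r"^\S+ OUT TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def classify(log_text):
    """Return (direct, odd): dicts mapping internal host -> set of destinations.

    direct: port-25 connections to servers other than the provider, i.e. the
            host is acting like a mail server.
    odd:    submission-port connections to servers not on the provider list.
    """
    direct, odd = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not outbound TCP records
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if dst in PROVIDER_SERVERS:
            continue  # normal path: mail handed to the provider
        if port == RELAY_PORT:
            direct.setdefault(src, set()).add(dst)
        elif port in SUBMISSION_PORTS:
            odd.setdefault(src, set()).add(dst)
    return direct, odd

def report(log_text):
    """Build one human-readable finding per internal host."""
    direct, odd = classify(log_text)
    out = [f"{h}: direct SMTP to {len(d)} server(s), investigate this device"
           for h, d in sorted(direct.items())]
    out += [f"{h}: mail submission to unlisted server(s) {sorted(d)}"
            for h, d in sorted(odd.items())]
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)) or "No unexpected mail traffic")
```

A host in the second group is often just a mail account at a provider missing from `PROVIDER_SERVERS`, so add that server to the list before treating it as a problem.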


6 comments on “Why Does My IP Address Have a Bad Reputation? And What Do I Do?”

  1. I am reluctant to even enter my IP Address on the Cisco’s Talos website. Should I be concerned about someone getting my IP Address from that website?

    • Mike W: no, it affects you in no way at all. People visiting Cisco’s site have no way of connecting Mike W to your IP address. Sleep peacefully tonight.

    • There is very little information anyone other than law enforcement officials can get from your IP address. Every site you visit sees your IP address. In fact I can tell you right now what your IP address is. (or at least, was at the time you posted this comment.) In fact, by the time you read this, your IP address may have changed as it’s not really your IP address. It’s on loan to you from your ISP.
      https://askleo.com/what_can_people_tell_from_my_ip_address/

  2. I think I have a “dynamic” IP, since it changes every time I reset my modem. Cisco Talos lists my email volume as 1.5 under the “Last Month” tab; but the IP address I have now was assigned to me only 3 days ago and the Email Volume History shows everything as zero except for a 2.9 volume in 2018-12-26, when I had a different IP. I guess this is one of those cases in which I am inheriting the reputation and the “sins” from the previous user, right?
