Think of Karmasphere as the first credit bureau for Internet identities.
Experian, Equifax, and TransUnion do it for consumers. Dun & Bradstreet do it for corporations. Karmasphere do it for the Internet: URLs, IP addresses, domain names, and more.
We offer a "FICO score" that's meant to be used in the context of communications. Suppose you're looking at an incoming email. We can tell you if the sender IP is thought to be a spammer. We can tell you if the URL in the message body is a phishing site. Conversely, we can also tell you if the message really is coming from a Fortune 100 bank, so the message doesn't end up in the spam folder.
You can imagine equivalent scenarios for a VoIP call from an unknown caller; a blog comment from an unknown poster; an incoming instant message from an unrecognized ID.
Like a credit bureau, we obtain data from hundreds of upstream data providers. Like a credit bureau, we crunch the data and produce a single number that represents the risk of a given identity.
Our data providers include many respected names: Spamhaus, Cymru, Lashback, Phishtank, ISIPP, SURBL, TrustE, VeriSign, and many, many more. Each source represents a treasure trove of primary spamtrap data, due diligence screening, and painstaking research. We bring together the fruits of that work for convenient access.
Unlike a credit bureau, which offers risk evaluations for commerce, we offer risk evaluations for communications. The typical consumer warrants a credit check a few times a year. We might get queried every time an email is received – billions of times a day. Our infrastructure supports this.
But email is only our starting point. We're staying up to date on new messaging media: our platform supports SIP numbers, Skype IDs, Myspace IDs, AIM screen names, OpenID URLs ... you get the idea. Soon you'll want to discover the reputation of those identifiers too, and we're preparing to meet those needs.
In the spirit of Web 2.0 open-source culture, we make it easy for anyone to publish reputation data. (It could be as simple as uploading your address book as a whitelist.) We make it easy to share that data with others. Our vision, and our hope, is to bring about a layer of reputation that the Internet can use to encourage good behavior and discourage bad behavior. This layer would represent the collective wisdom of millions of users. Call it the Karmasphere.
We want to bring accountability to the Internet.
A new generation of technologies, working together, is taming the Internet: identity, authentication, and reputation are making the Internet safer and easier than ever before.
We are the reputation part of the equation. We're an essential part of the accountable future.
If it works, we'll solve spam as a side effect. Not just in email, but in every medium. Spam, phishing, and other forms of abuse are as old as language. The bad news is that they've come to the Internet. The good news is that old problems have old solutions. All we need to do is adapt those solutions to the Internet. Spam and fraud may be permanent problems. Accountability is the permanent solution.
It may be unrealistic to hope to solve abuse 100%; but we believe that reputation makes it possible to fight the bad guys to a standstill, to asymptotically approach the limit. Email experts agree that accountability mechanisms will bring spam well enough under control for most people to truly consider the problems solved.
Even the vendors of first-generation antispam solutions admit that content filtering is reaching the end of the road. All eyes are now on reputation.
We will know we have succeeded when email regains the reliability that it had in, say, 1995: if you sent an email, you knew that it would be received and read, rather than misfiled to a spam folder and lost. Wouldn't it be nice to live in that world?
We've been using the word "accountability".
Many deep thinkers blame the Internet's problems on easy anonymity and the absence of accountability. We agree: the Internet is our first worldwide civil society, but it has no police force! The traditional model of law enforcement is organized around the concept of jurisdiction, but on the Internet, jurisdiction is more a hindrance than a help. You can chase the bad guys out of your country, but what's the point if they can still reach you online?
With Internet governance still in its infancy, we see a need for private organizations to take a special role in serving civil society. The Internet needs accountability mechanisms. Our corporate mission serves this goal.
Today, in the financial world, responsible borrowers are rewarded with lower interest rates; irresponsible borrowers are punished with high interest rates. There is nothing personal: it is just a matter of risk. A huge and largely invisible infrastructure operates in the background to make credit reporting possible. Without it, the economy would look drastically different ... and poorer.
We want to do the same for the Internet. We believe it is possible to encourage good behaviour online using analogous feedback mechanisms. Doesn't it make sense?
Now, we're not advocating an "Internet driver's license." On the Internet, nobody knows you're a dog. And that's a good thing: that's the original cyberpunk spirit. We're just trying to add a tiny little bit of persistent metadata: good dog or bad dog? So maybe it's not true anonymity; it's pseudonymity. If you've got a handle, reputation will accrue. As for newly-minted handles claiming to have no history at all ... well, you can decide for yourself how you feel about that.
Not directly. Our brand may never appear in front of a million eyeballs. Like the people we gather data from, and like many of the partners we offer our technology and services to, we operate at the infrastructure level, deep in the network, close to the MTAs and proxies that route messages on behalf of the end user.
A browser plugin might reach millions of eyeballs, and we might be the "Intel Inside" that powers the plugin; but again, chances are the plugin will be branded something other than Karmasphere.
Crudely, the model looks like this: Data flows one way. Fees flow the other. Karmasphere takes a cut.
Upstream data sources dump data into Karmasphere. We crunch the data and use it to answer queries from downstream customers.
We license the Karmasphere package of data services and platform technologies to downstream OEM vendors, ISPs, security product manufacturers, data warehouses with specialized needs, and so on. These fees cover the cost of developing the system, operating the infrastructure, keeping the lights on, and feeding the staff.
Fees from paying customers also go toward compensating commercial upstream data providers. Some data providers charge money for their data, and we act as a reseller for them.
Many data providers do not charge money. They are motivated by altruism: they work to benefit the Internet. Everybody loves them, and so do we. We try to benefit them by acting as a distributed mirror; we reduce their bandwidth and hardware costs, and make it much easier to share their opinions with the industry. Before the age of Flickr, if you wanted to share your pictures, you had to bring up a web server on a connected host somewhere and cobble together some photogallery software. Today, anyone can just upload JPGs without knowing or caring where they're physically hosted. We do the same for reputation data.
The reputation ecosystem is young but complex.
We occupy the role of "reputation aggregator" in the following diagram:
Our job is to make life easier for everybody. Stop reinventing the wheel! We aggregate hundreds of data sources so subscribers don't have to query each one individually. We offer hosting, distribution, and accounting so publishers can focus on what they do best. After all, when you buy vegetables, you go to the market, not to the farm. Karmasphere is that marketplace.
We understand very well the unglamorous side of maintaining a production DNSBL: bandwidth, mirrors, CPU and disk, not to mention DDOSes and complaints. We want to make your lives easier.
If you're a DNSBL that we don't already syndicate, think of us as a large and reliable mirror. We spent two years building a replication architecture for reputation data: rsync+rbldnsd on steroids, the antispam industry's version of Akamai. By moving our clusters close to the MTAs that do the queries, we reduce query latency. By constantly pushing the data into those clusters, we reduce replication latency. You get the best of both worlds.
Lots of people are coming out of the woodwork and publishing into Karmasphere. We evaluate the feeds on a regular basis; if any are particularly good, we may even add them to our starting-point feedsets!
We wrote a lot of client plugins. We'd like people to take them for a test drive and let us know how they're doing; and if you want to contribute documentation, bugfixes, new features, etc., we would be very happy. Send us patches and we'll probably send you Subversion access.
Also, we're always hungry for new sources of data. If you can publish a useful IP blacklist, great. If you can publish a domain whitelist, even better! How's this for an ambitious goal: if we identify all the good senders, we can stop caring about the bad guys. Can you help?
The karmasphere-users mailing list is where it all happens.
You probably use a handful of DNSBLs today. You may subscribe to one or two commercial providers like MAPS/Kelkea/Trend Micro. You may also bring in data from nonprofit providers. Two heads are better than one, but each new source represents a significant setup burden. The dozens and hundreds of new sources on the horizon are tempting, but there just aren't enough hours in the day to evaluate, much less bring online, most of them.
We solve that problem: we're a one-stop shop for reputation. If you install Karmasphere you will immediately get the benefit of the majority of reputation sources out there. If a new reputation source appears, we'll add it to the system, and you don't have to lift a finger. If an existing data provider goes away, we'll take it out of the system and automatically update our feedsets. We save you the trouble of reconfiguring production systems or bringing local caches up and down.
IronPort's SenderBase and CipherTrust's TrustedSource are examples of reputation systems.
With reputation, you can cut your bandwidth and CPU footprint way down. Reject or throttle SMTP connections at the edge, based on the reputation of the sender IP, without doing any data exchange. Or test the reputation of the RFC 2821 envelope sender before the DATA payload; this lets you reject spam without ever having to look at the message content. With the rise of image stock spam, you know how useful this is. Conversely, you can whitelist good senders and significantly reduce false positives – the only thing worse than a spam that got through is a ham that didn't.
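The pre-DATA decision described above, sketched as an added example (not Karmasphere code): several blacklist and whitelist feeds are combined into one score, checked once at connect time and again after MAIL FROM. The feed names, weights, thresholds and the function names are all hypothetical, and the feed contents are constructed sample data.

```python
# Constructed sample feeds: documentation-range IPs and example domains,
# with hypothetical weights. Not real reputation data.
FEEDS = [
    {"name": "ip-blacklist-a",   "kind": "ip",     "weight": -60, "entries": {"192.0.2.10", "192.0.2.11"}},
    {"name": "ip-blacklist-b",   "kind": "ip",     "weight": -50, "entries": {"192.0.2.10"}},
    {"name": "ip-whitelist",     "kind": "ip",     "weight": 80,  "entries": {"198.51.100.25"}},
    {"name": "domain-blacklist", "kind": "domain", "weight": -70, "entries": {"spam.example"}},
    {"name": "domain-whitelist", "kind": "domain", "weight": 90,  "entries": {"bank.example"}},
]
REJECT_AT = -70      # hypothetical threshold: at or below this, refuse outright
THROTTLE_BELOW = 0   # hypothetical threshold: negative but above REJECT_AT, slow down


def clamp(total):
    """Keep scores on a fixed -100..100 scale."""
    return max(-100, min(100, total))


def score(kind, identity):
    """Sum the weights of every feed of this kind that lists the identity."""
    return clamp(sum(f["weight"] for f in FEEDS
                     if f["kind"] == kind and identity in f["entries"]))


def verdict(total):
    """Map a combined score to an action for the MTA."""
    if total <= REJECT_AT:
        return "reject"
    if total < THROTTLE_BELOW:
        return "throttle"
    return "accept"


def on_connect(client_ip):
    """Decision at connect time, before any SMTP data exchange."""
    return verdict(score("ip", client_ip))


def on_mail_from(client_ip, envelope_sender):
    """Decision after MAIL FROM, still before the DATA payload."""
    # The null sender "<>" (bounces) has no domain: fall back to IP reputation only.
    domain = envelope_sender.rpartition("@")[2].strip("<>").lower()
    total = score("ip", client_ip)
    if domain:
        total += score("domain", domain)
    return verdict(clamp(total))
```

A positive domain score should only count once the envelope sender has been authenticated (for example with SPF); this sketch assumes that check has already passed.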
You could build a reputation system, or you could buy one from us. Where SenderBase and TrustedSource are proprietary, closed systems that reflect the world from a single vendor's point of view, Karmasphere offers a whole array of independent reputation systems, bundled into a single convenient package with extraordinary coverage.
Karmasphere aims to be the dominant provider of third-party reputation services to the antispam industry. We go beyond IP reputation: we include domain reputation, sourced from best-of-breed data partners like TrustE and VeriSign, and we have URL reputation from folks like Phishtank and URIBL.
If you have already developed your own internal reputation database, we can integrate that legacy data into our datastreams so you get the best of both worlds.
Contact us to discuss partnerships today!
It's a good thing we designed our platform for maximum flexibility. A surprising number of industry organizations told us they are looking for a venue to host private data sharing projects ... and we fit the bill.
If you're looking for a secure, anonymous, private, realtime data aggregation service, we can have you up and running in less time than you'll take to write the RFP.
Please join the karmasphere-users mailing list to discuss requirements, or contact us directly.