No. UCEProtect is certainly not a decent or any other kind of place to start. The MAAWG BCPs have far more available than one of the worst maintained blacklists that has ever been in existence. If you want FAQs from blocklists - there is much that's available on the spamhaus.org website.

On Thu, Apr 22, 2010 at 8:24 AM, Franck Martin <franck@genius.com> wrote:
If you have left port 25 open, this is a good place to start.
http://www.uceprotect.net/en/rblcheck.php
I suspect any decent IDS will tell you which machine has weird traffic. I suppose you can put rules based on the IDS result to redirect them to a special web page to tell them they have to do something.
The main issue is not to know which machines are hijacked, but to support these machines.
----- Original Message -----
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Alex Kamiru" <nderitualex@gmail.com>
Cc: nanog@nanog.org
Sent: Thursday, 22 April, 2010 1:35:56 PM
Subject: Re: Mail Submission Protocol
Log and monitor all that you can. And watch for a large number of IPs logging into an account over a day (over a set limit - even across country - that takes into account "home - blackberry - airport lounge - airport lounge in another country - hotel - RIPE meeting venue" type scenarios).
And especially watch for and/or firewall off logins from areas from where you see particularly high levels of SMTP auth abuse / logins to compromised accounts.
--srs
2010/4/21 Alex Kamiru <nderitualex@gmail.com>:
Inside customers, we have not changed to force port 587 and authentication for email clients, but the topic has come up in discussions. This won't, of course, stop spammers if they are hijacking the user's local email client settings.
How best would you stop spammers hijacking local users' email clients?
-Mike
-- Suresh Ramasubramanian (ops.lists@gmail.com)
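
Added example (not part of the original thread): one way to implement the "large number of IPs logging into an account over a day" check described above, run over SMTP AUTH log lines. The Postfix-style log layout, the sample lines, the limit of 6 and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed limit: roughly the home/phone/lounge/hotel/venue travel day from the thread.
MAX_IPS_PER_DAY = 6

# Matches Postfix-style smtpd lines that record a successful SASL login.
AUTH_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)$"
)

def _line(day, hhmm, ip, user):
    """Build one constructed log line (documentation-range IPs only)."""
    return (f"Apr {day} {hhmm}:00 mx postfix/smtpd[2101]: 4F1A2B: "
            f"client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}")

# Constructed sample: alice travels (3 IPs), bob's account is used from 9 IPs.
SAMPLE_LOG = "\n".join(
    [_line(22, f"08:{i:02d}", f"198.51.100.{i}", "alice@example.net") for i in range(1, 4)]
    + [_line(22, f"09:{i:02d}", f"203.0.113.{i}", "bob@example.net") for i in range(1, 10)]
    + [_line(23, "10:00", "203.0.113.1", "bob@example.net")]
    + ["Apr 22 09:30:00 mx postfix/smtpd[2101]: connect from unknown[192.0.2.9]"]
)

def distinct_ips_per_account(log_text):
    """Map (day, account) -> set of client IPs that authenticated that day."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:  # non-auth lines (connect, disconnect, ...) are skipped
            seen[(m["day"], m["user"].lower())].add(m["ip"])
    return seen

def flag_accounts(log_text, max_ips_per_day=MAX_IPS_PER_DAY):
    """Return sorted (day, account, ip_count) tuples that exceed the limit."""
    return sorted(
        (day, user, len(ips))
        for (day, user), ips in distinct_ips_per_account(log_text).items()
        if len(ips) > max_ips_per_day
    )

if __name__ == "__main__":
    for day, user, count in flag_accounts(SAMPLE_LOG):
        print(f"{day}  {user}  {count} distinct source IPs")
```
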