Hello All, Spamhaus has done us the favor of blacklisting all of our prefixes due to the issues with a handful of IPs from customers we have removed from our network. They are now being unresponsive on helping us get these listings removed, and we have a lot of legitimate customers who are no longer able to send email. If anyone has any advice on how to deal with these people, please let me know here or off list. Thanks!
On 07/28/2015 08:06 PM, Bryan Tong wrote:
Hello All,
Spamhaus has done us the favor of blacklisting all of our prefixes due to the issues with a handful of IPs from customers we have removed from our network.
They are now being unresponsive on helping us get these listings removed and we have a lot of legitimate customers who are no longer able to send email.
If anyone has any advice on how to deal with these people, please let me know here or off list.
Thanks!
When I started work for a Web hosting company as a mail admin, the company had a number of entries in the various blocking lists, including the infamous SPEWS list. Job one was finding out just which customers were causing the listings -- make a list, and check it against terminated accounts. A surprising number of those "dead" accounts were still active in one way or another, so I cleaned them up. (Web hosting clients with removed content, but still-active mail accounts.) I then let each block list know about the terminated accounts, and the associated IP address.

Once I finished that task, I started in on the rest of the accounts. One account I terminated because they were selling spammer DNA -- I personally pulled the plugs on that co-located server. Quite a number of Web sites had exploitable mail-out scripts, so I cleaned them up so outsiders couldn't use those sign-up forms to send arbitrary mail. As I worked through the list, I let the block-list owners know what I was doing. I did *not* request de-listing, by the way. My goal in this phase was to show that I was really doing something. As a consequence, several of the BL operators removed the /21 and /19 level blocks.

Oh, did I mention that I got my upstreams to do proper SWIP of the address space, and published an abuse@ address for the address ranges?

Some customers were doing bulk mail-outs. I worked with those customers to clean up their mailing lists, to throttle their mails to avoid tripping spam alarms, and to properly set up their programs to react to DNR and spam-reject. Those that didn't like my clean-up campaign were referred to management for further action.

As part of my work, I became active on NANAE, taking advice from many people as to how to clean up my space. One key factor was that I answered every single abuse mail that came in. Every. single. one. The responses were short, describing the corrective action I took. Most of the time, it was yet another open mail-out script that needed to be fixed. But sometimes I got to write back "the abuser has been terminated."

It took about nine months to clean up all the block-list entries. I was also diligent when new entries would pop up -- get the info as to who, and take care of the problem. Management saw the fruit of my labor in the number and quality of new accounts. Big positive.

Notice the parallel between mail operations and network operations. Things go MUCH better when we work with each other. All the DNSBL operators want is to know that spam reports will be handled.
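The "exploitable mail-out scripts" Stephen describes are typically sign-up forms that copy form fields straight into mail headers. As an added example (not code from the thread), here is the shape of such a handler beside a hardened version with fixed recipients, a validated Reply-To and a CR/LF header-injection check; SITE_RECIPIENTS and the example.org addresses are assumed values.

```python
import re
from email.message import EmailMessage

# Assumed site configuration: the only addresses a sign-up form may ever deliver to.
SITE_RECIPIENTS = ["signups@example.org"]
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_open_relay_message(form):
    """The 'before' picture: every header comes straight from the form, so an
    outsider can choose the recipient and, via CR/LF, add any header they like."""
    return (f"To: {form.get('to', '')}\r\n"
            f"From: {form.get('email', '')}\r\n"
            f"Subject: {form.get('subject', '')}\r\n\r\n{form.get('body', '')}")


def build_signup_message(form):
    """Hardened version: recipients are fixed, the visitor's address only ever
    lands in Reply-To after strict validation, and any CR/LF in a header field
    is rejected outright. Returns (message, None) or (None, reason)."""
    email = form.get("email", "")
    subject = form.get("subject", "")
    body = form.get("body", "")
    for name, value in (("email", email), ("subject", subject)):
        if "\r" in value or "\n" in value:
            return None, f"{name}: header injection rejected"
    if not _ADDR_RE.match(email):
        return None, "email: not a valid address"
    if len(subject) > 200 or len(body) > 10000:
        return None, "field too long"
    msg = EmailMessage()
    msg["From"] = "noreply@example.org"      # fixed sender (assumed value)
    msg["To"] = ", ".join(SITE_RECIPIENTS)   # never taken from the form
    msg["Reply-To"] = email
    msg["Subject"] = "[signup] " + subject
    msg.set_content(body)
    return msg, None
```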
If you implement SPF / DKIM / DMARC / ADSP, force your customers to relay their mail through something you control, and show them you are serious about stopping the spam, they may work with you then. Otherwise, they just assume you're a spam house.
If you implement SPF / DKIM / DMARC / ADSP, force your customers to relay
Before we went SaaS with email we had lots of spam problems and we also went this route .. you must relay through us and authenticate .. Postfix along with the DKIM and policyd milters (and SPF in DNS). The policyd one would limit you to X messages in Y hours (per SASL credential), and we would override it for people that had a specific need. That was very effective at limiting the spam damage. I'm sure your needs are different as a commercial provider, but we found that hardly anyone sends more than 100 messages a day, and 100 spammy messages isn't enough to get you in trouble, as long as it stops there.

We have a /16 where most of our stuff lives and have moved things around a bit .. Spamhaus was pretty easy to deal with, as were the other major players (MS, Google, AOL, Yahoo), by just filling out their postmaster forms. Basically you just need to explain how you are fixing the problem and they usually answer you in less than 24 hrs.

The only IP addresses we have that I'd consider permanently tainted are the ones we've run Tor exit nodes on. We haven't run Tor in a couple years now, but those IPs are still blacklisted so many places they are essentially unusable in any reliable capacity -- something to keep in mind while crafting your TOS.

-Michael Holstein
-Cleveland State University
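The per-SASL-credential limit Michael mentions can be implemented as a Postfix policy daemon: Postfix sends name=value lines terminated by a blank line and expects an action= line back. The following is an added Python example, not the policyd code the post refers to; the default limit, the override entry and the 24-hour window are assumed values standing in for X and Y, and the daemon is assumed to be hooked into smtpd_recipient_restrictions so each request is one recipient.

```python
from collections import defaultdict, deque

# Assumed defaults standing in for the "X messages in Y hours" the post mentions.
DEFAULT_LIMIT = 100            # recipients per credential per window
WINDOW_SECONDS = 24 * 3600     # 24-hour sliding window
OVERRIDES = {"newsletter-svc": 5000}   # assumed customer with a demonstrated need


def parse_policy_request(text):
    """Parse one Postfix policy-delegation request: 'name=value' lines ended by a
    blank line. Only attributes present in the request are returned."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break                      # blank line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class SaslRateLimiter:
    """Sliding-window counter keyed by SASL username rather than client IP, so a
    leaked credential is throttled even when it is used from many hosts."""

    def __init__(self, limit=DEFAULT_LIMIT, window=WINDOW_SECONDS, overrides=None):
        self.limit, self.window = limit, window
        self.overrides = dict(OVERRIDES if overrides is None else overrides)
        self._sent = defaultdict(deque)   # username -> timestamps inside the window

    def decide(self, attrs, now):
        """Return the Postfix action line for this request at time `now` (epoch seconds)."""
        user = attrs.get("sasl_username", "")
        if not user:
            # The relay only accepts authenticated submission from customers.
            return "action=REJECT Relay requires SMTP AUTH"
        q = self._sent[user]
        while q and now - q[0] >= self.window:
            q.popleft()                # drop timestamps that fell out of the window
        limit = self.overrides.get(user, self.limit)
        if len(q) >= limit:
            # Soft-fail so a legitimate burst is retried later instead of bounced;
            # the deferred attempt is not charged against the counter.
            return (f"action=DEFER_IF_PERMIT Rate limit of {limit} recipients per "
                    f"{self.window // 3600}h reached for {user}")
        q.append(now)
        return "action=DUNNO"           # let the remaining restrictions decide


def respond(limiter, request_text, now):
    """Wire format for the reply: the action line followed by an empty line."""
    return limiter.decide(parse_policy_request(request_text), now) + "\n\n"
```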
participants (4): Bryan Tong, Michael O Holstein, Private Sender, Stephen Satchell