[anti-abuse-wg] How to monitor any of my IP range being blacklisted?
Frank Gadegast ripe-anti-spam-wg at powerweb.de
Wed May 2 11:51:34 CEST 2012
Lu Heng wrote:
> Hi
>

Hi,

I guess you are also scanning incoming email already with an antispam
software and that you are using the rbl's of interest already.

We realized that spammers usually also send spam to email addresses
captured from outlook address books on the spambotted PC or relay
through your mailservers, if they spambotted a PC of your own customer.

So: if one of your dialin customers' PCs is captured with a spambot,
you will also receive spam from this PC to your other customers' email
addresses, to the email address of the customer himself or your own
mailservers.

So: check your own anti spam results for your own IP address range.

If your other customers receive spam from your own IPs, or your
mailservers relay with an IP of your own IP range and the score is
very high, you can surely

- be sure that your IP will end up on other rbls, if you are not
  acting quick enough and try a multi rbl list like
  http://multirbl.valli.org/
  to check that IP and fix the rbls, that already list your IP
- inform your customer, that his PC is captured and block outgoing
  smtp for him (we simply change his dial-in password and log him
  out, if some thresholds are reached ;o)

This surely only works, if you have enough dialin customers and enough
other customer domains that are receiving mail and works even better,
if your customers are using your own mailservers as outgoing mailservers
(ok, this only works, if the spambot is not having an own SMTP engine).

We automated this and do not have a lot of botted customers, but
we find them and turn them off, before the IPs end up on any
other RBL.

I bet it also works great, if a webspace or housingserver is misused.

There are nice spamassassin modules, that insert the AS of the sender
IP into the header, so you can easily scan for this header-field.
In SA there is also a mechanism called ALL_TRUSTED, that inserts this
flag, if the user also identified via POP3 or SMTP-Auth. If you ever
receive an email with a very high score and it's all ALL_TRUSTED, you can
also be sure, that your own customer's PC is spambotted.

Surely you will not get any rbl listings because of webvertized URLs
or the like ...

Kind regards, Frank

> Does anybody know how to monitor all the ranges, to see if they are
> black listed, check one by one is not a good idea as an ISP.
>
> Anybody know a way to check a block of IP like /19 or something.
>
> Thanks in advance!

--
MOTD: "have you enabled SSL on a website or mailbox today ?"
--
PHADE Software - PowerWeb                  http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast          mailto:frank at powerweb.de
Schinkelstrasse 17                         fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany      fax: +49 33200 52921
======================================================================
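
An added example, not part of the original post: one way to scan already-scored inbound mail for high-scoring messages that came from your own address range, noting whether SpamAssassin's ALL_TRUSTED test fired. The address range, the score threshold, the sample messages and the assumption that the topmost Received header carries the client IP in square brackets are all illustrative and not taken from the post.

```python
import email
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the post): our own address space and the threshold.
OWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]  # documentation prefix
SCORE_THRESHOLD = 10.0

def sender_ip(msg):
    """Client IP from the topmost Received header, or None if absent/invalid."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def find_botted_customers(raw_messages):
    """Map own-range sender IP -> [(score, all_trusted), ...] for high scores."""
    hits = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        # The tests list may be folded across lines after a comma; rejoin it.
        status = re.sub(r",\s+", ",", msg.get("X-Spam-Status", ""))
        score = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
        tests = re.search(r"tests=([A-Z0-9_,]+)", status)
        ip = sender_ip(msg)
        if score is None or ip is None:
            continue
        if float(score.group(1)) < SCORE_THRESHOLD:
            continue
        if not any(ip in net for net in OWN_RANGES):
            continue
        names = set(tests.group(1).split(",")) if tests else set()
        hits[str(ip)].append((float(score.group(1)), "ALL_TRUSTED" in names))
    return dict(hits)

def _msg(ip, status):
    """Build one constructed sample message (not real traffic)."""
    return (f"Received: from host (host.example.net [{ip}]) by mx.example.net\n"
            f"X-Spam-Status: {status}\nSubject: test\n\nbody\n")

SAMPLE_MESSAGES = [
    _msg("192.0.2.45", "Yes, score=18.4 required=5.0 tests=ALL_TRUSTED,BAYES_99 autolearn=no"),
    _msg("192.0.2.45", "Yes, score=12.0 required=5.0 tests=BAYES_99,\n\tURIBL_BLACK autolearn=no"),
    _msg("198.51.100.7", "Yes, score=22.1 required=5.0 tests=BAYES_99 autolearn=no"),
    _msg("192.0.2.99", "No, score=1.2 required=5.0 tests=ALL_TRUSTED autolearn=no"),
]

if __name__ == "__main__":
    for ip, events in find_botted_customers(SAMPLE_MESSAGES).items():
        print(ip, events)
```

Each IP returned is a candidate for the customer notification and outbound SMTP block described in the post, and can be checked against the multi-RBL lookup before other lists pick it up.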