On 07.07.21 22:08, Michael Peddemors via mailop wrote:
> Start by including the IP(s) you are discussing ;)

mx-out-01.fh-muenster.de [185.149.214.63]
mx-out-02.fh-muenster.de [212.201.120.206]

> Compromised accounts are indeed the bane of the responsible
> administrator, and as you can see.. the rate limiting systems ARE
> essential, you are unlikely to suffer a reputation issue, if only a few
> escape (unless they have REALLY bad content, your mail server should not
> be processing).

Absolutely. That's why we had rate limits in place for different markers: mailcounts each by sender address, authenticated user and client in different time frames. So far this had worked fine.

So that others can learn from our mistake: Someone whitelisted the internal Exchange systems from the clients, because they kept triggering the limits, believing they'd get caught by the other markers, which they did not.

> Encourage transparent 2FA, and options like country auth restrictions,
> blocking AUTH from cloud providers/hosting companies known for being a
> haven for those types of attacks, (should make a blog post on best
> practices for authentication on email servers one day) but..

Please do :) - I have actually thought about limiting AUTH to local networks, because we have VPN available for all clients - which would add another level. But that requires some effort from the "customers" and of course was not well received. It could also be circumvented after a user's credentials were phished.

> As you correctly noted, yes.. cleaning up your reputation and getting
> off blacklists IS the punishment for not being pro-active on issues like
> that. It isn't the blacklist operators' fault after all ;)

I fully agree. And I've added another self-flagellation by posting here ;)

> Most blacklists and reputation services are pretty understanding, if you
> clearly communicate, and your email server is for the most part
> professionally operated. And remember, be kind to them, they aren't your
> enemy, and they probably get more than their fair share of yelling and
> screaming..

I'd never do anything like that. Especially since it's our fault and I have been doing this long enough to appreciate their work - after all they are my own line of defense too.

> Now, having said that.. it is ALWAYS best to follow the posted
> procedures for asking for removal, but if it does NOT fix things in say
> 48 hours (hard to wait when you have screaming customers I know) then
> there are good people on this list and others that can help you, as long
> as you show that you are already following their SOP for removal.

I was able to switch over to other outgoing servers for now, so the customers have extinguished their torches (most of them didn't even notice).

I am just confused on how to fix the reputation of those two boxes by sending emails without being able to send emails.

Regards
Thomas Walter

--
Thomas Walter
Datenverarbeitungszentrale
FH Münster
University of Applied Sciences
Corrensstr. 25, Raum B 112
48149 Münster
Tel: +49 251 83-64908
Fax: +49 251 83-64910
E-Mail: b...@fh-muenster.de
https://www.fh-muenster.de/dvz/
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
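
The whitelisting mistake described in the message above, as an added example that is not part of the original post or the poster's configuration: a limiter with the three markers mentioned (sender address, authenticated user, client) that reports how many markers still evaluate traffic once a client is exempted. The limits, the relay address, and the scenario in which relayed mail arrives without an authenticated user and with varying sender addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed limits (assumed values): marker -> (max messages, window seconds)
LIMITS = {"sender": (100, 3600), "auth_user": (200, 3600), "client": (50, 600)}

class MarkerLimiter:
    def __init__(self, limits=LIMITS, exempt=None):
        self.limits = limits
        self.exempt = exempt or {}        # marker -> values skipped for that marker only
        self.seen = defaultdict(deque)    # (marker, value) -> timestamps inside the window

    def check(self, now, msg):
        """Count one message. Returns (markers over limit, markers evaluated)."""
        tripped, evaluated = [], []
        for marker, (max_count, window) in self.limits.items():
            value = msg.get(marker)
            if value is None or value in self.exempt.get(marker, ()):
                continue                  # this marker gives no protection for this message
            q = self.seen[(marker, value)]
            while q and q[0] <= now - window:
                q.popleft()               # drop events that left the time frame
            q.append(now)
            evaluated.append(marker)
            if len(q) > max_count:
                tripped.append(marker)
        return tripped, evaluated

def replay(limiter, messages):
    """Feed (timestamp, msg) pairs; return (first index over a limit or None,
    smallest number of markers that evaluated any single message)."""
    first_over, min_eval = None, len(limiter.limits)
    for i, (ts, msg) in enumerate(messages):
        tripped, evaluated = limiter.check(ts, msg)
        min_eval = min(min_eval, len(evaluated))
        if tripped and first_over is None:
            first_over = i
    return first_over, min_eval

def constructed_burst(client, n=300, auth_user=None):
    # Constructed traffic: one message per second handed over by `client`,
    # sender address differing per message (assumed scenario, not from the post).
    return [(t, {"sender": f"user{t}@example.org", "auth_user": auth_user, "client": client})
            for t in range(n)]

RELAY = "192.0.2.10"   # placeholder address standing in for an internal relay

if __name__ == "__main__":
    print(replay(MarkerLimiter(), constructed_burst(RELAY)))
    print(replay(MarkerLimiter(exempt={"client": {RELAY}}), constructed_burst(RELAY)))
    print(replay(MarkerLimiter(exempt={"client": {RELAY}}), constructed_burst(RELAY, auth_user="alice")))
```

A minimum of one evaluated marker in the second run is the warning sign: the exemption is only safe when the remaining markers actually receive a usable value for traffic from the exempted client, as in the third run.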