I used to spend a lot of time blocking hosts and subnets, using iptables, of 
malicious providers who would let any Tom, Dick, and Harry (no pun intended) 
host spam hosts/relays on their servers. What I ended up doing is also blocking 
a lot of SMB vendors from sending legitimate emails to users, because most SMBs 
outsource their services without really comprehending the consequences of the 
provider they choose. This is especially true for low-tech industries such as 
toll and process manufacturing companies, and frankly it led to a management 
nightmare.

There are A LOT more people out there, far more than just the Googles and 
Yahoos of the world, and if you block IP addresses/subnets without an automated 
system using a definable metric (that usually is enterprise specific), IT will 
invariably be inundated with complaints about users not receiving legitimate 
vendor emails.

It is much more effective to use existing RBLs and supplement them with your 
own honeypot RBL that uses metrics developed in house that can react to what 
your organization will consider the critical mass of spam it can take. That, 
along with the proper training of SA, is perhaps the best defense you can have. 
Using metrics like last seen, total count, and frequency seems to provide the 
best metrics for me; my private RBL (based on honeypot addresses) can react 
faster than the big guys, on both ends of the equation (to block and to 
release). It's not that Google doesn't sometimes land on my RBL, it's that it 
also drops off fast as they remedy the issue, and the timeouts are reached and 
they drop off my list.



> On Feb 14, 2016, at 10:19 PM, Noel Butler <noel.but...@ausics.net> wrote:
> 
> On 15/02/2016 09:02, Reindl Harald wrote:
>> On 14.02.2016 at 23:34, Noel Butler wrote:
>>> On 14/02/2016 01:46, Alex wrote:
>>>> rejecting outright at the SMTP level for IPs reaching my honeypots
>>>> could be dangerous if not checked.
>>> how so? if your honey pots use specific non human used (ever) addresses,
>>> then there should never ever be a genuine mail destined for it.
>>> I don't care who the connector is, be it foobar.com or gmail.com if they
>>> relay it, they are listed, it's where spamhaus and I always disagreed,
>>> because what they are doing is sending a clear message to spammers to
>>> simply "use gmail" to avoid being listed in spamhaus.
>>> You are never too big to be stuffed into a dnsbl, there are a number of
>>> well known bl's that have been around for over ten years that also take
>>> that approach.
>> you forgot to say that you are the type of RBL operator who lists whole
>> subnets (not only in personal RBLs) because you don't like specific
>> people on mailing lists
> 
> 
> Ohh, so you wanna bring this up again in public do you, fine by me... let's 
> have some history though shall we Harry...
> 
> Most DNSBLs blacklist spam *and* abusive hosts, there is no question about 
> you spamming, I know you don't and would never do that, but you are/were a 
> very very aggressively abusive person - this is supported by all those 
> mailing list bannings/moderations you've copped over recent years which we 
> need both hands to count, the listing I placed on you was not just because of 
> the abuse and blackmailing you leveled at me, but the number of complaints we 
> received also.
> 
> Furthermore, most people who've had interactions with you over the past 
> couple of years, especially those that you've disagreed with also know how 
> you used to act, and occasionally still come close to, because you think you 
> are always right and anyone who disagrees with you is the anti christ or 
> something.
> 
> Ordinarily this does just warrant a /32 listing, however as a system 
> administrator with access to at least a /24, and evidence of your mailing 
> list ghost accounts, including at least one I recall from another IP in that 
> /24 a while back, yes, I took the step to block your /24.
> 
> 
>> also you don't realize that this doesn't stop any single mail from a
>> list sent by that person but just harms other domains using the SMTP
>> server
> 
> I realise a lot more than you think, as I've told you, and told you, and told 
> you, it's up to lists what DNSBLs if any they use, but you are known to, on 
> the lists you've been moderated on, send abusive messages to recipients 
> directly since you can't via the lists
> so it does have a catching effect of those who use it.
> 
>> so *you* are hardly in the position for education about RBL's since
>> you don't care about any collateral damage but only your ego
> 
> You are entitled to your opinion, I care about valid collateral damage, if 
> you abuse an employer's resources and your employer's customers are caught up 
> in it, your employer, if they care, would take appropriate action, it is no 
> different than blocking a domain for spamming, forcing the host to clean up 
> its act and get rid of its spamming clients, of course at no time did I wish 
> to see your employment terminated, just actions reined in, resulting in 
> cleaner transmissions, allowing for removal of blocking, just like networks 
> that clean up spam.
> 
> I have seen you have remarkably behaved yourself in the past 6 months compared 
> to how you used to carry on, you're still no saint, but no one including me is 
> either.
> 
> This list is also off topic and I apologise to Gunther and co for replying to 
> it on list, but some things needed to be said. No doubt Harry will rant and 
> rave and carry on trollbaiting me, but I will try to withhold any further 
> responses since, we are, well and truly OT.
> 
> Have a nice day.
> 
> -- 
> 
> 
> If you have the urge to reply to all rather than reply to list, you best
> first read  http://members.ausics.net/qwerty/
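
A sketch of the honeypot-driven private RBL described at the top of this message, listing on total count and frequency and releasing on a last-seen timeout. This is an added example, not the poster's code; the class names and every threshold are assumptions (the message calls such metrics enterprise specific), and the events use documentation-range IPs constructed for illustration.

```python
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class Policy:
    # Assumed values; tune to what your organization treats as critical mass.
    min_hits: int = 3              # total count inside the window that lists an IP
    window: int = 24 * HOUR        # hits older than this no longer count
    burst_hits: int = 2            # frequency rule: this many hits...
    burst_window: int = 600        # ...within this many seconds lists at once
    release_after: int = 6 * HOUR  # quiet time after last seen before delisting

@dataclass
class HoneypotRBL:
    policy: Policy = field(default_factory=Policy)
    hits: dict = field(default_factory=dict)  # ip -> sorted hit timestamps

    def record_hit(self, ip, ts):
        """Call when mail arrives for a honeypot (never human-used) address."""
        self.hits.setdefault(ip, []).append(ts)
        self.hits[ip].sort()

    def is_listed(self, ip, now):
        p = self.policy
        recent = [t for t in self.hits.get(ip, []) if 0 <= now - t <= p.window]
        if not recent:
            return False
        last_seen = recent[-1]
        if now - last_seen > p.release_after:
            return False  # sender went quiet: timeout reached, drop off the list
        burst = [t for t in recent if last_seen - t <= p.burst_window]
        return len(recent) >= p.min_hits or len(burst) >= p.burst_hits

    def zone(self, now):
        """IPs currently listed, e.g. for export into a local DNSBL zone."""
        return sorted(ip for ip in self.hits if self.is_listed(ip, now))

def demo():
    rbl = HoneypotRBL()
    events = [  # constructed sample: (ip, seconds since start)
        ("192.0.2.10", 0), ("192.0.2.10", 120),       # burst: 2 hits in 2 min
        ("198.51.100.7", 0),                          # single stray hit
        ("203.0.113.5", 0), ("203.0.113.5", 2 * HOUR), ("203.0.113.5", 5 * HOUR),
    ]
    for ip, ts in events:
        rbl.record_hit(ip, ts)
    return [rbl.zone(5 * HOUR + 60), rbl.zone(8 * HOUR), rbl.zone(12 * HOUR)]
```

`demo()` returns the zone at three points in time: both repeat senders listed, then the burst sender released first, then an empty list once the slower sender has also been quiet past the timeout.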
