Working with Spamhaus
Suresh Ramasubramanian
ops.lists at gmail.com
Wed Jul 29 18:42:19 UTC 2015
Er - a couple of ways
1. If you run a farm of mail servers, something like Splunk for your logs is kind of necessary. How difficult is it going to be to trigger a Splunk alert on whatever looks like an administrative block? Either by a large provider, or by a DNS block list.
2. You can rsync Spamhaus and grep for mentions of your ASN, get ISP feedback loops etc.
On a larger topic - NANOG and M3AAWG (also RIPE and M3AAWG’s summer meeting in Europe) really ought to collocate or at least be back to back in the same city somewhere down the line - maybe with a day’s worth of joint sessions on topics of mutual interest (malware detection and mitigation, DDoS filtering .. there’s a lot going on in M3AAWG that’s not plain old mail or even messaging)
It still won’t solve the larger problem that a lot of routing and DNS folks won’t find it of interest, but well, over the decade ++ I’ve been around M3AAWG I see an ever increasing number of (security focused, mainly) *nog regulars turn up there.
—srs
> On 29-Jul-2015, at 10:37 AM, Bob Evans <bob at FiberInternetCenter.com> wrote:
>
> I see that point - however, Spamhaus has become a haus-hold word these
> days and everyone runs into these issues... it's not malware or bots we
> block from a network level blackhole. Yet it is basic network operations
> these days to have to deal with someone complaining about their hacked
> mail server is now fixed yet they can't get mail. We usually tell them the
> quickest way is to address Spamhaus to get it removed and in parallel also
> move the mail server to a new IP and change the DNS and rDNS to the new
> one. It gets us out of having to help with these RBL issues.
>
> When an RBL sends a notice we jump on it and get it to the
> customer...however, they usually don't send us or the customer anything.
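The log alerting suggested in point 1 of the reply above, sketched as an added example that is not part of the original thread or either poster's tooling: it scans outbound Postfix-style delivery logs for rejections that look like DNS block list hits or provider policy blocks and reports sources seen at least `threshold` times. The regexes, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed Postfix-style smtp client log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jul 29 10:01:02 mx1 postfix/smtp[411]: A1: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 554 5.7.1 Client host [198.51.100.7] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Jul 29 10:01:09 mx1 postfix/smtp[412]: A2: to=<b@example.org>, relay=mx.example.org[192.0.2.20]:25, dsn=5.7.1, status=bounced (host mx.example.org[192.0.2.20] said: 550 5.7.1 Rejected: 198.51.100.7 blocked using zen.spamhaus.org. (in reply to RCPT TO command))
Jul 29 10:02:30 mx1 postfix/smtp[413]: A3: to=<nobody@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jul 29 10:03:11 mx1 postfix/smtp[414]: A4: to=<c@bigprovider.example>, relay=mx.bigprovider.example[192.0.2.30]:25, dsn=4.7.0, status=deferred (host mx.bigprovider.example[192.0.2.30] said: 421 4.7.0 [198.51.100.7] Mail from your IP is temporarily blocked due to poor reputation (in reply to MAIL FROM command))
Jul 29 10:03:40 mx1 postfix/smtp[415]: A5: to=<e@bigprovider.example>, relay=mx.bigprovider.example[192.0.2.30]:25, dsn=4.7.0, status=deferred (host mx.bigprovider.example[192.0.2.30] said: 421 4.7.0 [198.51.100.7] Mail from your IP is temporarily blocked due to poor reputation (in reply to MAIL FROM command))
Jul 29 10:04:00 mx1 postfix/smtp[416]: A6: to=<d@example.com>, relay=mx.example.com[192.0.2.40]:25, dsn=4.7.1, status=deferred (host mx.example.com[192.0.2.40] said: 450 4.7.1 Greylisted, please retry later (in reply to RCPT TO command))
"""

# Only failed deliveries carry a remote reply worth inspecting.
FIELDS = re.compile(r"relay=(?P<relay>[^\[,\s]+).*?dsn=(?P<dsn>\d\.\d+\.\d+), "
                    r"status=(?P<status>bounced|deferred) \((?P<reply>.*)\)\s*$")
# Common DNSBL rejection wording; the zone name follows "blocked using".
DNSBL = re.compile(r"blocked using (?P<zone>[\w.-]+)", re.I)
# Assumed heuristic for provider-side policy blocks (tune per receiver).
POLICY = re.compile(r"\b(blocked|blacklisted|block ?list|reputation)\b", re.I)

def classify(line):
    """Return ("dnsbl", zone) or ("provider", relay) for an administrative block, else None."""
    m = FIELDS.search(line)
    if not m:
        return None
    hit = DNSBL.search(m["reply"])
    if hit:
        return ("dnsbl", hit["zone"].rstrip(".").lower())
    # Enhanced status codes x.7.y are the security/policy class (RFC 3463).
    if m["dsn"].split(".")[1] == "7" and POLICY.search(m["reply"]):
        return ("provider", m["relay"].lower())
    return None

def alerts(lines, threshold=2):
    """Count block sources and keep those seen at least `threshold` times."""
    counts = Counter(filter(None, map(classify, lines)))
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (kind, source), n in alerts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {kind} {source}: {n} rejected deliveries")
```

The user-unknown bounce and the greylisting deferral in the sample are deliberately not counted, since neither is an administrative block.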