[182688] in North American Network Operators' Group
Re: Working with Spamhaus
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Wed Jul 29 14:42:23 2015
X-Original-To: nanog@nanog.org
From: Suresh Ramasubramanian <ops.lists@gmail.com>
In-Reply-To: <7c0000ab2a8a16efd3a46d7e24efa9ea.squirrel@66.201.44.180>
Date: Wed, 29 Jul 2015 11:42:19 -0700
To: bob@FiberInternetCenter.com
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Er - a couple of ways

1. If you run a farm of mail servers, something like splunk for your logs is kind of necessary. How difficult is it going to be to trigger a splunk alert on whatever looks like an administrative block? Either by a large provider, or by a DNS block list.

2. You can rsync spamhaus and grep for mentions of your ASN, get ISP feedback loops etc.

On a larger topic - NANOG and M3AAWG (also RIPE and M3AAWG's summer meeting in Europe) really ought to collocate or at least be back to back in the same city somewhere down the line - maybe with a day's worth of joint sessions on topics of mutual interest (malware detection and mitigation, DDoS filtering .. there's a lot going on in M3AAWG that's not plain old mail or even messaging)

It still won't solve the larger problem that a lot of routing and DNS folks won't find it of interest, but well, over the decade ++ I've been around M3AAWG I see an ever increasing number of (security focused, mainly) *nog regulars turn up there.

—srs
> On 29-Jul-2015, at 10:37 AM, Bob Evans <bob@FiberInternetCenter.com> wrote:
>
> I see that point - however, spamhaus has become a haus-hold word these days and everyone runs into these issues....it's not malware or bots we block from a network level blackhole. Yet it is basic network operations these days to have to deal with someone complaining about their hacked mail server is now fixed yet they can't get mail. We usually tell them the quickest way is to address spamhaus to get it removed and in parallel also move the mail server to a new IP and change the dns and rDNS to the new one. It gets us out of having to help with these RBL issues.
>
> When an RBL sends a notice we jump on it and get it to the customer...however, they usually don't send us or the customer anything.
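The first suggestion in the reply above, alerting on outbound delivery failures that look like an administrative or DNS block list rejection, can be prototyped without Splunk by scanning the MTA's own logs. The following is an added example written for this archive page, not code from either poster: it parses constructed Postfix-style smtp client log lines (RFC 5737 addresses, invented queue IDs), keeps only rejections whose enhanced status code is in the x.7.y security/policy class and whose reply text reads like a policy decision, records which DNSBL zone and which of our IPs the remote server named, and raises an alert once one destination has rejected a threshold number of messages for the same reason. The threshold, keyword list and log format are assumptions; a real deployment would feed the same logic from the log pipeline it already has.

```python
"""Detect administrative / DNSBL rejections in Postfix-style smtp client logs.

Added example for illustration; the log lines below are constructed, not real.
"""
import re
from collections import Counter

# Constructed sample log lines (Postfix smtp client format, RFC 5737 addresses).
SAMPLE_LOG = """\
Jul 29 11:40:01 mx1 postfix/smtp[1234]: 3A1B2C3D: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 554 5.7.1 Service unavailable; Client host [198.51.100.5] blocked using zen.spamhaus.org)
Jul 29 11:40:03 mx1 postfix/smtp[1234]: 3A1B2C3E: to=<b@example.org>, relay=mx.example.org[192.0.2.20]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jul 29 11:40:05 mx1 postfix/smtp[1235]: 3A1B2C3F: to=<c@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=4.7.0, status=deferred (host mx.example.net[192.0.2.10] said: 421 4.7.0 Too many connections, try again later)
Jul 29 11:40:07 mx1 postfix/smtp[1236]: 3A1B2C40: to=<d@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 554 5.7.1 Service unavailable; Client host [198.51.100.5] blocked using zen.spamhaus.org)
Jul 29 11:40:09 mx1 postfix/smtp[1237]: 3A1B2C41: to=<e@example.com>, relay=mx.example.com[192.0.2.30]:25, dsn=5.7.1, status=bounced (host mx.example.com[192.0.2.30] said: 550 5.7.1 Message rejected due to sender reputation, administrative prohibition)
"""

RELAY_RE = re.compile(r"relay=(?P<host>[^\[,\s]+)")
DSN_RE = re.compile(r"dsn=(?P<dsn>\d\.\d+\.\d+)")
DNSBL_RE = re.compile(r"blocked using (?P<zone>[A-Za-z0-9.-]+)")
CLIENT_IP_RE = re.compile(r"[Cc]lient host \[(?P<ip>[0-9.]+)\]")
# Assumed keyword list; extend it with the phrasing your big destinations actually use.
POLICY_WORDS = ("administrative", "prohibit", "blocked", "blacklist", "reputation", "spam")


def classify(line):
    """Return a dict describing an administrative block, or None for any other line."""
    dsn = DSN_RE.search(line)
    if not dsn:
        return None
    # Enhanced status subject 7 = security / policy status (RFC 3463); 2.x.x and
    # ordinary 4.x.x deferrals (greylisting, rate limits) are not what we want.
    if dsn.group("dsn").split(".")[1] != "7":
        return None
    text = line.lower()
    if not any(word in text for word in POLICY_WORDS):
        return None
    relay = RELAY_RE.search(line)
    zone = DNSBL_RE.search(line)
    ip = CLIENT_IP_RE.search(line)
    return {
        "relay": relay.group("host") if relay else "?",
        "dsn": dsn.group("dsn"),
        "dnsbl": zone.group("zone") if zone else None,   # DNSBL zone the remote side cited
        "our_ip": ip.group("ip") if ip else None,        # which of our IPs was named
        "transient": dsn.group("dsn").startswith("4"),
    }


def scan(log_text):
    """Aggregate policy rejections per (destination relay, reason) over a log excerpt."""
    hits = Counter()
    blocked_ips = set()
    for line in log_text.splitlines():
        info = classify(line)
        if info is None:
            continue
        reason = info["dnsbl"] or ("dsn " + info["dsn"])
        hits[(info["relay"], reason)] += 1
        if info["our_ip"]:
            blocked_ips.add(info["our_ip"])
    return hits, blocked_ips


def alerts(hits, threshold=2):
    """Alert when one destination rejects >= threshold messages for one reason.

    A named DNSBL listing is always alerted, even for a single message, because one
    listing will affect every destination that queries that zone."""
    out = []
    for (relay, reason), count in sorted(hits.items()):
        if count >= threshold or not reason.startswith("dsn "):
            out.append({"relay": relay, "reason": reason, "count": count})
    return out


if __name__ == "__main__":
    hits, ips = scan(SAMPLE_LOG)
    for alert in alerts(hits):
        print(f"ALERT {alert['relay']}: {alert['count']} rejection(s), reason {alert['reason']}")
    if ips:
        print("our IPs named in blocks:", ", ".join(sorted(ips)))
```

Keying the alert on the DNSBL zone rather than on the destination is what makes it actionable: the zone name tells the operator which list to query and where to request delisting, and the client IP tells them which host to pull out of the outbound pool in the meantime. On the constructed input the two zen.spamhaus.org rejections from mx.example.net produce one alert and the single reputation bounce from mx.example.com stays below the threshold.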