[182708] in North American Network Operators' Group
Re: Working with Spamhaus
daemon@ATHENA.MIT.EDU (Michael O Holstein)
Thu Jul 30 09:59:58 2015
X-Original-To: nanog@nanog.org
From: Michael O Holstein <michael.holstein@csuohio.edu>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 30 Jul 2015 13:59:55 +0000
In-Reply-To: <55BA27C9.2050907@snovc.com>
Errors-To: nanog-bounces@nanog.org
>If you implement SPF / DKIM / DMARC / ADSP, force your customers to relay
Before we went SaaS with email we had lots of spam problems and we also went this route .. you must relay through us and authenticate .. postfix along with the dkim and policyd milters (and SPF in DNS). The policyd one would limit you to X messages in Y hours (per SASL credential), and we would override it for people that had a specific need. That was very effective at limiting the spam damage. I'm sure your needs are different as a commercial provider but we found that hardly anyone sends more than 100 messages a day, and 100 spammy messages isn't enough to get you in trouble, as long as it stops there.
We have a /16 where most of our stuff lives and have moved things around a bit .. Spamhaus was pretty easy to deal with, as were the other major players (MS, Google, AOL, Yahoo) by just filling out their postmaster forms. Basically you just need to explain how you are fixing the problem and they usually answer you in less than 24hrs.
The only IP addresses we have that I'd consider permanently tainted are the ones we've run TOR exit nodes on. We haven't run TOR in a couple years now but those IPs are still blacklisted so many places they are essentially unusable in any reliable capacity -- something to keep in mind while crafting your TOS.
-Michael Holstein
-Cleveland State University
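Added example, not part of the original message and not the policy daemon the poster ran: a sketch of the "X messages in Y hours per SASL credential, with overrides" limit, written against the name=value request format of Postfix policy delegation. The limit, window, override entry and sample addresses are assumptions, and it counts each RCPT TO as one message.

```python
import time
from collections import defaultdict, deque

LIMIT = 100          # the "X": default messages allowed per credential (assumed)
WINDOW = 24 * 3600   # the "Y hours", in seconds (assumed)
OVERRIDES = {"newsletter@example.edu": 5000}  # constructed exception entry

_sent = defaultdict(deque)  # sasl_username -> timestamps of accepted recipients


def parse_request(text):
    """Parse one policy-delegation request: name=value lines, blank line ends it."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")  # values may themselves contain '='
        attrs[name] = value
    return attrs


def decide(attrs, now=None):
    """Return the policy action for one recipient from an authenticated client."""
    now = time.time() if now is None else now
    user = attrs.get("sasl_username", "")
    if attrs.get("request") != "smtpd_access_policy" or not user:
        # No SASL identity: nothing to count against, defer to other restrictions.
        return "action=DUNNO"
    window = _sent[user]
    while window and window[0] <= now - WINDOW:
        window.popleft()  # forget sends that have aged out of the window
    if len(window) >= OVERRIDES.get(user, LIMIT):
        # Temporary failure: a compromised account stops at the cap, a
        # legitimate sender's mail queues client-side until the window moves.
        return "action=DEFER_IF_PERMIT 4.7.1 sending limit reached for " + user
    window.append(now)
    return "action=DUNNO"
```

State here is in memory only; a deployed policy service would persist the counters and log each deferral so a sudden spike on one credential is visible.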