[c-nsp] SMTP

Drew Weaver drew.weaver at thenap.com
Mon Mar 15 12:18:01 EDT 2010


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexander Clouter
Sent: Monday, March 15, 2010 12:05 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SMTP

Mohammad Khalil <eng_mssk at hotmail.com> wrote:
> 
> we have a lot of our customers that use SMTP servers other than 
> our own server, which causes the subnet to be blacklisted
>
My guess is that you are not cleanly labelling your IP space, which means 
the people maintaining blacklists have no idea about the IP 
usage of your network.  As they have no information, and I guess you 
might ignore your abuse@ mailbox, you get a /24 listing after repeat 
offences.

You need to give your customers' IP space clear and up-to-date reverse 
DNS (PTR) records and where possible detailed WHOIS information on your 
address allocations. This means that when one of your customers is 
blacklisted the maintainer has information available to them to make a 
more targeted listing.  I imagine at the moment your WHOIS space 
probably just says "this /20 is ours", rather than "this /26 belongs to 
company X which makes up part of our /20 allocation"?

You then need to pro-actively monitor (typically blacklisting only 
occurs if you ignore your abuse@ mailbox to be honest) all the main 
blacklists and act when you see a listing and deal with the problem.

> we tried to block them from accessing any other SMTP server except our 
> own server using access lists on our core routers. It works fine, but is 
> that the optimal solution for that? Are there any other ways to do 
> that?
> 
It's a solution, however if you are dealing with business customers you 
are only likely to end up annoying them.  Watch the following 
excellent presentation for hints on how to do things properly:

---

Just a couple of notes:

Hi,

Entities such as Senderbase and UCEPROTECT don't even use WHOIS information so that point is irrelevant. Most people nowadays don't report SPAM to abuse@ addresses because they're either lazy or assume nobody is listening. We're getting into a 'list first, don't ask questions later' scenario which is very frustrating for service providers.

-Drew
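
The blacklist monitoring suggested in the quoted reply, sketched per customer allocation so a listing can be traced to the block responsible. This is an added example, not code from either poster; the prefixes, customer names, the `dnsbl.example` zone and all function names are constructed placeholders.

```python
import ipaddress
import socket

# Constructed sample data: documentation prefixes and a placeholder DNSBL zone.
ALLOCATIONS = {
    "198.51.100.0/26": "customer-a",
    "198.51.100.64/26": "customer-b",
}
DNSBL_ZONE = "dnsbl.example"  # placeholder, not a real blacklist zone


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(str(ip))).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None when the lookup fails (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed_by_customer(allocations, resolver=system_resolver, zone=DNSBL_ZONE):
    """Query every host address in each allocation; group listed IPs by customer."""
    report = {}
    for prefix, customer in allocations.items():
        for ip in ipaddress.ip_network(prefix).hosts():
            answer = resolver(dnsbl_name(ip, zone))
            # DNSBLs conventionally answer with a 127.0.0.0/8 address for a listed IP.
            if answer and answer.startswith("127."):
                report.setdefault(customer, []).append((str(ip), answer))
    return report


if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the example runs offline.
    fake_zone = {dnsbl_name("198.51.100.70"): "127.0.0.2"}
    print(listed_by_customer(ALLOCATIONS, resolver=fake_zone.get))
```

Run on a schedule with the default resolver and a real zone, the per-customer grouping shows which allocation needs attention before a wider listing follows.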



