nanog mailing list archives

Re: Working with Spamhaus


From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Wed, 29 Jul 2015 11:42:19 -0700

Er - a couple of ways

1. If you run a farm of mail servers, something like Splunk for your logs is kind of necessary.  How difficult is it going to be to trigger a Splunk alert on whatever looks like an administrative block?  Either by a large provider, or by a DNS block list.

2. You can rsync Spamhaus and grep for mentions of your ASN, get ISP feedback loops etc.

On a larger topic - NANOG and M3AAWG (also RIPE and M3AAWG’s summer meeting in Europe) really ought to collocate or at least be back to back in the same city somewhere down the line - maybe with a day’s worth of joint sessions on topics of mutual interest (malware detection and mitigation, DDoS filtering .. there’s a lot going on in M3AAWG that’s not plain old mail or even messaging)

It still won’t solve the larger problem that a lot of routing and DNS folks won’t find it of interest, but well, over the decade ++ I’ve been around M3AAWG I see an ever increasing number of (security focused, mainly) *nog regulars turn up there.

—srs

On 29-Jul-2015, at 10:37 AM, Bob Evans <bob () FiberInternetCenter com> wrote:

I see that point - however, Spamhaus has become a haus-hold word these
days and everyone runs into these issues... it's not malware or bots we
block from a network level blackhole. Yet it is basic network operations
these days to have to deal with someone complaining about their hacked
mail server is now fixed yet they can't get mail. We usually tell them the
quickest way is to address Spamhaus to get it removed and in parallel also
move the mail server to a new IP and change the DNS and rDNS to the new
one. It gets us out of having to help with these RBL issues.

When an RBL sends a notice we jump on it and get it to the
customer... however, they usually don't send us or the customer anything.
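
Added example, not part of either message above: one way to implement the log alert from point 1, flagging outbound deliveries refused by a DNS block list or by a provider's policy and alerting once a source crosses a threshold. The Postfix-style log format, the keyword heuristic and the threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed Postfix-style outbound delivery lines (documentation IPs, example domains).
SAMPLE_LOG = """\
Jul 29 11:00:01 mx1 postfix/smtp[2101]: A1: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Jul 29 11:00:04 mx1 postfix/smtp[2102]: A2: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Jul 29 11:00:09 mx1 postfix/smtp[2103]: A3: to=<c@bigmail.example>, relay=mx.bigmail.example[203.0.113.5]:25, delay=2.0, delays=0.1/0/1.5/0.4, dsn=4.7.0, status=deferred (host mx.bigmail.example[203.0.113.5] said: 421 4.7.0 [198.51.100.7] Messages from your IP temporarily deferred due to policy reasons (in reply to MAIL FROM command))
Jul 29 11:00:12 mx1 postfix/smtp[2104]: A4: to=<nobody@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=5.1.1, status=bounced (host mx.example.org[192.0.2.20] said: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Jul 29 11:00:15 mx1 postfix/smtp[2105]: A5: to=<d@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F2A1)
Jul 29 11:00:20 mx1 postfix/smtp[2106]: A6: to=<e@bigmail.example>, relay=mx.bigmail.example[203.0.113.5]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=5.7.1, status=bounced (host mx.bigmail.example[203.0.113.5] said: 550 5.7.1 Mail from 198.51.100.7 refused due to poor reputation (in reply to MAIL FROM command))
"""

DELIVERY = re.compile(
    r"relay=(?P<relay>[\w.-]+)\[.*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>bounced|deferred) \((?P<reply>.*)\)$"
)
DNSBL = re.compile(r"blocked using (?P<zone>[\w.-]+)", re.I)
# Assumed heuristic: 4.7.x/5.7.x replies (security or policy status) with block wording.
POLICY_DSN = re.compile(r"^[45]\.7\.\d+$")
POLICY_WORDS = re.compile(r"block|blacklist|reputation|policy", re.I)


def classify(line):
    """Return ('dnsbl', zone), ('provider', relay) or None for one log line."""
    m = DELIVERY.search(line)
    if not m:
        return None  # delivered mail or a non-delivery line
    zone = DNSBL.search(m["reply"])
    if zone:
        return ("dnsbl", zone["zone"].rstrip(".").lower())
    if POLICY_DSN.match(m["dsn"]) and POLICY_WORDS.search(m["reply"]):
        return ("provider", m["relay"].lower())
    return None  # ordinary bounce, e.g. unknown user


def block_counts(log_text):
    hits = (classify(line) for line in log_text.splitlines())
    return Counter(h for h in hits if h)


def alerts(log_text, threshold=2):
    return sorted(k for k, n in block_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for kind, source in alerts(SAMPLE_LOG):
        print(f"ALERT {kind} block: {source}")
```

Keying the count on the block list zone or the refusing relay, rather than on the recipient, keeps a single listing from generating one alert per bounced message.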

