nanog mailing list archives

Re: Working with Spamhaus


From: Stephen Satchell <list () satchell net>
Date: Wed, 29 Jul 2015 02:25:34 -0700

On 07/28/2015 08:06 PM, Bryan Tong wrote:
Hello All,

SpamHaus has done us the favor of blacklisting all of our prefixes due to
the issues with handful of IPs from customers we have removed from our
network.

They are now being unresponsive on helping us get these listings removed
and we have a lot of legitimate customers who are no longer able to send
email.

If anyone has any advice on how to deal with these people, please let me
know here or off list.

Thanks!


When I started work for a Web hosting company as a mail admin, the company had a number of entries in the various blocking lists, including the infamous SPEWS list. Job one was finding out just which customers were causing the listings -- make a list, and check it against terminated accounts. A surprising number of those "dead" accounts were still active in one way or another, so I cleaned them up. (Web hosting clients with removed content, but still-active mail accounts.) I then let each block list know about the terminated accounts, and the associated IP address.

Once I finished that task, I started in on the rest of the accounts. One account I terminated because they were selling spammer DNA -- I personally pulled the plugs on that co-located server. Quite a number of Web sites had exploitable mail-out scripts, so I cleaned them up so outsiders couldn't use those sign-up forms to send arbitrary mail. As I worked through the list, I let the block-list owners know what I was doing. I did *not* request de-listing, by the way. My goal in this phase was to show that I was really doing something. As a consequence, several of the BL operators removed the /21 and /19 level blocks.

Oh, did I mention that I got my upstreams to do proper SWIP of the address space, and published an abuse@ address for the address ranges?

Some customers were doing bulk mail-outs. I worked with those customers to clean up their mailing lists, to throttle their mails to avoid tripping spam alarms, and to properly set up their programs to react properly to DNR and spam-reject. Those that didn't like my clean-up campaign were referred to management for further action.

As part of my work, I became active on NANAE, taking advice from many people as to how to clean up my space.

One key factor was that I answered every single abuse mail that came in. Every. single. one. The responses were short, describing the corrective action I took. Most of the time, it was yet another open mail-out script that needed to be fixed. But sometimes I got to write back "the abuser has been terminated."

It took about nine months to clean up all the block-list entries. I was also diligent when new entries would pop up -- get the info as to who, and take care of the problem.

Management saw the fruit of my labor in the number and quality of new accounts. Big positive.

Notice the parallel between mail operations and network operations. Things go MUCH better when we work with each other. All the DNSBL operators want is to know that spam reports will be handled.
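An added illustration of the "open mail-out script" problem the post describes (constructed example, not code from the post or from any hosting company): a sign-up form handler as such scripts were typically written, next to a hardened version that pins the recipient, validates the reply address and refuses header fields containing line breaks. Function names, the `example.invalid` addresses and the field limits are assumptions.

```python
import re

# Constructed sign-up form handler (hypothetical). Both variants return the raw
# message text that would be handed to the local MTA.
OWNER = "signups@example.invalid"        # the one address the form may notify
CRLF_RE = re.compile(r"[\r\n]")          # a line break ends a header line
# Deliberately conservative address pattern (assumption, not an RFC parser).
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def mailout_before(form: dict) -> str:
    """'Before': copies form fields straight into headers and even lets the
    submitter choose the recipient, which is what turned such scripts into
    open relays for anyone who found the form."""
    headers = [
        f"To: {form.get('to', OWNER)}",          # attacker-chosen recipient
        f"From: {form.get('email', '')}",
        f"Subject: {form.get('subject', 'Sign-up')}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + form.get("message", "")


class RejectedSubmission(ValueError):
    """Raised for any submission the hardened handler will not send."""


def clean_field(value, max_len: int) -> str:
    """Reject non-strings, oversized values and anything with CR or LF."""
    if not isinstance(value, str) or CRLF_RE.search(value) or len(value) > max_len:
        raise RejectedSubmission("bad header field")
    return value.strip()


def mailout_after(form: dict) -> str:
    """'After': fixed recipient and sender, validated Reply-To, header text
    screened for line breaks, submitter free text confined to the body."""
    reply_to = clean_field(form.get("email", ""), 254)
    if not ADDR_RE.match(reply_to):
        raise RejectedSubmission("invalid e-mail address")
    subject = clean_field(form.get("subject", "Sign-up"), 120)
    body = form.get("message", "")
    if not isinstance(body, str) or len(body) > 4000:
        raise RejectedSubmission("message too long")
    headers = [
        f"To: {OWNER}",                          # never taken from the form
        "From: webform@example.invalid",         # the site's identity
        f"Reply-To: {reply_to}",
        f"Subject: {subject}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body
```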
