Sharma, Ashish put forth on 11/16/2009 6:23 AM:
> How were you able to identify that a particular IP/IP's are the source of
> spam attack on your mail server?

A trap and a Mark I eyeball, Senderbase reputation data, examining rDNS within a netblock, etc.

> After identifying that a particular IP/IP's is the source of attack how were
> you able to update your local block lists automatically?

I don't update my block lists automatically, but manually, see above. Local block lists are not a substitute for dnsbls, but an additional tool used to kill spam sources that aren't listed (yet) by the dnsbls. Very few dnsbls catch snowshoe spammers because they rely on volume trap data from individual IPs. The snowshoe method was invented specifically to bypass dnsbls. Spamhaus now has a list specifically targeting dnsbls, and Invaluement has a paid dnsbl that is very effective at catching snowshoe. The Spamhaus snowshoe list is very new.

> For how long did you maintain the IP/IP's record in your local block lists
> and refreshed them?

Permanently in almost all cases. Dealing with scorched earth netblocks is the ISP's responsibility, not mine. They create the mess by knowingly assigning spammers to their /24s, /20s, etc., so it's up to them to clean it up. Again, local lists aren't a substitute for dnsbls, so there is no reason to 'refresh' or 'expire' listings in a local block list, as far as I'm concerned. I do very thorough analysis before adding a netblock, and I'm adding maybe only a couple of small ranges a week.

Think of local block lists as an extremely focused/targeted tool used to kill spam sources that aren't yet in the dnsbls or likely won't be listed by dnsbls. Use them to "pick up the slack" so to speak.

Hope this helps. Also, you may wish to join spam-l.com to learn more about various methods used in fighting spam.

-- 
Stan
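Added example (not from the thread above, and not anyone's production code): a small Python check that implements the layering Stan describes, consulting a manually maintained local CIDR block list first and only then building the reversed-octet DNSBL query names. The netblocks, the zone names (dnsbl.example.net, snowshoe.example.org) and the stub resolver answers are all constructed placeholders so the script runs offline; in production you would pass in a resolver that does a real A lookup and substitute the dnsbls you actually use.

```python
# Added example: local CIDR block list consulted ahead of DNSBL lookups.
# All netblocks, zone names and resolver answers below are constructed.
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Constructed local block list: ranges rejected permanently after manual
# review (the "pick up the slack" list, small targeted ranges only).
LOCAL_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # TEST-NET-1, constructed
    ipaddress.ip_network("198.51.100.64/26"),  # slice of TEST-NET-2, constructed
]

# Placeholder zone names; replace with the dnsbls you really query.
DNSBL_ZONES = ["dnsbl.example.net", "snowshoe.example.org"]

# A resolver takes a hostname and returns the A record as a string, or
# None when the name does not exist (NXDOMAIN means "not listed").
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL client queries for an IPv4."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 lookups")
    return ".".join(reversed(ip.split("."))) + "." + zone


def in_local_blocks(ip: str,
                    blocks: Iterable[ipaddress.IPv4Network] = LOCAL_BLOCKS
                    ) -> Optional[str]:
    """Return the matching netblock as a string, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net in blocks:
        if addr in net:
            return str(net)
    return None


def check_sender(ip: str, resolve: Resolver,
                 zones=DNSBL_ZONES, blocks=LOCAL_BLOCKS) -> Tuple[str, str]:
    """Return (verdict, reason).

    The local list is checked first: it records a deliberate manual
    decision, and a hit saves a DNS round trip to every dnsbl.
    """
    hit = in_local_blocks(ip, blocks)
    if hit:
        return "reject", f"local block list {hit}"
    listed_range = ipaddress.ip_network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # A listed IP answers with an A record inside 127.0.0.0/8; the
        # exact value is a per-list return code and is kept in the reason.
        if answer and ipaddress.ip_address(answer) in listed_range:
            return "reject", f"listed in {zone} ({answer})"
    return "accept", "not listed"


# Constructed stub resolver standing in for real DNS during the demo.
STUB_ANSWERS = {
    "5.113.0.203.dnsbl.example.net": "127.0.0.2",
}


def stub_resolve(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    for sender in ["192.0.2.77", "203.0.113.5", "203.0.113.6"]:
        print(sender, check_sender(sender, stub_resolve))
```

Because the local list is a plain list of ipaddress networks, adding one of the small ranges Stan mentions is a one-line edit, and nothing in the script expires entries, matching the "permanent, no refresh" policy in the reply.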