Alex wrote:

> Do you have a method for collecting them, or is it done manually?

My process isn't specific to a given source. I get anywhere from 50 to several hundred messages reported as spam by customers, daily. After sorting, I feed the messages through https://secure.deepnet.cx/trac/dnsbl/browser/trunk/dnsbl/extract-data (modified slightly for local settings) to grab the IPs, URIs, and a count for each. I go through the resulting IPs by hand to feed them into the web form along with netblock owner data looked up by one-at-a-time WHOIS lookups. Some lookups result in an abuse report instead of adding an IP to the DNSBL.

> How do you calculate the netblock, or do you just block the specific
> IP or the whole class C?

"whois <ip>". Sometimes I have to do "whois </24 that the IP is in>" to find the upstream allocation(s). Fair warning - even at the relatively low volume of lookups I do, I've seen indications that some providers' rWHOIS servers will ignore requests after a ridiculously low threshold.

> Have you included those which are on the Spamhaus block list?
> http://www.spamhaus.org/drop/drop.txt

I haven't paid much attention to that; it's likely in use by our backbone providers and our NOC may have added it to our core router configurations as well. The IPs there are in the Spamhaus ZEN list anyway (which we reject on), so they won't generally get through to where I'll see them.

> Thanks for the work on your DNSBL. Definitely have to implement that.
> Perhaps I'll just start with blocking outright at the SMTP level.

I'd strongly advise against using my utility to generate DNSBL data to block connections out of the box; you would run into far too much collateral damage. However, when scored in SA it squeezes repeat offenders harder and harder the more different IPs they use in their leaf allocations. I *do* actually see noticeable shifts in the spam reports occasionally as netblocks get flagged.

-kgd
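The extract-and-count step described in the reply above, as an added Python example: it is not the extract-data script the author links, nor any code from that project. The three reported messages, their hosts, addresses and URIs are constructed, and the /24 roll-up is only the first cut at a netblock before the per-IP WHOIS lookup the author describes.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URI_RE = re.compile(r"\bhttps?://[^\s<>\"')]+", re.IGNORECASE)
# Addresses of our own relays and RFC 1918 space never belong in the tally.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of customer-reported spam (fake hosts, documentation-range IPs).
REPORTED_SPAM = [
    "Received: from mx.example.net ([203.0.113.7]) by mail.example.org; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "Received: from [10.0.0.5] by mx.example.net; Mon, 1 Jan 2007 09:59:00 +0000\n"
    "Subject: offer\n\nClick http://spam-a.example/offer now\n",
    "Received: from relay ([203.0.113.9]) by mail.example.org; Tue, 2 Jan 2007 11:00:00 +0000\n"
    "Subject: offer again\n\nSee http://spam-a.example/offer or https://spam-b.example/x\n",
    "Received: from other ([198.51.100.23]) by mail.example.org; Wed, 3 Jan 2007 12:00:00 +0000\n"
    "Subject: hi\n\nhttp://spam-a.example/offer\n",
]

def extract_ips(raw):
    """IPv4 addresses named in the Received: headers, minus local space; one entry per message."""
    msg = message_from_string(raw)
    found = set()
    for hdr in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(hdr):
            if not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
                found.add(ip)
    return found

def extract_uris(raw):
    """http(s) URIs in the body text; one entry per message."""
    msg = message_from_string(raw)
    text = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    return set(URI_RE.findall(text))

def tally(messages):
    """Count, per IP and per URI, how many reported messages mention each."""
    ip_counts, uri_counts = Counter(), Counter()
    for raw in messages:
        ip_counts.update(extract_ips(raw))
        uri_counts.update(extract_uris(raw))
    return ip_counts, uri_counts

def by_netblock(ip_counts, prefix=24):
    """Roll per-IP counts up to the enclosing /prefix; WHOIS still decides the real allocation."""
    blocks = Counter()
    for ip, n in ip_counts.items():
        blocks[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return blocks

if __name__ == "__main__":
    ips, uris = tally(REPORTED_SPAM)
    print(ips.most_common(), uris.most_common(), by_netblock(ips).most_common())
```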
My process isn't specific to a given source. I get anywhere from 50 to several hundred messages reported as spam by customers, daily. After sorting, I feed the messages through https://secure.deepnet.cx/trac/dnsbl/browser/trunk/dnsbl/extract-data (modified slightly for local settings) to grab the IPs, URIs, and a count for each. I go through the resulting IPs by hand to feed them into the web form along with netblock owner data looked up by one-at-a-time WHOIS lookups. Some lookups result in an abuse report instead of adding an IP to the DNSBL. > How do you calculate the netblock, or do you just block the specific > IP or the whole class C? "whois <ip>". Sometimes I have to do "whois </24 that the IP is in>" to find the upstream allocation(s). Fair warning - even at the relatively low volume of lookups I do, I've seem indications that some providers' rWHOIS servers will ignore requests after a ridiculously low threshold. > Have you included those which are on the Spamhaus block list? > http://www.spamhaus.org/drop/drop.txt I haven't paid much attention to that; it's likely in use by our backbone providers and our NOC may have added it to our core router configurations as well. The IPs there are in the Spamhaus ZEN list anyway (which we reject on), so they won't generally get through to where I'll see them. > Thanks for the work on your DNSBL. Definitely have to implement that. > Perhaps I'll just start with blocking outright at the SMTP level. I'd strongly advise against using my utility to generate DNSBL data to block connections out of the box; you would run into far too much collateral damage. However, when scored in SA it squeezes repeat offenders harder and harder the more different IPs they use in their leaf allocations. I *do* actually see noticeable shifts in the spam reports occasionally as netblocks get flagged. -kgd