Patrick,
Obviously Italy and Germany are not too much exotic, according to my location, but it might be for people in Thailand... :-)*
*To get you started quickly:*
4) Loopback*
AOL http://postmaster.info.aol.com/
MSN/Hotmail http://postmaster.msn.com/Services.aspx#SenderSolutions
Yahoo http://feedbackloop.yahoo.net/
Verizon http://www2.verizon.net/micro/whitelist/request_form.asp?id=isp
*8) Follow up reputation lists*
Fortinet http://www.fortiguard.com/antispam/antispam.html#spamlookup
BarracudaCentral http://www.barracudacentral.org/lookups
Cisco/Ironport http://www.senderbase.org/
Spamcop http://spamcop.net/bl.shtml
Spamhaus BL http://www.spamhaus.org/lookup.lasso
Your main issue is to avoid as much as possible to send spam but most of all, make sure that you do not get blacklisted, then playing with IPs and routing each ISP thru a different IP will allow you to quickly fix this, if each IP has a proper record. When a spam occur and you get a feedback or find the origin, you simply route it thru the IP of the other ISP and thus what is blacklisted at Gmail won't be at Hotmail or Yahoo and you just rotate them. It only makes sense to do it after you have found the root cause and fixed it :-)
Gregory
2010/6/23 Patrick Studer p.studer@x-netconsulting.ch
Hi Gregory
Thanks for your advice.
Since we don’t want sent mass of mails (excepted some newsletter with about 50-100 addresses, which
I will not declare as mass mails), the first 3 points are perhaps overkill for us.
I’ll check for.
This are setup correct
Since the spammer didn’t reconnect from the same ip, this would not
help. The
spammer connected every time from an other ip and just sent out a few(20-30) mails, that
looks almost normal to the mail server.6 II) We will check, if we can implement something like this, which will sent an alert to us.
- As Rainer has written, I also think, that the password has been stolen
or be track by
some kind of Trojan. So, strong password will note help here.
- What do you mean, when you say Follow-up the other reputation
systems???
- Since this only happen one time for some years, I prefer something like
6 II)
Blocking Port 25 would be that fine. Our customer have contact over the whole world, so blocking
Port 25 would be a solution. And some of the connection was coming from Italy or Germany, that
will even not help (IMHO this aren’t exotic countries ;-).
Kind Regards
Parick
*Von:* Gregory Agerba [mailto:gregory.agerba@gmail.com] *Gesendet:* Mittwoch, 23. Juni 2010 16:51
*An:* Patrick Studer *Cc:* swinog@swinog.ch *Betreff:* Re: [swinog] IronPort E-Mail Reputation
Hi Patrick,
From my past experience delivering very often very big newsletters...
Some advices to deliver mass of mails:
- Distribute your email out of 4-5 virtual interfaces (like Exim would let
you do) and rotate them every x hours or/and randomly. 2) Use different domain names not only FQDNs (this is what mailchimp.comdoes to distribute their millions of emails). 3) Use specific IPs for specific large domains, like Gmail, Yahoo, Hotmail and rotate them every once in a while. 4) Sign-up for loopback feed and monitor the complaint box constantly. Yahoo and such big got that for free. 5) Ensure you have proper RDNS, SPF and DKIM setup. 6) Use iptablesand custom rulesets to block above a certain amount of SMTP connections per host on port 25/587. 6) Count your outgoing average email you send a day/ per hour, put some cron that grep/cat/wc the logs, with threshold that triggers alarms. 7) Educate your users for strong passwords. 8) Follow-up the other reputation systems like Cisco, Barracuda, Fortinet, etc.. 9) Use dedicated IP for strange or doubtful clients. 10) Mind shared IPs.
You can also block port 25 from exotic countries that you do not expect to send you emails, but they are a liability and its quite mean.
Gregory
2010/6/23 Patrick Studer p.studer@x-netconsulting.ch
Hi Mickey
That is what we already thinking about, to implement a second server on a different ip. At the other
hand, I don’t think that’s way I want to go.
Since this is the first time within some years, I will check, if there is an other way to solve this issue.
Kind Regards
Patrick Studer
X-NetConsulting GmbH Internet http://www.x-netconsulting.ch
Grosspeterstrasse 21 E-Mail p.studer@x-netconsulting.ch
CH-4052 Basel Telefon +41 61 315 85 55
Schweiz Fax +41 61 315 85 59
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog