Spamhaus driving me crazy
cephlon
04-16-2007, 12:00 AM
I am hoping some of you here have a solution for me. I use the RBL list at Spamhaus to block known spam IPs. The only problem is my public IP keeps ending up on the Spamhaus CBL list.
According to their website the CBL only lists IP addresses that are infected by a mass mailing virus or something else. Running a hosting company, how do I prevent these from using my IP address, because I certainly can't prevent my users from getting viruses (I even offer free virus software).
I would recommend that you stop using spamhaus.
I do not agree with outright rejecting email based on blacklists that are managed by third parties.
Instead, my SpamAssassin implementation uses those RBL services to add more points towards each message's spam score. I can't see myself outright rejecting mail based on these lists because I need to provide reliable mail services to my client base and these RBL services have itchy trigger fingers and it is a guarantee that they will cause you to reject at least some legitimate email.
Of course if you do find yourself blacklisted anywhere, you should work with whomever it is to get yourself unblacklisted.
I respond to and act upon abuse complaints in a timely manner which means virus/spam relay attacks originating from my customers don't last long and almost never manage to get me blacklisted.
cephlon
04-16-2007, 02:00 AM
How do you find out about abuse in a timely manner? The only time I find out is when I get blacklisted.
go.fast
04-16-2007, 02:32 AM
SORBS is a nightmare.
PrairieFire
04-16-2007, 04:49 AM
We use Ewall and block blacklisted IPs using Spamhaus and others. Then whitelist your IP ranges in Ewall.
Set a rule to allow whitelisted IP addresses (which includes your servers),
then stop all other filters,
then set another rule to block blacklisted IPs.
Works great and has greatly reduced spam. Tried Ewall with Paranoid Spam Detector but too many problems here...
Uhh I often find out about abuse by receiving abuse reports.
Make sure your abuse@ and postmaster@ addresses are able to receive mail no matter what. That means excepting them from spam filtering, etc.
lonnie
04-16-2007, 09:06 AM
You could try and force all smtp to be delivered to your mail server so that outbound can be scanned and controlled. This will catch the virus spam and any other email that will get you listed.
cephlon
04-16-2007, 03:35 PM
You could try and force all smtp to be delivered to your mail server so that outbound can be scanned and controlled. This will catch the virus spam and any other email that will get you listed.
I am going to try this for a while. If customers use a separate SMTP I figure they will call me and I can add the specific SMTP to the allow list. It's better than getting phone calls all day from customers who can't send any email.
Thanks...
wwalcher
04-17-2007, 08:35 AM
I am going to try this for a while. If customers use a separate SMTP I figure they will call me and I can add the specific SMTP to the allow list. It's better than getting phone calls all day from customers who can't send any email.
Thanks...
This is what I did with a similar problem over a year ago, and it fixed it. I have not been on the spam list since.
HoeDing
04-20-2007, 10:19 AM
I moved our mail server to a different public IP than what the users use. Problem solved.
pwmaclean
04-01-2008, 08:54 PM
Forgive my ignorance, but in doing as you say here, I'm thinking I add 2 lines into my edge router (StarOS) firewall looking something like...
allow tcp from 10.x.x.x(my network) to 64.42.240.98(my public mail server) out via $net
deny tcp from any to any 25 out via $net
?
This is what I did with a similar problem over a year ago, and it fixed it. I have not been on the spam list since.
nickwhite
04-02-2008, 12:40 AM
Yes, or you can also use a forward command, forwarding all port 25 to your server. This is what SBC/AT&T used to do, up until recently (may still do it in some areas). We've done it successfully for 2 years now.
If a customer needs to send mail through a separate server they can use port 587 (which has technically been a standard for 10 years now (http://www.ietf.org/rfc/rfc2476.txt), despite a lot of companies still not supporting it for user email submissions), or you can allow certain server IPs before your deny statement.
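The posts above agree on one egress policy: let customers reach the hosting company's own mail server, allow explicit exceptions for customers who relay through an outside server, deny everything else to port 25, and leave port 587 submission alone. The following is an added example (not from this thread or any router vendor) that models that policy with first-match semantics so the rule-ordering caveat nickwhite raises ("allow certain server IPs before your deny statement") can be checked; the 10.x network and 64.42.240.98 come from pwmaclean's post, while 10.20.30.40 and 203.0.113.25 are constructed placeholders.

```python
# Added example: first-match egress policy for outbound SMTP (not the thread's own code).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network       # 0.0.0.0/0 stands in for "any"
    dport: Optional[int]             # None matches any destination port


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")
CUSTOMERS = net("10.0.0.0/8")                # "10.x.x.x (my network)" in the post
MAIL_SERVER = net("64.42.240.98/32")         # the public mail server in the post
# Constructed exception: one customer host allowed to use a distant SMTP server.
EXC_CUSTOMER, EXC_REMOTE_MTA = net("10.20.30.40/32"), net("203.0.113.25/32")


def egress_rules(exceptions_first: bool = True) -> List[Rule]:
    """Return the rule list; exceptions_first=False builds the misordered variant."""
    allow_mail = Rule("allow", CUSTOMERS, MAIL_SERVER, None)   # posted rule had no port
    allow_exc = Rule("allow", EXC_CUSTOMER, EXC_REMOTE_MTA, 25)
    deny_smtp = Rule("deny", ANY, ANY, 25)                     # "deny tcp from any to any 25"
    if exceptions_first:
        return [allow_mail, allow_exc, deny_smtp]
    return [deny_smtp, allow_mail, allow_exc]


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins, as in ipfw-style rule sets. The posted scripts
    only deny port 25, so anything unmatched (e.g. port 587) falls through to allow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "allow"
```

With the deny placed first, even traffic to the hosting company's own mail server is dropped, which is exactly the "phone calls all day" outcome cephlon wanted to avoid.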
pachitoone
04-02-2008, 10:46 AM
There are some techniques to avoid your problem. First, use SpamAssassin. Second, you can add an auto-whitelist DNS server for your own users to avoid RBLs. Third, because spam is becoming very hard to stop, it is recommendable to add any reliable RBL, subscribe to it, and actively report the spam that SpamAssassin couldn't detect. I personally use SpamCop and they respond fast to remove blacklisted IPs that are demonstrated not to be relays. This is my suggestion. I know that others hate these services (SpamCop, Spamhaus, SORBS (I hate this), etc.), but they are needed.
Another question: what mail server do you use?
pwmaclean
04-02-2008, 09:57 PM
K, tks, so my syntax is correct?
I don't have a testing environment, so when it's in, it's in.
lonnie
04-02-2008, 10:51 PM
RBL sucks if you think it will stop spam. You need a good spam scanner and force ALL SMTP to go through your mail server. You cannot allow spam to be sent by bots in your system and you need to filter it.
If you rely on RBL you'll soon find you are on it as well. It simply does not work and mostly penalizes real servers who got hit because a customer had a virus.
DrLove73
04-03-2008, 12:51 AM
My way is to just allow my server to send messages, and deny all other connections to destination port 25, but without any redirection. I tell customers that they have to set their mail clients to send mail to my server because of the possible SPAM, so that leaves unsolicited mail totally blocked. Nobody complained so far, they are even pleased.
There are several techniques for stopping SPAM if you redirect all traffic through your servers; google around for some howtos. I found several for Postfix I liked.
Here are snips from my fw script:
allow tcp from 192.168.221.x to 71.216.41.x 25 in via $client #legit client mail -add as many as necessary - permits mail through to distant server but only for specified IP's
log tcp from 192.168.0.0/8 to any 25 in via $client #Logs entries
deny tcp from 192.168.9.0/23 to any 25 in via $client #Office Net
deny tcp from 192.168.224.0/24 to any 25 in via $client #SW
deny tcp from 192.168.192.0/19 to any 25 in via $client #Wireless Subs
The logging will help you find legitimate attempts if you want to be proactive. In the early days, I spent an hour or so a day doing traceroutes and adding lines as necessary. It also points out the obvious bot infections.
K, tks, so my syntax is correct?
I don't have a testing environment, so when it's in, it's in.
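The "log tcp ... to any 25" rule above is what turns the deny policy into a detection source: a customer relaying through one outside mail server hits the same host over and over, while a bot doing its own deliveries fans out to many different MX hosts. The following is an added example (not from the thread) that triages such log lines; it assumes an ipfw-style syslog line format ("ipfw: <rule> <action> TCP src:port dst:port in via <iface>") and the log lines themselves are constructed.

```python
# Added example: triage of logged outbound port-25 attempts (not the thread's own code).
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed ipfw-style log format; adjust the pattern for your firewall's syslog output.
LOG_RE = re.compile(
    r"ipfw: \d+ \w+ TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):25 in via \S+"
)

# Constructed sample: 192.168.9.14 repeatedly reaches one outside MTA (a customer
# with a separate SMTP server); 192.168.224.7 contacts seven distinct hosts on
# port 25 in a few seconds (mass-mailing behaviour); the last line is a port-80
# hit that the pattern must ignore.
SAMPLE_LOG = [
    "May  2 09:12:01 gw kernel: ipfw: 200 Log TCP 192.168.9.14:3410 71.216.41.9:25 in via em1",
    "May  2 09:12:07 gw kernel: ipfw: 200 Log TCP 192.168.9.14:3411 71.216.41.9:25 in via em1",
    "May  2 09:15:33 gw kernel: ipfw: 200 Log TCP 192.168.9.14:3490 71.216.41.9:25 in via em1",
    "May  2 09:16:20 gw kernel: ipfw: 300 Deny TCP 192.168.224.7:1031 198.51.100.80:80 in via em1",
] + [
    f"May  2 09:16:{s:02d} gw kernel: ipfw: 200 Log TCP 192.168.224.7:{1025 + s} 198.51.100.{s}:25 in via em1"
    for s in range(2, 9)
]


def parse(lines: List[str]) -> Dict[str, List[str]]:
    """Map each internal source address to the list of port-25 destinations it tried."""
    flows: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows[m["src"]].append(m["dst"])
    return flows


def triage(lines: List[str], fanout_threshold: int = 5) -> Dict[str, Tuple[str, int, int]]:
    """Classify sources by destination fan-out.

    Returns {src: (verdict, distinct_destinations, total_attempts)}. Few distinct
    destinations -> "candidate-allow" (worth a per-customer allow line after a
    quick check); fan-out at or above the threshold -> "suspected-bot".
    """
    report = {}
    for src, dsts in parse(lines).items():
        distinct = len(set(dsts))
        verdict = "suspected-bot" if distinct >= fanout_threshold else "candidate-allow"
        report[src] = (verdict, distinct, len(dsts))
    return report
```

The threshold is a starting point; tune it against a day or two of your own logs before acting on the "suspected-bot" verdicts.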