October 28, 2011

Blocking spam using APEWS.ORG

Something that works came about because spammers ignore published procedure. Let me explain. An email gets sent based on what the DNS records say about the domain name in question. If I have example.com then I may want a website that people can find either at example.com or www.example.com. We do that by creating a blank "A" host record (the bare domain) and another for www, thus creating the desired prefixes.

Email servers are set up for a domain by creating "MX" records in the DNS and setting a priority value for each. One basic system is to have 2 public IP addresses and create an MX record for each, giving one a priority value of, say, 1 and the other a value of 2. The physical email server on the IP address corresponding to priority 1 will be the first recipient of the domain's email. Only when sending servers find that server & IP address unreachable or busy will they try delivery at the second server & IP address, corresponding to priority value 2. In this way you have published your preference for how sending email servers should attempt to deliver email to your domain.

What I have found is that spammers send their spam to all MX IP addresses and to the root "A" record IP address as well. Taking the above example, you would have a web server on one IP address and 2 email servers on 2 other IP addresses, making 3 external or public IP addresses in total. You expect web traffic to go to the www IP address and the majority of your email to go to MX1, with MX2 acting as backup or failover.

Nice idea, but spammers don't follow your preferences since they are only interested in successful delivery. They will attempt to deliver spam to all 3 IP addresses, and if your web server has an email server program listening on TCP port 25, it will receive connections from spam-sending, bot-infested computers and the like.

My tip is to separate the traffic by design. Staying with the above simple setup, MX1 is the primary email server on one IP address and MX2 is the secondary. Your web server is on a 3rd IP address and does not handle inbound email, therefore it has no MX record. That means it should never receive email; depending on web server traffic, you could choose to have the web server handle outbound email from the website and/or authorized domain users. It may be that due to high traffic levels you dedicate a 4th server to outbound email and give it a different IP address from the above. The point is that inbound email should only ever arrive for delivery at MX1 or, if that is busy, at MX2.

These days email administrators must use a whitelist of trusted email server IP addresses. There are some very good databases online and I intend to cover that topic shortly for anyone still unaware or unsure, but it is essential in order to avoid false positives. Set up your email server to check the connecting IP address against your whitelist and accept for delivery from all that are listed.

Any IP address that connects to your server and is not on that whitelist is unknown to you and therefore untrusted. The public whitelists have come about by administrators sharing their trusted IP address details, so if an IP address is not listed there, that means a lot of network administrators do not trust the IP address either!

Starting with MX1, your primary email server, set it to accept all inbound email even if it comes from IP addresses that are not in the whitelist. Now have the email server check the connecting IP address against L2.APEWS.ORG, either in real time at the online database or against the local copy you obtained via RSYNC (another topic for the near future). If your server finds the connecting IP address listed at L2.APEWS.ORG, have the email program add an X-header which can later be used in filtering. Your server then accepts the email for delivery and transfers all such emails carrying the X-header to the recipient's Spam or Junk folder.

You can configure your secondary email server MX2 in exactly the same way if you want to, or, if the primary server MX1 is handling the majority of emails, you can set this one to reject emails from IP addresses that are listed in L2.APEWS.ORG. Your outbound email server, and your web server too if it has an email program running, should be set to reject inbound emails that come from APEWS.ORG listed IP address space. You will only get a false positive if your whitelist is inadequate; remember that the EWS in APEWS stands for "early warning system". I intend to publish here the false positives that we get in the hope of them being delisted by the APEWS.ORG administrators, which helps everyone; more folks should do the same.
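The per-server policy described above (whitelist first on every server, then the L2.APEWS.ORG lookup, with MX1 tagging listed senders via an X-header and MX2, the outbound relay and the web server rejecting them with a 550) as an added example in Python. This is not code from the original post or from APEWS.ORG; the whitelist, the listed netblocks and the resolver are constructed stand-ins so that it runs offline, and the header name `X-APEWS-Listed` and the role names are assumptions. The DNSBL query is built the standard way, by reversing the IPv4 octets and appending the zone name.

```python
"""Inbound SMTP connection policy for the MX1 / MX2 / outbound / web layout.

Added example, not from the original post. Whitelist, APEWS listings and the
resolver below are constructed sample data (assumptions), not real records.
"""
import ipaddress
from dataclasses import dataclass, field

APEWS_ZONE = "l2.apews.org"
ROLES = {"mx1", "mx2", "outbound", "web"}

# Constructed whitelist: netblocks of senders this site already trusts.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.25/32")]

# Constructed stand-in for the APEWS L2 data: CIDR blocks the zone would list.
# (Sample values only; a real deployment queries the live zone or an rsync mirror.)
FAKE_APEWS_LISTINGS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]


def dnsbl_query_name(ip: str, zone: str = APEWS_ZONE) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolve(name: str):
    """Stand-in resolver: answer 127.0.0.2 for listed space, None for NXDOMAIN.

    A real deployment would issue an A query for `name` against the DNS instead.
    """
    suffix = "." + APEWS_ZONE
    if not name.endswith(suffix):
        return None
    reversed_octets = name[: -len(suffix)]
    addr = ipaddress.IPv4Address(".".join(reversed(reversed_octets.split("."))))
    return "127.0.0.2" if any(addr in net for net in FAKE_APEWS_LISTINGS) else None


def is_whitelisted(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in WHITELIST)


def is_listed(ip: str, resolve=fake_resolve) -> bool:
    """True when the zone answers with a loopback address (DNSBL convention)."""
    answer = resolve(dnsbl_query_name(ip))
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Decision:
    action: str                       # "accept" or "reject"
    smtp_code: int                    # 250 on accept, 550 on reject
    headers: dict = field(default_factory=dict)
    folder: str = "Inbox"             # where an accepted message is filed


def connection_policy(role: str, client_ip: str, resolve=fake_resolve) -> Decision:
    """Decide what server `role` does with a connection from `client_ip`."""
    if role not in ROLES:
        raise ValueError(f"unknown server role: {role}")
    # Step 1: the whitelist wins on every server, before any blacklist lookup,
    # so a trusted sender inside a listed block is never rejected.
    if is_whitelisted(client_ip):
        return Decision("accept", 250)
    # Step 2: consult the APEWS L2 zone.
    if not is_listed(client_ip, resolve):
        return Decision("accept", 250)
    if role == "mx1":
        # Primary MX: accept anyway, mark the message, file it in Junk.
        return Decision("accept", 250, {"X-APEWS-Listed": "yes"}, folder="Junk")
    # MX2, the outbound relay and the web server: refuse at SMTP time.
    return Decision("reject", 550, folder="")


if __name__ == "__main__":
    for role in ("mx1", "mx2", "web"):
        for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.25"):
            print(role, ip, connection_policy(role, ip))
```

Running the module prints the decision for each role and sample address; the whitelisted 198.51.100.25 is accepted everywhere even though its /24 is in the constructed listing, which is the behaviour the post relies on to avoid false positives.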

The above is currently working on several commercial servers with excellent results. With the whitelist on each email server followed by APEWS, 99% of spam is correctly identified. Spammers get the 550 error message (which they always ignore) but, more importantly, failed delivery. These results are before any after-receipt filters or client-side filters.

Do not put Yahoo, Hotmail, Gmail and the other web-based email services in your whitelist, as we have found that they get used for list washing and can overwhelm your servers. You will find that APEWS.ORG does not list them either, so you won't lose any email from their senders. I recommend an alias list that handles misspelled email addresses by routing common errors to the correct user's email address, and then rejecting all email for unknown user names / email addresses. It's all about reputation now; trusted senders are more easily documented as they are so few.
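The recipient handling just described (route common misspellings through an alias list, then refuse everything addressed to an unknown user at RCPT TO time) as an added example in Python. It is not code from the original post; the domain, mailbox names and alias map are constructed sample data.

```python
"""RCPT TO validation with an alias list for common misspellings.

Added example, not from the original post; all names below are constructed.
"""

LOCAL_DOMAINS = {"example.com"}                 # domains this server accepts for
VALID_USERS = {"alice", "bob", "sales"}          # real mailboxes (local parts)
# Common misspelling -> real mailbox. Kept separate from VALID_USERS so that
# adding an alias never creates a new deliverable address by accident.
ALIASES = {"alise": "alice", "bobb": "bob", "sale": "sales", "salse": "sales"}


def resolve_recipient(address: str):
    """Return the canonical mailbox for `address`, or None if it is unknown.

    Case-insensitive on both local part and domain, which matches how
    senders actually mistype addresses.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or domain.lower() not in LOCAL_DOMAINS:
        return None
    local = local.lower()
    local = ALIASES.get(local, local)            # fold a misspelling onto the real user
    if local not in VALID_USERS:
        return None
    return f"{local}@{domain.lower()}"


def rcpt_to_response(address: str) -> str:
    """SMTP reply for RCPT TO: 250 for a known mailbox, 550 for everything else."""
    target = resolve_recipient(address)
    if target is None:
        return "550 5.1.1 unknown user"
    return f"250 OK, delivering to {target}"


if __name__ == "__main__":
    for addr in ("Alise@Example.COM", "sale@example.com", "nobody@example.com", "alice@other.example"):
        print(addr, "->", rcpt_to_response(addr))
```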

16 comments:

  1. Dear Apews.org

    I am a forum owner hosted by Godaddy.com, and our website and our website IP is listed at apews.org!
    Else it's clean everywhere..
    I had problems finding out where to write you guys a message, I truly hope you can send me a reply about why our forum is listed at "apews.org" ........ Thank you so much in advance!

    Replies
    1. This blog is directed at users of the APEWS blacklist as an antispam measure and for users to publish errors. An APEWS user can publish the full email header as we have done here, showing that your IP address is, in their opinion, wrongly listed. The APEWS Administrators may decide to take action or not based on their own data and experience.

  2. dear admin Apews.org,

    I'm a network engineer at one of the ISPs in Malaysia. I really need to de-blacklist one of my customer's IPs. I can't see any admin email that I can report to to de-blacklist the IP. I hope that by using this forum/blog I will get a response as soon as possible. Below is the result that appears after checking the IP in the lookup domain boxes:

    Oooops 202.46.112.7 is currently listed in APEWS :-(
    Entry matching your Query: E-304363
    202.46.112.0/20
    ---------------------------------
    CASE: C-1375
    Spambots/zombies within CIDR
    ---------------------------------
    Special Reason:
    Only the ASN/CIDR owner can solve this listing by actioning FAQ 42 apews.org SHUTDOWN BOTS, ZOMBIES, NET ABUSE
    ---------------------------------
    History:
    Entry created 2007-09-26

  3. Hello,

    I have 2 class C blocks, they are 120.89.92.0/23, and all of our IPs are blacklisted by APEWS:

    http://www.apews.org/?page=test&C=18&E=464994&ip=120.89.93.3
    http://www.apews.org/?page=test&C=18&E=464994&ip=120.89.92.47
    etc...

    But those IPs are not blocked by any RBL/XBL and are clean.

    Can you please check it?

    Thank you

  4. Hello,

    I work for a small ISP in the USA. We have an IP range that has been blocked on your list. It may have been used for spam in the past but that customer is no longer with us because of such spam. It has been 6 months or more now since the IP has been re-SWIP'd to a new customer. This customer is upset that their IP range is still on your list.

    Entry matching your Query: E-469136
    205.251.0.0/17
    CASE: C-22
    Dynamic IP space, generic DNS/rDNS, no PTR
    Direct connections to MX not permitted, you
    need to use your ISP servers or smarthost
    History:
    Entry created 2011-04-16

    The netblock is 205.251.79.128/27

    The user has proper PTR records and all of our IPs are statically allocated to our customers.

    Many Thanks

  5. Hello,

    I am an employee of an organization named Sustainability Support Services, with org number 5567576367. We had a couple of issues previously with our static IP, so we cancelled it and asked for a new static IP, and we got the new one a couple of days back, and even the new static IP (83.180.131.61) provided was under blacklist. I kindly request you to remove the blacklist thing from the domains; because of this we are not able to receive emails and are getting spam, and most of our important work is pending due to this. Thank you.

  6. Hello,

    My IP is 203.189.137.32 and my domain is mail.allweb.com.kh, which is now blocked by apews.org.

    Please help me to unblock.

    Thank you so much.

  7. Hello,
    My IP is 86.125.52.190, domain mail.mairon-tubes.ro, which is now blocked by apews.org. The problem has persisted since yesterday; until then it was OK, and now I see that the reason is based on a 2010 entry!!!

    Please help me to delist.
    Thanks.

    Florin

    Oooops 86.125.52.190 is currently listed in APEWS :-(
    Entry matching your Query: E-438646
    86.125.0.0/18
    CASE: C-17
    Spambots, zombies, contaminated CIDR, bad reputation provider
    History:
    Entry created 2010-12-20

  8. Good afternoon. We can't send you mail. Please unblock us, @arustel.ru (IP 82.198.182.78).

  9. Good afternoon, please help me by removing my IP from your blacklist: 181.198.19.210, the domain mail.imar-ec.com.

  10. Oooops 181.198.19.210 is currently listed in APEWS :-(
    Entry matching your Query: E-180024
    181.0.0.0/8
    CASE: C-1404
    IP allocations to providers with a bad reputation
    Special Reason:
    No traffic until allocated

  11. Oooops 181.198.19.210 is currently listed in APEWS :-(
    Entry matching your Query: E-180024
    181.0.0.0/8
    CASE: C-1404
    IP allocations to providers with a bad reputation
    Special Reason:
    No traffic until allocated

  12. Hi, please unblock my IP 209.190.226.228 from APEWS (bl.csma.biz).

  13. Hello,
    Please help us and unblock our IP (180.211.112.67).

  14. Good morning; please, we need you to remove us from the APEWS list; the IP is 190.223.54.186.

  15. Nice post, thank you for sharing such an informative post.
