Welcome to Part 4 of our series of blog posts dissecting each of the datasets available as part of Abusix Mail Intelligence. This time we’re looking at our Policy IP list.
How the Policy IP List is built:
This list is 100% automated. I call it our “preemptive” blocklist because it lists every IP that should not be sending email directly to an MX.
IPs can become infected, compromised or hijacked, or be rented or purchased by spammers and put to use immediately. It can take some time before traffic from such an IP is seen by our traps, so this list works to block traffic from IPs that should not be sending mail before we have observed any traffic from them.
It is built by scanning the entire IPv4 space and applying the policy detailed below to each IP address scanned.
We scan ranges more frequently based on how often they change, so that newly allocated IP addresses are handled as quickly as possible. We also re-test IPs that are checked via our online lookup service or seen via our intelligence network.
Removals from this zone are semi-permanent: we don’t relist a removed address until we see its rDNS (reverse DNS) change again.
Reasons for being listed & how to avoid getting listed on our Policy IP List:
The policy that we apply to every IPv4 address is the following:
- rDNS must not be ‘templated’, i.e. two or more octets of the IP address (in decimal, hex, etc.) must not appear within the rDNS name (there are exceptions for names beginning static*, mail*, mx*, smtp*, etc.), and the rDNS should reflect the hostname of the SMTP server.
- IPs that have port 25, 465 or 587 open are excluded.
- IPs that are whitelisted are excluded.
If you are allocated new IP addresses, simply ensure that each has rDNS configured that reflects the machine’s hostname and does not contain all or part of the IP address.
The next time we scan the IP it will be removed automatically; you can speed this up by requesting a removal from our blocklists through our lookup service.
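To make the policy above concrete, here is an added example (not Abusix’s own code) that applies the three rules to an address and its rDNS name. The exact matching rules Abusix uses are not published, so everything below is an assumption: the exemption list is taken as the four prefixes the post names and is applied to the leftmost label of the name; decimal octets are matched as digit runs (including zero-padded 3-digit concatenations), and hex octets are matched as adjacent octet pairs inside a hex-looking run; port state and allowlist membership come from a scan or lookup the example does not perform, so they are passed in as parameters. The post does not say what happens when an IP has no rDNS at all, so the example does not model that case. The sample names are constructed and are not real hosts.

```python
"""Apply the Policy IP list rules from the post to an IPv4 address and its rDNS.
Added example, not Abusix's code; matching rules and exemption list are assumptions."""

import ipaddress
import re

# Prefixes exempted from the templated-rDNS rule, applied to the leftmost label.
# The post says "static* mail* mx* smtp* etc."; the full list is an assumption.
EXEMPT_PREFIXES = ("static", "mail", "mx", "smtp")

DECIMAL_RUN = re.compile(r"\d+")
HEX_RUN = re.compile(r"[0-9a-f]{4,}")  # a run long enough to hold two hex octets


def _decimal_candidates(label: str) -> list[int]:
    """Integers in a label that could be octets: every short digit run, plus 3-digit
    chunks of longer runs (catches zero-padded concatenations such as 192000002010)."""
    out = []
    for run in DECIMAL_RUN.findall(label):
        if len(run) <= 3:
            out.append(int(run))
        elif len(run) % 3 == 0:
            out.extend(int(run[i:i + 3]) for i in range(0, len(run), 3))
    return [v for v in out if v <= 255]


def _hex_pair_positions(label: str, octets: bytes) -> set[int]:
    """Octet positions covered by an adjacent octet pair whose 4-hex-char form appears
    in a hex-looking run (e.g. 'c000' for 192.0, or the whole 'c000020a').
    Heuristic: an all-digit hostname run can also look like hex and match by chance."""
    found: set[int] = set()
    runs = HEX_RUN.findall(label)
    for i in range(len(octets) - 1):
        pair = octets[i:i + 2].hex()
        if any(pair in run for run in runs):
            found.update({i, i + 1})
    return found


def templated_octets(ip: str, rdns: str) -> set[int]:
    """Positions (0-3) of the address's octets that appear in the rDNS name.
    An exempt leftmost label (static*, mail*, ...) disables the check entirely."""
    octets = ipaddress.IPv4Address(ip).packed
    labels = rdns.lower().rstrip(".").split(".")
    if labels[0].startswith(EXEMPT_PREFIXES):
        return set()
    matched: set[int] = set()
    for label in labels:
        # Each decimal value consumes one not-yet-matched octet position, so an
        # address like 10.0.0.1 with rDNS "0-0-host" counts both zero octets.
        for value in _decimal_candidates(label):
            for pos, octet in enumerate(octets):
                if pos not in matched and octet == value:
                    matched.add(pos)
                    break
        matched |= _hex_pair_positions(label, octets)
    return matched


def is_templated(ip: str, rdns: str) -> bool:
    """The post's threshold: two or more octets present means the name is templated."""
    return len(templated_octets(ip, rdns)) >= 2


def policy_verdict(ip: str, rdns: str, mail_port_open: bool = False,
                   allowlisted: bool = False) -> str:
    """The three rules from the post. mail_port_open is the result of probing
    25/465/587; allowlisted is the whitelist lookup. Both are assumed inputs."""
    if allowlisted:
        return "excluded: allowlisted"
    if mail_port_open:
        return "excluded: mail port (25/465/587) open"
    if is_templated(ip, rdns):
        return "listed: templated rDNS"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample names (not real hosts) for one address, 192.0.2.10.
    samples = [
        ("192-0-2-10.dynamic.example.net", False),   # decimal template
        ("host-c000020a.example.net", False),        # hex template
        ("static-192-0-2-10.example.net", False),    # exempt prefix
        ("web10.example.net", False),                # one octet only: allowed
        ("mail.example.net", True),                  # real mail host, port open
    ]
    for name, port_open in samples:
        print(f"{name:36} -> {policy_verdict('192.0.2.10', name, port_open)}")
```

Running the block prints a verdict per sample; the only two that end up listed are the decimal and hex templates. Note that this check is the one to run on your own new ranges before asking for removal: if your naming scheme trips `is_templated`, rename first, or the next scan will simply relist the address.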
Hope that is useful.
Until next time – stay safe.
Steve.