Blog, 19 Apr 2021

Abusix Mail Intelligence – Policy IP List

Steve Freegard, Sr. Product Owner Abusix Intelligence

Welcome to Part 4 of our series of blog posts dissecting each of the datasets available as part of Abusix Mail Intelligence. This time we’re looking at our Policy IP list.

How the Policy IP List is being built:

This list is 100% automated. I call it our “preemptive” blocklist because it lists every IP that should not be sending emails directly to MX.  

IPs can become infected, compromised or hijacked, or be rented or purchased by spammers, and be put to use immediately. It can take some time for this traffic to be seen by traps, so this list works to prevent traffic from IPs where we have yet to observe traffic.

It is built by scanning the entire IPv4 space and applying the policy detailed below to each IP address scanned.   

We scan ranges more frequently based on how often they change and to handle newly allocated IP addresses as quickly as possible. We re-test IPs that are being checked via our online lookup service or those seen via our intelligence network.

Removals from this zone are semi-permanent: we don’t relist a removed address until we see the rDNS (reverse DNS) change again.

Reasons for being listed & how to avoid getting listed on our Policy IP List:

The policy that we apply to every IPv4 address is the following:

  • An IP address must have rDNS.
  • rDNS must not be ‘templated’, e.g. two or more octets of the IP address must not appear within the rDNS label (this can be in hex, decimal etc.; there are exceptions for static*, mail*, mx*, smtp* etc.), and the rDNS should reflect the hostname of the SMTP server.
  • Contiguous ranges of IP addresses must not have the same rDNS.
  • IPs that have port 25, 465 or 587 open are excluded.
  • IPs that are whitelisted are excluded.

If you’re allocated new IP addresses, then simply ensure that each one has rDNS configured that reflects the machine hostname and does not contain all or part of the IP address.

The next time that we scan the IP, it will be automatically removed – you can speed this process up by requesting a removal from our blocklists through our lookup service.
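A pre-check for the first two rules of the policy above, for use before a newly allocated address goes into service. This is an added example, not Abusix's code: the function names, the token matching, ignoring the TLD, and treating the exceptions as prefixes of the full name are assumptions, and the sample addresses and hostnames are constructed.

```python
import ipaddress
import re

# Prefixes the post lists as exceptions; its "etc." is not expanded here.
EXEMPT_PREFIXES = ("static", "mail", "mx", "smtp")

def token_values(rdns):
    """Yield, per rDNS token, the set of octet values it could spell."""
    labels = rdns.lower().rstrip(".").split(".")[:-1]  # assumption: ignore the TLD
    for token in re.split(r"[^0-9a-z]+", ".".join(labels)):
        if re.fullmatch(r"[0-9a-f]{8}", token):        # packed hex, e.g. c0000205
            for i in range(0, 8, 2):
                yield {int(token[i:i + 2], 16)}
        elif re.fullmatch(r"[0-9a-f]{2}", token):      # hex pair, or two decimal digits
            yield {int(token, 16)} | ({int(token)} if token.isdigit() else set())
        else:                                          # decimal runs, zero padding allowed
            for run in re.findall(r"\d+", token):
                if int(run) <= 255:
                    yield {int(run)}

def embedded_octets(ip, rdns):
    """Count octets of `ip` that appear in `rdns`, using each token only once."""
    pieces = list(token_values(rdns))
    count = 0
    for octet in ipaddress.IPv4Address(ip).packed:
        for piece in pieces:
            if octet in piece:
                pieces.remove(piece)
                count += 1
                break
    return count

def is_templated(ip, rdns):
    """True if two or more octets appear and no exempt prefix applies."""
    if rdns.lower().startswith(EXEMPT_PREFIXES):
        return False
    return embedded_octets(ip, rdns) >= 2

def policy_findings(ip, rdns):
    """Return the reasons this IP/rDNS pair would fail the first two rules."""
    if not rdns:
        return ["no rDNS"]
    return ["templated rDNS"] if is_templated(ip, rdns) else []

if __name__ == "__main__":
    # Constructed samples: documentation address range and example domains.
    for ip, name in [("192.0.2.5", "host-192-0-2-5.dyn.isp.example"),
                     ("192.0.2.5", "mail.example.org")]:
        print(ip, name, policy_findings(ip, name) or "ok")
```

The remaining rules (identical rDNS across a contiguous range, open SMTP ports, whitelisting) need data beyond a single IP/rDNS pair and are not covered here.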

Hope that is useful.

Until next time – stay safe.

Steve.
