Home / Blogs

Resources for Cleaning Your Network

The first step (but certainly not the last) towards saving the internet from spam, malware, and other abuse is to keep your own network clean.

A friend of CAUCE, who wishes to remain anonymous, offers these tips and resources to help you identify problem traffic emanating from your network, and clean it up. Though primarily written for ISPs, many of the items below should apply equally well to any network owner.

Zero-point: Problems which aren’t identified don’t get fixed. So…

First and foremost, proper identification of the ISP’s IPs in both RIR (APNIC) and rDNS. Along with that, working and properly processed Abuse e-mail contact for APNIC and “abuse@domain” for the generic rDNS primary domain. Correct domain whois goes hand-in-hand.

Then, in no particular order…

Block port 25 on dynamic ranges, as recommended by MAAWG.

Complaint Feedback Loops and other abuse reporting mechanisms: Spamhaus and Word To The Wise both have links to get started on those, and ISPs serious about cleaning up should subscribe all their IP ranges to as many of those FBLs as they can handle. (The best for spam detection would be subscribing to all of them but volume can get quite high so they may wish to pick and choose what fits their needs the best.)

That includes SpamCop, but it’s worth its own mention. Unlike most other FBLs, SpamCop reports spamvertised URLs as well as spam source. Note that it has both direct spam reporting and “Summary” reports which provide IP-by-IP reporting for a subscribed range on an hourly or daily basis.

www.abuse.net can help them direct spam reports to the right place. SpamCop seems to look at Abuse.net, too.

CBL offers rsync of its data within terms of use posted on its website. An ISP with that data can use grepcidr across its IP ranges to identify currently active spam-bot IPs.

Spamhaus PBL provides participating ISPs with CBL’s list bots in the respective ISP’s IP ranges, so that’s another easy way for ISPs to get that same data.

Botnet C&C and malware related IPs identified by the FIRE group can be
found by ASN with http://maliciousnetworks.org/ .

Senderbase.org, Trustedsource.org and Senderscore.org websites all have searchable reputational information which can help an ISP corroborate reports they get with a wider sample of traffic…very useful.

I’m sure there are more such resources, I’d be interested in them and I hope others will chime in, but for an ISP which is already overrun with spam issues, those websites should at least give them grist to start grinding away at the problems. I suspect the more difficult challenge will be to get them to actually back the effort.

Any ideas? Post them in the comments, and maybe our anonymous friend will join in too.

(This article was originally published on CAUCE.org.)

By J.D. Falk, Internet Standards and Governance

Filed Under


some more Carl Byington  –  May 3, 2010 6:48 PM

Take your reverse dns zones, and periodically extract all the names and look them up on Surbl. Be sure to load limit that to avoid hammering the Surbl dns servers, and also use the proper number of name components.

Periodically scan your ip address space on port 25, extract any domain names from the SMTP banner, and look up those names on Surbl. With the same restrictions as above.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix