policy

IP policy blocklist (dynamic.mail.abusix.zone)

Description

This is our email "Policy” blocklist which aims to list all IP addresses that should not be connecting directly to external SMTP servers, but should instead be using their ISP or mail providers smarthost to relay messages using some form of SMTP authentication.

This list is designed to preemptively list any IP that does not appear to be suitable for use with an SMTP server, this is to catch newly compromised hosts, hijacked IP space etc. immediately without requiring trap hits for listings.

It is built by constantly scanning the entire IPv4 range and applying a policy that states:  

• An IP address MUST have rDNS.
• rDNS must not be 'templated' e.g. two or more octets of the IP address MUST NOT appear (this can be in hex, decimal etc.) within the rDNS label (there are exceptions for static* mail* mx* smtp* etc.) and should reflect the hostname of the SMTP server.
• Contiguous ranges of IP addresses MUST NOT have the same rDNS.

127.0.0.11 is returned for hosts with generic rDNS.

127.0.0.12 is returned for hosts with no rDNS.

Delisting

Anyone can request a delist from this zone and a semi-permanent exception will be created automatically.  Exceptions are only pruned when they are no longer necessary, but in the future we may require that Policy exceptions are revalidated once per year to prevent them from becoming stale.

Note for rsync users

There is also a zone file called "policy.zone" which is now deprecated.  This was a stricter version of the Policy Blacklist which also included hosts which contained "static" within their rDNS labels.   Please check that you are using the correct zone file as "policy.zone" will be removed in the future to save bandwidth and confusion.

Example query:

$ host 2.0.0.127.<key>.dynamic.mail.abusix.zone.
2.0.0.127.<key>.dynamic.mail.abusix.zone has address 127.0.0.11
2.0.0.127.<key>.dynamic.mail.abusix.zone has address 127.0.0.12