Yesterday I discovered one of our hosts was in the SCBL. I looked things over, and thought we'd eliminated the source, and requested delisting. But this morning it was listed again, and with some more work I uncovered a compromised user account that was being used to send spam. Killed the processes, and I'm in the process of wiping everything clean, and I've amped up our logging of mail activity on our firewall.
(The IP address is 18.104.22.168.)
However, I'm wondering what I can do to ensure I receive reports in the future?
In the past our ISP has forwarded reports as they've received them, with suitably ominous language about "taking it very seriously", but recently they seem to have gotten quite useless at this. We've heard nothing about this most recent block, for example, despite the summary report listing 1695 spamtrap hits. I'm not happy about that, and we're requesting an explanation for why they've not passed anything on.
And as much as I'd love to change colo (not *just* because of this, but it's part of a pattern), that's not a quick process... Our /29 is registered to them, and so I assume that's why we've not seen any reports even though the IP in question in this case reverse maps to our domain name.
Is there a general way of requesting full reports even if the net block is not registered to us? (Sorry if this is in the FAQs - I couldn't find it.) I receive summary reports now, but the full reports would make it much faster for us to track down the exact source.
If there's no general way, is there anyone I can talk to who could help with this? I'm of course happy to provide full details.
Thanks in advance.