...

This is the overall list of IPs blocked; with breakdowns sorted by date in the comments: 

**The list-bombing alert email is sent by Momentum 4. This process will no longer apply if/when that server is decommissioned, and clients will need to be responsible for protecting their forms and lists with Captcha and confirmed opt-in.

...

How to Block IPs reported in the List Bombing email:

1. Open the List Bombing email

2. Look over the data provided for any red flags (see criteria below) and note any potential problem IPs 

3. Click through all of the CleanTalk, StopForumSpam, and Project Honeypot links provided (even if the email says "Not blacklisted," it's possible the IP has been listed in the time between the alert and your response)

4. Make a list of all of the IPs that have been reported as spam or other malicious behavior on any of the three sites - these IPs must all be blocked and documented

5. Verify whether any of the potential problem IPs from Step 2 need to be added to the block list by confirming spam report status or suspicious data

6. Use Postman to block each IP address from adding new addresses to SignupApp2 (SUA2)

   1. You will need access to the SUA2 environment, if you don't have correct permissions submit a ticket to IT

   2. use SUA Endpoints > Exclusions > Add blacklisted IP code

   3. Paste the IP address into the bar where highlighted

   4. Click "Send"
      

      Image RemovedImage Added

      
      
      

   5. Verify 200 OK response

      1. You should see this: 
         

         Image RemovedImage Added

      2. If you see this, the IP has already been blocked (you probably duplicated it in your list by accident, eg noted the IP at first and copied again where it was blacklisted)
         

         Image RemovedImage Added

   6. Repeat these steps for all IPs
      

7. Document the IPs you've blocked. *Note, for the time being that process is being handled on this DLV ticket: 

   Jira Legacy
   server agora publishingSystem JIRA serverId af0addc4235c5e66-7667ba38-373334da-8fe38e9f-a9af723b162a4e0fc8afad71 key DLV-3174

   1. Paste the list of blocked IPs into a comment, so there's a timestamp for those IPs
      Paste the list of blocked IPs into the master blocklist in the body of the ticket
      
      

...

Criteria for blocking an IP address:

• Blacklisted on any of the blacklists in the "Possible IP List Bombing" email; OR

• A combination of the following:

  1. High spam rate on Cleantalk – anything above 2-3% should raise a red flag.

  2. IP is located in problematic regions (ie, SE Asia, Philippines, China, Russia, Eastern Europe)

  3. High discrepancy between unique email addresses and unique signups/attemptsApparent but unmarked bulk uploads in SUA2 (eg, dozens of signups within a second, patterns in uploads, etc)

The following addresses have been positively ID'd as legit sources of signups (to be whitelisted):

• 54.224.244.168 - vendor

• 161.47.117.248 - vendor

• 104.196.168.51 - FTM / Australia

• 35.189.61.7 - PPP / Australia

• 34.206.153.163 - investmentu

• 162.242.156.206 - zapier / agora financial

• 144.202.62.164 - oxf + mmp vendor

• 144.202.56.90 - mmp vendor

• 54.241.34.25 - AF vendor Unbounce

• 50.19.99.184 - AF vendor Unbounce

...

• 3.220.115.188 - Zapier

• 3.220.22.251 - Zapier

• 52.1.205.184 - Zapier

• 52.6.229.193 - Zapier

• 52.6.82.82 - Zapier

• 54.85.112.125 - Zapier

...

Further reading on List Bombing:

• Word to the Wise: Subscription Bombing, ESPs, and Spamhaus: 
  https://wordtothewise.com/2016/08/subscription-bombing-esps-spamhaus/

• Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs:
  https://www.spamhaus.org/news/article/734/
  

• Mailing Lists -vs- Spam Lists:
  https://www.spamhaus.org/whitepapers/mailinglists/
  

• Confirmed Opt In - A Rose by Any Name:
  https://www.spamhaus.org/news/article/635
  

• Spamhaus Marketing FAQ:
  https://www.spamhaus.org/faq/section/Marketing%20FAQs

...

• /wiki/spaces/MGS/pages/39953056478
  

• https://jira.14west.us/browse/DLV-3174

...

...