I'm curious about how often other sysadmins review their allow/block lists, especially regarding compromised external mailboxes. Usually, when we encounter a compromised mailbox, we add it to the block list with an indefinite expiration. Is that common practice, or do others have different strategies for managing these situations? If you do review your list, how frequently do you do it?
5 Answers
We usually block the entire domain until we get a written confirmation from the IT team of the sending organization that the threat has been dealt with. There was even one vendor we had to quarantine for almost a year because their DMARC was misconfigured, even though their SPF and DKIM were fine. It’s a cautious game we play with these threats!
I never tend to review them. If I get confirmation from the blocked domain that everything's cleared up, I’ll remove them. No need for regular reviews in my opinion.
I block any mailbox until I get confirmation that the problem is fixed. If I never hear back, it stays on the block list, which does lead to some confused users months later asking about emails from clients getting blocked. It's definitely a balancing act!
I stick to only allow-listing email addresses that are used for critical notifications. A block gets lifted only after I hear directly from the sender that the issue is resolved. As for random spammers, once they're blocked, they stay blocked forever!
For us, once we get reports of phishing, we block the domain indefinitely. If users report spam, that's an automatic block, and we don’t revisit it unless we hear otherwise from the source. Better safe than sorry!
Totally agree! It’s always a challenge dealing with user complaints after long blocks.
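The answers above converge on one workflow: block a compromised mailbox or domain with no expiration, lift it only on written confirmation from the sender's IT team, and leave spam blocks in place permanently. The script below is an added example (not code from any of the posters) that turns that workflow into a periodic review: it assumes a block list kept as a list of `BlockEntry` records with an `added` date, an optional `expires` date (`None` meaning indefinite) and a `confirmed_fixed` flag set when the sender's confirmation arrives. The entries, the `stale_after_days` threshold and the field names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class BlockEntry:
    """One row of a mail gateway block list (constructed schema, not a real product's)."""
    target: str                  # "user@example.com" (one mailbox) or "example.com" (whole domain)
    reason: str                  # "compromised", "phishing" or "spam"
    added: date                  # when the block was created
    expires: Optional[date]      # None = indefinite, as in the original question
    confirmed_fixed: bool = False  # written confirmation from the sending org's IT team


def is_domain_block(entry: BlockEntry) -> bool:
    """A target without '@' blocks the whole sending domain."""
    return "@" not in entry.target


def review_blocklist(entries: List[BlockEntry], today: date,
                     stale_after_days: int = 90) -> Dict[str, List[str]]:
    """Sort block entries into 'lift', 'review' and 'keep' buckets.

    - lift:   sender confirmed the compromise/phishing is fixed, or a dated block has expired
    - review: indefinite block on a compromised/phishing source with no confirmation after
              stale_after_days (the 'confused users months later' case in the answers)
    - keep:   spam blocks (permanent by the posters' policy) and recent indefinite blocks
    """
    result: Dict[str, List[str]] = {"lift": [], "review": [], "keep": []}
    for e in entries:
        if e.confirmed_fixed and e.reason in ("compromised", "phishing"):
            result["lift"].append(e.target)
        elif e.expires is not None and e.expires <= today:
            result["lift"].append(e.target)          # dated block has run out
        elif e.reason == "spam":
            result["keep"].append(e.target)          # spam stays blocked, no review
        elif e.expires is None and (today - e.added).days >= stale_after_days:
            result["review"].append(e.target)        # indefinite and ageing, chase the sender
        else:
            result["keep"].append(e.target)
    return result


def review_report(entries: List[BlockEntry], today: date,
                  stale_after_days: int = 90) -> List[str]:
    """Human-readable lines for the entries that need a follow-up with the sender."""
    by_target = {e.target: e for e in entries}
    lines = []
    for target in review_blocklist(entries, today, stale_after_days)["review"]:
        e = by_target[target]
        scope = "domain" if is_domain_block(e) else "mailbox"
        age = (today - e.added).days
        lines.append(f"{target} ({scope}, {e.reason}): blocked {age} days, no confirmation on file")
    return lines


# Constructed sample block list; these domains and addresses are illustrative only.
SAMPLE_ENTRIES = [
    BlockEntry("accounts@vendor-a.example", "compromised", date(2024, 1, 10), None, confirmed_fixed=True),
    BlockEntry("vendor-b.example", "compromised", date(2023, 7, 1), None),
    BlockEntry("promo@spammer.example", "spam", date(2022, 1, 1), None),
    BlockEntry("billing@vendor-c.example", "compromised", date(2024, 5, 20), None),
    BlockEntry("vendor-d.example", "phishing", date(2024, 3, 1), date(2024, 5, 1)),
]
TODAY = date(2024, 6, 1)  # constructed review date

if __name__ == "__main__":
    buckets = review_blocklist(SAMPLE_ENTRIES, TODAY)
    for name, targets in buckets.items():
        print(f"{name}: {targets}")
    for line in review_report(SAMPLE_ENTRIES, TODAY):
        print("REVIEW:", line)
```

Running the review on a schedule (monthly was the cadence the question asked about) and acting only on the `review` bucket keeps the posters' default of "indefinite until confirmed" while still surfacing the stale entries that otherwise show up as user complaints months later.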