Using 'whois' to Retrieve all IPs/Subnets for an Organization
I manage a spam filter for the organization I work for. I've been trying to get the others here to stop whitelisting by domain name since that can be easily spoofed. One of the obstacles, however, is that there doesn't seem to be an easy way to determine the legitimate outgoing SMTP server IP for these domains. Currently, the best we can do is to find a legitimate message from one of the domains in question (cnn.com for example), then search the spam filter's message log for the first two or three octets of the validated IP address. The end result can be exported to a CSV file, and then we determine if we should do individual IPs or a network. In the case of cnn.com, we had to do the network since there were 50 hosts in the 31-129 range (last octet).
Just "cold calling" places like CNN and saying, "Hey, can you give me a list of the IP addresses for all of your outgoing mail servers" is not likely to get too warm a reception. And if I am going to convince my co-workers that whitelisting domains, while easy, is not the best approach... I need something that's almost as easy. Since it's possible to do a 'whois -h arin.whois.net <some ip address>' and get the owner and full network range list, I was wondering if there is some way of using 'whois' with the domain name to get the full network? That would be much better than what I'm doing now, which is kind of hit or miss. I looked at the 'whois' man page but there really didn't seem to be much there about doing a recursive query.
I have a feeling that answer will be that I will just need to go through the message log and try and snag whatever info I can, but I'm hoping someone out there might have a better way. Because there's ALWAYS a better way to do something.
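One way to turn the per-IP whois lookup and log search described above into an allowlist entry, as an added example that is not part of the original post: it parses the NetRange/CIDR/OrgName lines of ARIN-style whois output, groups the validated sender IPs from the log by the allocation that contains them, and emits the whole network only when enough distinct hosts were seen inside it, while IPs that fall outside the organization's allocation are set aside for manual review rather than allowlisted. The whois text and log lines are constructed samples using RFC 5737 documentation address space, not a real organization's data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of 'whois -h whois.arin.net <ip>' style output.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-MAIL-NET
OrgName:        Example News Corp
"""

# Constructed sample of spam-filter log lines: "<sender ip> <envelope domain>".
SAMPLE_LOG = """\
203.0.113.31 example.com
203.0.113.129 example.com
203.0.113.77 example.com
198.51.100.9 example.com
203.0.113.40 example.com
"""


def parse_whois_networks(text):
    """Return (list of ip_network, OrgName) from ARIN-style whois output.

    CIDR lines are preferred; if absent, NetRange lines are converted."""
    cidrs, ranges, org = [], [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "CIDR":
            cidrs.extend(ipaddress.ip_network(c.strip()) for c in value.split(","))
        elif key == "NetRange":
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            ranges.append((start, end))
        elif key == "OrgName":
            org = value
    if not cidrs:  # fall back to summarising the NetRange into CIDR blocks
        for start, end in ranges:
            cidrs.extend(ipaddress.summarize_address_range(start, end))
    return cidrs, org


def build_allowlist(log_text, networks, min_hosts=3):
    """Group validated sender IPs by containing whois network.

    Returns (allowlist, needs_review): a whole network is allowlisted once
    min_hosts distinct IPs were seen inside it, otherwise the individual
    IPs; IPs outside every known network are returned for manual review."""
    inside, outside = defaultdict(set), set()
    for line in log_text.splitlines():
        ip = ipaddress.ip_address(line.split()[0])
        net = next((n for n in networks if ip in n), None)
        (outside.add(ip) if net is None else inside[net].add(ip))
    allowlist = []
    for net, ips in inside.items():
        if len(ips) >= min_hosts:
            allowlist.append(str(net))
        else:
            allowlist.extend(str(ip) for ip in sorted(ips))
    return allowlist, [str(ip) for ip in sorted(outside)]
```

With the samples above, the /24 is allowlisted as a network and 198.51.100.9 is reported for review because it is not inside the organization's allocation.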