[NTLUG:Discuss] Trying to block all China/Korea IPs in greylisting

Leroy Tennison leroy_tennison at prodigy.net
Wed Jun 13 22:19:54 CDT 2007


. Daniel wrote:
> "A Lot"?  Greylisting makes a HUGE difference.  It's very effective.  But 
> that's not where it stops.  A lot of crap does get through.  I have seen 
> "attacks" come through where the attacker(s) just pushed and pushed and 
> pushed sending two, three or more of the same email over and over.  Perhaps 
> if I had my greylisting set up to have more than a 0-second retry delay 
> that might have helped.  But even at 0, it does a tremendous job.
>
> Mostly what gets through is spam coming from actual mail servers...servers 
> that retry.  And a lot of those are coming from or through other countries. 
>  
>
> I have already started seeing some positive reaction from the RelayCountry 
> thing.  Countries are being identified and stuff.  Nigeria isn't listed in 
> my rules yet but they will be... what's the country code for Nigeria?  NI?  
> I just had one stopped by spam assassin a little while ago... a 419 scam.  
> Spam Assassin stopped it for reasons other than country of origin.
>
> My setup does a pretty decent job but it's far from perfect.
>
>
>   
>> Are you finding that lots of spam is getting through your greylisting?
>>
>>
>> . Daniel wrote:
>>     
>>> I finally discovered RelayCountryPlugin and have made some attempt at
>>> implementation.  We'll see how it goes.
>>>
>>> It's just a damned frustrating problem and it's easy to be tempted to use
>>> extreme measures to block spam.
>>>
>>>       
>>>> If you do want to completely block these hosts, do you really want to do
>>>> it in your greylist?
>>>>
>>>> You probably want to block them directly in sendmail with a dnsbl like:
>>>> http://countries.nerd.dk/
>>>>
>>>> You can also do it in spamassassin:
>>>>
>>>> http://wiki.apache.org/spamassassin/RelayCountryPlugin
>>>>
>>>> If you REALLY want to do it in relaydelay, here is a perl script that
>>>> will convert your list of ip ranges into octets (like relaydelay
>>>> wants).  You'll need Net::CIDR installed though.
>>>>
>>>> #!/usr/bin/perl
>>>>
>>>> use Net::CIDR ':all';
>>>>
>>>> while (<>) {
>>>>     next if (/^#/);
>>>>     my ($s, $e) = split(/[\s-]+/);
>>>>     my @list;
>>>>     eval {@list = range2cidr("$s-$e")};
>>>>     print join("\n", cidr2octets(@list)), "\n" if @list;
>>>> }
>>>>
>>>>
>>>> You'd run it something like:
>>>> ./block.pl < sinokorea.txt > blacklist.txt
>>>>
>>>> Of course, I think this is all a really bad idea, but there you go.
>>>>
>>>> . Daniel wrote:
>>>>         
>>>>> I would be happy if I could somehow specify which countries.  I would
>>>>> select China, Korea, Brazil, Russia and Romania for starters but I wouldn't
>>>>> likely stop there.
>>>>>
>>>>>           
>>>>>> Are you trying to completely block all mail coming from certain
>>>>>> countries or only selectively greylist them?
>>>>>>
>>>>>>
>>>>>> . Daniel wrote:
>>>>>>             
>>>>>>> I have the list from the following URL:
>>>>>>>
>>>>>>> http://www.okean.com/sinokorea.txt
>>>>>>>
>>>>>>> I can parse just the first field easily enough with:
>>>>>>>
>>>>>>> cat sinokorea.txt | awk '{ print $1 }'
>>>>>>>
>>>>>>> The greylist (relaydelay in this case) wants to see block ranges as
>>>>>>> incomplete octets if that makes sense.  For example, if I wanted to block
>>>>>>> 218.232.x.x, I would simply add a block to "218.232"  It is my
>>>>>>> understanding that it would take 218.232.0.0 literally and would only block
>>>>>>> that IP address (yes, I know it's not valid).
>>>>>>>
>>>>>>> I have tried adding " | sed /.0.0.0// " to the previous command line but I
>>>>>>> do not get the results I seek... it doesn't make sense.  I'm guessing that
>>>>>>> expressions in sed for matching have some special meaning when a "."
>>>>>>> character is used.
>>>>>>>
>>>>>>> And perhaps I am barking up the wrong tree entirely, but my end purpose is
>>>>>>> to make entries in my relaydelay blacklist table to block out all of china,
>>>>>>> korea and ultimately any country outside of the US that I care to.  (The
>>>>>>> business I work for has no business need to receive email from outside of
>>>>>>> the state, let alone outside of the country... so it's presumed to be spam
>>>>>>> when it originates from outside of the USA.)
>>>>>>>
>>>>>>> Anyone know any special magic incantations to achieve this end?  I had
>>>>>>> heard someone mention spamassassin rules that would elevate risk by country
>>>>>>> of origin, but I cannot find anything on the net to document this yet...
>>>>> _______________________________________________
>>>>> http://www.ntlug.org/mailman/listinfo/discuss
I can understand your wanting "perfect" but don't promise that to
anyone, it's not going to happen.
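
The conversion discussed in the quoted thread (IP ranges into the "incomplete octet" prefixes relaydelay is said to want), as an added example that is not part of any poster's message. It assumes one "start-end" range per line; the function name and the sample ranges are constructed for illustration. Unlike stripping trailing ".0.0" with sed, it only emits a short prefix such as 218.232 when the range really covers that whole block, so a partial range is never widened.

```shell
#!/bin/sh
# Added example (not from the thread). Reads "start-end" IPv4 ranges on stdin
# and prints octet-aligned prefixes ("218.232" style), one per line.
ranges_to_prefixes() {
    awk '
    # Dotted quad -> integer, or -1 if the field is not a valid IPv4 address.
    function ip2n(ip,   o, i, n) {
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(ip, o, ".")
        n = 0
        for (i = 1; i <= 4; i++) {
            if (o[i] + 0 > 255) return -1
            n = n * 256 + o[i]
        }
        return n
    }
    # First "octets" octets of address n, joined with dots.
    function prefix(n, octets,   s, i, d) {
        d = 16777216
        for (i = 1; i <= octets; i++) {
            s = (i > 1 ? s "." : "") (int(n / d) % 256)
            d /= 256
        }
        return s
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        line = $0
        gsub(/-/, " ")                        # accept "a-b", "a - b" and "a b"
        lo = ip2n($1); hi = ip2n($2)
        if (lo < 0 || hi < lo) {              # malformed or reversed range
            print "skipped: " line > "/dev/stderr"
            next
        }
        while (lo <= hi) {
            # Largest block of 256^k addresses that starts at lo and ends by hi.
            size = 16777216; octets = 1
            while (size > 1 && (lo % size != 0 || lo + size - 1 > hi)) {
                size /= 256; octets++
            }
            print prefix(lo, octets)
            lo += size
        }
    }'
}

# Constructed sample input; the second range covers only part of 218.234.x.x.
printf '%s\n' '# constructed sample' '218.232.0.0 - 218.233.255.255' \
    '218.234.0.0-218.234.1.255' | ranges_to_prefixes
```

The sample prints 218.232, 218.233, 218.234.0 and 218.234.1; malformed or reversed ranges are reported on stderr and skipped rather than guessed at.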


