[NTLUG:Discuss] Trying to block all China/Korea IPs in greylisting

. Daniel xdesign at hotmail.com
Wed Jun 13 13:14:10 CDT 2007


"A Lot"?  Greylisting makes a HUGE difference.  It's very effective.  But 
that's not where it stops.  A lot of crap does get through.  I have seen 
"attacks" come through where the attacker(s) just pushed and pushed and 
pushed sending two, three or more of the same email over and over.  Perhaps 
if I had my greylisting set up to have more than a 0-second retry delay 
that might have helped.  But even at 0, it does a tremendous job.

Mostly what gets through is spam coming from actual mail servers...servers 
that retry.  And a lot of those are coming from or through other countries. 
 

I have already started seeing some positive reaction from the RelayCountry 
thing.  Countries are being identified and stuff.  Nigeria isn't listed in 
my rules yet but they will be... what's the country code for Nigeria?  NI?  
I just had one stopped by SpamAssassin a little while ago... a 419 scam.  
SpamAssassin stopped it for reasons other than country of origin.

My setup does a pretty decent job but it's far from perfect.


>
>Are you finding that lots of spam is getting through your greylisting?
>
>
>. Daniel wrote:
> > I finally discovered RelayCountryPlugin and have made some attempt at
> > implementation.  We'll see how it goes.
> >
> > It's just a damned frustrating problem and it's easy to be tempted to use
> > extreme measures to block spam.
> >
> >> If you do want to completely block these hosts, do you really want to do
> >> it in your greylist?
> >>
> >> You probably want to block them directly in sendmail with a dnsbl like:
> >>
> >> http://countries.nerd.dk/
> >>
> >> You can also do it in spamassassin:
> >>
> >> http://wiki.apache.org/spamassassin/RelayCountryPlugin
> >>
> >> If you REALLY want to do it in relaydelay, here is a perl script that
> >> will convert your list of ip ranges into octects (like relaydelay
> >> wants).  You'll need Net::CIDR install though.
> >>
> >> #!/usr/bin/perl
> >> # Convert "start - end" IP ranges (one per line) into the whole-octet
> >> # prefixes that relaydelay's blacklist table expects.
> >>
> >> use strict;
> >> use warnings;
> >> use Net::CIDR ':all';
> >>
> >> while (<>) {
> >>     next if (/^#/ || /^\s*$/);          # skip comment and blank lines
> >>     my ($s, $e) = split(/[\s-]+/);      # first two fields: start, end
> >>     my @list;
> >>     eval {@list = range2cidr("$s-$e")}; # minimal CIDR blocks; dies on bad input
> >>     # cidr2octets turns 218.232.0.0/16 into "218.232"
> >>     print join("\n", cidr2octets(@list)), "\n" if @list;
> >> }
> >>
> >>
> >> You'd run it something like:
> >> ./block.pl < sinokorea.txt > blacklist.txt
> >>
> >> Of course, I think this is all a really bad idea, but there you go.
> >>
> >> . Daniel wrote:
> >>> I would be happy if I could somehow specify which countries.  I would
> >>> select China, Korea, Brazil, Russia and Romania for starters but I wouldn't
> >>> likely stop there.
> >>>
> >>>> Are you trying to completely block all mail coming from certain
> >>>> countries or only selectively greylist them?
> >>>>
> >>>>
> >>>> . Daniel wrote:
> >>>>> I have the list from the following URL:
> >>>>>
> >>>>> http://www.okean.com/sinokorea.txt
> >>>>>
> >>>>> I can parse just the first field easily enough with:
> >>>>>
> >>>>> cat sinokorea.txt | awk '{ print $1 }'
> >>>>>
> >>>>> The greylist (relaydelay in this case) wants to see block ranges as
> >>>>> incomplete octets if that makes sense.  For example, if I wanted to block
> >>>>> 218.232.x.x, I would simply add a block to "218.232"  It is my
> >>>>> understanding that it would take 218.232.0.0 literally and would only block
> >>>>> that IP address (yes, I know it's not valid).
> >>>>>
> >>>>> I have tried adding " | sed /.0.0.0// " to the previous command line but I
> >>>>> do not get the results I seek... it doesn't make sense.  I'm guessing that
> >>>>> expressions in sed for matching have some special meaning when a "."
> >>>>> character is used.
> >>>>>
> >>>>> And perhaps I am barking up the wrong tree entirely, but my end purpose is
> >>>>> to make entries in my relaydelay blacklist table to block out all of china,
> >>>>> korea and ultimately any country outside of the US that I care to.  (The
> >>>>> business I work for has no business need to receive email from outside of
> >>>>> the state, let alone outside of the country... so it's presumed to be spam
> >>>>> when it originates from outside of the USA.)
> >>>>>
> >>>>> Anyone know any special magic incantations to achieve this end?  I had
> >>>>> heard someone mention spamassassin rules that would elevate risk by country
> >>>>> of origin, but I cannot find anything on the net to document this yet...
> >>>
> >>> _______________________________________________
> >>> http://www.ntlug.org/mailman/listinfo/discuss
> >
> >
> >
>

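A stand-alone version of the range-to-octet-prefix conversion the quoted Perl script does with Net::CIDR, added here as an example (not from any poster in the thread), using only the Python standard library and a constructed sample list rather than the real sinokorea.txt. It also makes visible what the prefix notation hides: a range that is not a whole number of octets (a /10, a /23, an odd-length span) has to be expanded into many prefixes, so simply trimming trailing ".0.0" from the first field only works for ranges that happen to be exact /16s.

```python
import re
import ipaddress

# Constructed sample in the "start - end" layout the quoted Perl splits on;
# it is NOT the real sinokorea.txt.
SAMPLE_RANGES = """\
# constructed sample ranges (comment lines are skipped)
218.232.0.0 - 218.232.255.255
61.128.0.0 - 61.191.255.255
202.96.128.0 - 202.96.128.255
210.0.0.0 - 210.0.1.255
"""

def range_to_cidrs(start, end):
    """Minimal set of CIDR blocks covering start..end inclusive
    (the stand-in for Net::CIDR::range2cidr)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))

def cidr_to_octet_prefixes(net):
    """Whole-octet prefixes covering one CIDR block, the form relaydelay
    wants ("218.232" for 218.232.0.0/16).  A block that does not end on
    an octet boundary is expanded: a /10 becomes 64 two-octet prefixes,
    a /23 becomes two three-octet prefixes, a /31 two full addresses."""
    aligned = max(8, -(-net.prefixlen // 8) * 8)   # round up to 8/16/24/32
    keep = aligned // 8                              # octets to print
    return [".".join(str(sub.network_address).split(".")[:keep])
            for sub in net.subnets(new_prefix=aligned)]

def ranges_to_blacklist(text):
    """Turn 'start - end' lines into relaydelay blacklist prefixes.
    Comment and blank lines are skipped; unparsable lines are dropped,
    as the quoted script's eval {} does."""
    prefixes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            start, end = re.split(r"[\s-]+", line)[:2]
            nets = range_to_cidrs(start, end)
        except ValueError:          # bad address, end < start, single field
            continue
        for net in nets:
            prefixes.extend(cidr_to_octet_prefixes(net))
    return prefixes

if __name__ == "__main__":
    print("\n".join(ranges_to_blacklist(SAMPLE_RANGES)))
```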
