Posted to users@spamassassin.apache.org by tb...@txbweb.de on 2019/08/24 18:27:03 UTC

How to block mails from unknown ip addresses?

Hello,

I would like to block mails from IP addresses that can't be found. There 
is a tricky spam series getting a low score. Currently I can block the 
mails just by scoring the TLD.

I use the RelayCountry plugin, but it doesn't work if the IP address is 
not available.

header          RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country 
codes)/
describe        RELAYCOUNTRY_BAD Relayed through spam country at some 
point
score           RELAYCOUNTRY_BAD 3.5


Here is some info from an example header:

X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 
tests=[AM.WBL=7,
         BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
DKIM_VALID_AU=-0.1,
         DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
         FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
         RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
         T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; 
d=strapdebut.pro;
  h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; 
i=nonsense@strapdebut.pro;
  bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
  
b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
    
3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
    HOR8Zr3N45GuMa5iHdc=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; 
d=strapdebut.pro;
  
b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
    
O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
    SmcUvgGYccNp65I07nQ=;
 From: " Carol Yates" <no...@strapdebut.pro>
Date: Sat, 24 Aug 2019 12:48:11 -0500
MIME-Version: 1.0
Subject: ACs are going to be extinct after this discovery



Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM 
{RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5] 
<no...@strapdebut.pro> -> <us...@domain>, quarantine: 
N/spam-NHIkGYse9Osv.gz, Message-ID: 
<AE...@strapdebut.pro>, 
mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms


# geoiplookup 45.141.151.5
GeoIP Country Edition: IP Address not found
GeoIP City Edition, Rev 1: IP Address not found
GeoIP ASNum Edition: IP Address not found

None of the mails is listed at hostkarma.junkemailfilter.com. I also use 
junkemailfilter to score spam.

Thanks for any help!

Thomas Barth
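
The rule above only scores relays whose country the plugin could name. The RelayCountry plugin fills the X-Relay-Countries pseudo-header with one code per untrusted relay: a country code, "**" for a private address, or "XX" when the address is not in the country database. The case asked about here can therefore be scored directly. The local.cf fragment below is an added example for this thread, not configuration from the original post; the rule names, scores, country list and network addresses are illustrative choices.

```conf
# Added example (not from the original post): a local.cf fragment that scores
# a relay the RelayCountry plugin could not place at all. X-Relay-Countries
# holds one code per untrusted relay: a country code, "**" for a private
# address, or "XX" when the address is not in the country database.
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# Your own MX must be inside internal_networks/trusted_networks, otherwise it
# is treated as an untrusted relay and its own country lands in the list.
# (The addresses here are assumptions; use the real WAN addresses of the MX.)
internal_networks 192.0.2.0/24
trusted_networks  192.0.2.0/24

# Existing rule: relayed through a listed country (the list is an example).
header   RELAYCOUNTRY_BAD     X-Relay-Countries =~ /\b(?:TR|CN|RU)\b/
describe RELAYCOUNTRY_BAD     Relayed through a listed country at some point
score    RELAYCOUNTRY_BAD     3.5

# Added rule: relayed through an address the country database does not know.
# Kept low on purpose: freshly allocated ranges and any stale database also
# produce XX, so this adds to other evidence rather than deciding on its own.
header   RELAYCOUNTRY_UNKNOWN X-Relay-Countries =~ /\bXX\b/
describe RELAYCOUNTRY_UNKNOWN Relayed via an IP missing from the country database
score    RELAYCOUNTRY_UNKNOWN 1.5

# Show the plugin's verdict in the headers, so a quarantined message reveals
# whether the relay was resolved (TR), unresolved (XX) or private (**).
add_header all Relay-Country _RELAYCOUNTRY_
```

With the add_header line in place, the X-Spam-Status of the quoted message would be accompanied by a Relay-Country header reading XX for 45.141.151.5 as long as the database does not know the address, which is the quickest way to confirm that the plugin ran and what it saw before tuning the score.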


Re: How to block mails from unknown ip addresses?

Posted by tb...@txbweb.de.
On 2019-08-25 00:12, Benny Pedersen wrote:

>> 
>> header          RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of 
>> country codes)/
>> describe        RELAYCOUNTRY_BAD Relayed through spam country at some 
>> point
>> score           RELAYCOUNTRY_BAD 3.5
> 
> correct rule, but geoip is not working in your install

Hello,

geoip is working if geoiplookup has a valid country. Here is a result when 
the IP address can be found (RELAYCOUNTRY_BAD=3.5 in the test list).

---
X-Spam-Status: Yes, score=15.393 tag=2 tag2=6.31 kill=6.31 
tests=[AM.WBL=7,
         BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
DKIM_VALID_AU=-0.1,
         DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
         FSL_BULK_SIG=1.596, HTML_EMBEDS=0.001, HTML_MESSAGE=0.001,
         PYZOR_CHECK=1.392, RDNS_NONE=0.793, RELAYCOUNTRY_BAD=3.5,
         SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01,
         URIBL_RED=0.001] autolearn=no autolearn_force=no
---

The Turkish spammer uses a DKIM signature for each dirty domain and 
changes the IP addresses.

---
Received: from habitmarsh.pro (unknown [185.81.154.251])
         by mx2.level5.de (Postfix) with ESMTP
         for <cs...@level5.de>; Sat, 24 Aug 2019 14:46:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; 
d=habitmarsh.pro;
  h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; 
i=restless@habitmarsh.pro;
  bh=2t5Wf+4FfcbFXk3qlpUtl7hNcLY=;
  
b=BYPTXPtYMghNg+QpgG9WEYjd2FPjtRVS7rAfCCPt4hO6v7Fzo2ZK5YWiOBWtXPXKWFb9X6u7OQ8G
    
Db9pXFfiYN+p76hpn/dPWLCH8G3kuJakwjthtuBG85wzytnelGph79TzqTXZGylltHv3JQOoPJca
    NHrcpHXgh+sVKHit2yw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; 
d=habitmarsh.pro;
  
b=dYV5l2FhyapgbC8/s1SXbQacaxUiqlIWFCNDtBvzfV2E9+7wS61Ppqxufk1tZyYgVRLnj+1wrzZC
    
NKFQfvNL7TVSgk8u14S8ptc4q0tfE+uQ886w9ZuxOHQ+7jOasm+AW84BJm6fI3n7jEPL1xZC2bqx
    wJOICRNUrJ+k9XVHhag=;
 From: " Timothy Long" <re...@habitmarsh.pro>
Date: Sat, 24 Aug 2019 07:42:21 -0500
MIME-Version: 1.0
Subject: Boost your internet with this without upgrading your plan
---

Re: How to block mails from unknown ip addresses?

Posted by RW <rw...@googlemail.com>.
On Sun, 25 Aug 2019 00:12:20 +0200
Benny Pedersen wrote:

> > None of the mails is listed at hostkarma.junkemailfilter.com. I also
> > use junkemailfilter to score spam.  
> 
> unmaintained now

I wasn't aware of that, but I see Marc Perkel died in August 2018.

Re: HostKarma status (was Re: How to block mails from unknown ip addresses?)

Posted by Benny Pedersen <me...@junc.eu>.
Rob McEwen wrote on 2019-08-25 04:59:

> Not true. It is under _different_ management now. They are struggling
> a little because of the large learning curve of abruptly stepping into
> someone else's shoes on short notice, with lots of proprietary
> code/processes. Some months ago, I talked to the main tech person over
> there and he is a smart/good guy who is making MUCH progress. So it
> looks like HostKarma is going to survive for the long term.

I wrote it to make a point: if the maintainers of the site are preparing 
to come back I would love to see it, it's just that using data that is 
old is not always preferable. We will all die one day, and on that day 
nobody will know me anyway :=)

Can I provide abuse data to the new site owners, who still remain 
anonymous members here?

1400 IPv4 addresses are blocked here for trying SASL auth on port 25; 
maybe I will extend it to postscreen data. If that's Postfix that is 
configured badly, I would like to help solve it.

HostKarma status (was Re: How to block mails from unknown ip addresses?)

Posted by Rob McEwen <ro...@invaluement.com>.
On 8/24/2019 6:12 PM, Benny Pedersen wrote:
>> None of the mails is listed at hostkarma.junkemailfilter.com. I also
>> use junkemailfilter to score spam.
> unmaintained now 


(BCC'ed to new HostKarma mgmt)

Not true. It is under /different/ management now. They are struggling a 
little because of the large learning curve of abruptly stepping into 
someone else's shoes on short notice, with lots of proprietary 
code/processes. Some months ago, I talked to the main tech person over 
there and he is a smart/good guy who is making MUCH progress. So it 
looks like HostKarma is going to survive for the long term.

-- 
Rob McEwen
https://www.invaluement.com



Re: How to block mails from unknown ip addresses?

Posted by Benny Pedersen <me...@junc.eu>.
tbarth@txbweb.de wrote on 2019-08-24 20:27:
> Hello,
> 
> I would like to block mails from IP addresses that can't be found.
> There is a tricky spam series getting a low score. Currently I can
> block the mails just by scoring the TLD.
> 
> I use the RelayCountry plugin, but it doesn't work if the IP address is
> not available.
> 
> header          RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country 
> codes)/
> describe        RELAYCOUNTRY_BAD Relayed through spam country at some 
> point
> score           RELAYCOUNTRY_BAD 3.5

correct rule, but geoip is not working in your install

> 
> Here some infos of an header examples
> 
> X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 
> tests=[AM.WBL=7,
>         BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
> DKIM_VALID_AU=-0.1,
>         DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
>         FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
>         RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
>         T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
> 
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; 
> d=strapdebut.pro;
>  h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type;
> i=nonsense@strapdebut.pro;
>  bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
>  
> b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
>    
> 3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
>    HOR8Zr3N45GuMa5iHdc=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; 
> d=strapdebut.pro;
>  
> b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
>    
> O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
>    SmcUvgGYccNp65I07nQ=;
> From: " Carol Yates" <no...@strapdebut.pro>
> Date: Sat, 24 Aug 2019 12:48:11 -0500
> MIME-Version: 1.0
> Subject: ACs are going to be extinct after this discovery
> 
> 

if the DKIM signed domain is the spamming domain, you could then make a 
header test for this as well

> 
> Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM
> {RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5]
> <no...@strapdebut.pro> -> <us...@domain>, quarantine:
> N/spam-NHIkGYse9Osv.gz, Message-ID:
> <AE...@strapdebut.pro>,
> mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms
> 

amavisd is missing your WAN IPs, so it thinks you are an open relay, so 
the policy banks are incorrectly selected

> 
> # geoiplookup 45.141.151.5
> GeoIP Country Edition: IP Address not found
> GeoIP City Edition, Rev 1: IP Address not found
> GeoIP ASNum Edition: IP Address not found

make sure geoip is installed correctly

> None of the mails is listed at hostkarma.junkemailfilter.com. I also
> use junkemailfilter to score spam.

unmaintained now

Re: How to block mails from unknown ip addresses?

Posted by RW <rw...@googlemail.com>.
On Mon, 26 Aug 2019 09:07:47 +0200
Giovanni Bechis wrote:

> Updated geo databases are DB_File and GeoIP2 (fast does not support
> ipv6 and geoip is outdated). For DB_File you can/should update
> whenever you want but you do not have city info, for GeoIP2 you have
> more info ...

Just to be clear, Maxmind provides versions with or without city
information. AFAIK the only reason for using the much larger city
version with RelayCountry.pm is if you need that file for something
else. 

Re: How to block mails from unknown ip addresses?

Posted by Giovanni Bechis <gi...@paclan.it>.
On 8/26/19 9:01 AM, Dominic Raferd wrote:
> 
> 
> On Sun, 25 Aug 2019 at 20:16, <tbarth@txbweb.de> wrote:
> 
>     On 2019-08-25 20:54, Matus UHLAR - fantomas wrote:
> 
>     > I don't think you should download geoip postgres modules when what you
>     > really need is apparently more recent database.
>     >
>     > Debian SA package suggests installing libgeo-ip-perl which further
>     > recommends geoip-database.
>     >
>     > buster contains version 20181108-1, while buster-backports contains
>     > version
>     > 20190724-1~bpo10+1
>     > Your problem could apparently be solved by installing the backported
>     > geoip-database
>     > version.
> 
>     I tried this already (described in e-Mail at 4:53 pm), but the ip
>     address 45.141.151.5 wasn't in the backport geoip-database.
> 
>     >> Maybe I have tomatoes on my eyes. I can't find the right debian
>     >> package with the DB_File-Module. Do you or someone else know which
>     >> package does contain the module? I don't use the cpan shell for
>     >> installing modules.
>     >
>     > it's very good that you don't use these. They can make a mess on a
>     > Debian system. Only install Debian packages unless you really need
>     > and can take
>     > care of manually installed packages.
> 
>     Yes, as you can see I got a warning and I installed the
>     liblocale-codes-perl package.
> 
>     # ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
>     Locale::Country will be removed from the Perl core distribution in the
>     next major release. Please install the separate liblocale-codes-perl
>     package. It is being used at ./pgeoiplookup.pl, line 35.
>     Locale::Codes will be removed from the Perl core distribution in the
>     next major release. Please install the separate liblocale-codes-perl
>     package. It is being used at /usr/share/perl/5.28/Locale/Country.pm,
>     line 22.
>     GeoIP version 1566699945: TR, Turkey
> 
> 
> This has worked for me on Debian derivatives (Ubuntu...) to install GeoIP2 with the much faster XS implementation:
> 
> cpan App::cpanminus &&\
> add-apt-repository -y ppa:maxmind/ppa &&\
> apt install libmaxminddb0 libmaxminddb-dev mmdb-bin &&\
> cpanm Math::Int128 &&\
> cpanm Net::Works::Network &&\
> cpanm MaxMind::DB::Reader::XS &&\
> cpanm GeoIP2::Database::Reader
> 
Updated geo databases are DB_File and GeoIP2 (Fast does not support IPv6 and GeoIP is outdated).
For DB_File you can/should update whenever you want but you do not have city info; for GeoIP2 you have more info but you
should wait for Maxmind to update the database.

 Giovanni

Re: How to block mails from unknown ip addresses?

Posted by Dominic Raferd <do...@timedicer.co.uk>.
On Sun, 25 Aug 2019 at 20:16, <tb...@txbweb.de> wrote:

> On 2019-08-25 20:54, Matus UHLAR - fantomas wrote:
>
> > I don't think you should download geoip postgres modules when what you
> > really need is apparently more recent database.
> >
> > Debian SA package suggests installing libgeo-ip-perl which further
> > recommends geoip-database.
> >
> > buster contains version 20181108-1, while buster-backports contains
> > version
> > 20190724-1~bpo10+1
> > Your problem could apparently be solved by installing the backported
> > geoip-database
> > version.
>
> I tried this already (described in e-Mail at 4:53 pm), but the ip
> address 45.141.151.5 wasn't in the backport geoip-database.
>
> >> Maybe I have tomatoes on my eyes. I can't find the right debian
> >> package with the DB_File-Module. Do you or someone else know which
> >> package does contain the module? I don't use the cpan shell for
> >> installing modules.
> >
> > it's very good that you don't use these. They can make a mess on a
> > Debian system. Only install Debian packages unless you really need
> > and can take
> > care of manually installed packages.
>
> Yes, as you can see I got a warning and I installed the
> liblocale-codes-perl package.
>
> # ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
> Locale::Country will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at ./pgeoiplookup.pl, line 35.
> Locale::Codes will be removed from the Perl core distribution in the
> next major release. Please install the separate liblocale-codes-perl
> package. It is being used at /usr/share/perl/5.28/Locale/Country.pm,
> line 22.
> GeoIP version 1566699945: TR, Turkey
>

This has worked for me on Debian derivatives (Ubuntu...) to install GeoIP2
with the much faster XS implementation:

cpan App::cpanminus &&\
add-apt-repository -y ppa:maxmind/ppa &&\
apt install libmaxminddb0 libmaxminddb-dev mmdb-bin &&\
cpanm Math::Int128 &&\
cpanm Net::Works::Network &&\
cpanm MaxMind::DB::Reader::XS &&\
cpanm GeoIP2::Database::Reader

Re: How to block mails from unknown ip addresses?

Posted by tb...@txbweb.de.
On 2019-08-25 20:54, Matus UHLAR - fantomas wrote:

> I don't think you should download geoip postgres modules when what you
> really need is apparently more recent database.
> 
> Debian SA package suggests installing libgeo-ip-perl which further
> recommends geoip-database.
> 
> buster contains version 20181108-1, while buster-backports contains 
> version
> 20190724-1~bpo10+1
> Your problem could apparently be solved by installing the backported 
> geoip-database
> version.

I tried this already (described in e-Mail at 4:53 pm), but the ip 
address 45.141.151.5 wasn't in the backport geoip-database.

>> Maybe I have tomatoes on my eyes. I can't find the right debian 
>> package with the DB_File-Module. Do you or someone else know which 
>> package does contain the module? I don't use the cpan shell for 
>> installing modules.
> 
> it's very good that you don't use these. They can make a mess on a
> Debian system. Only install Debian packages unless you really need and 
> can take
> care of manually installed packages.

Yes, as you can see I got a warning and I installed the 
liblocale-codes-perl package.

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Locale::Country will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at ./pgeoiplookup.pl, line 35.
Locale::Codes will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at /usr/share/perl/5.28/Locale/Country.pm, 
line 22.
GeoIP version 1566699945: TR, Turkey



Re: How to block mails from unknown ip addresses?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 2019-08-25 17:34, Giovanni Bechis wrote:
>>sorry, it's a tool I wrote to check ip addresses using ipcc.db 
>>databases.
>>https://github.com/bigio/pgeoiplookup

On 25.08.19 20:26, tbarth@txbweb.de wrote:
>https://cwiki.apache.org/confluence/display/spamassassin/RelayCountryPlugin
>
>I've downloaded a db_file to an optional directory and set the 
>variable "country_db_path" in /etc/spamassassin/local.cf 
>(country_db_path /opt/ipcc/ipcc.db). spamassassin --lint displays no 
>errors. If that works I can configure a cronjob for downloading the db 
>file once a week.
>
>But I've a problem with your script.
>
>./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
>Can't locate IP/Country/DB_File.pm in @INC (you may need to install 
>the IP::Country::DB_File module) (@INC contains: /etc/perl 
>/usr/local/lib/x86_64-linux-gnu/perl/5.28.1 
>/usr/local/share/perl/5.28.1 /usr/lib/x86_64-linux-gnu/perl5/5.28 
>/usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.28 
>/usr/share/perl/5.28 /usr/local/lib/site_perl 
>/usr/lib/x86_64-linux-gnu/perl-base) at ./pgeoiplookup.pl line 34.

I don't think you should download geoip postgres modules when what you
really need is apparently more recent database.

Debian SA package suggests installing libgeo-ip-perl which further
recommends geoip-database.

buster contains version 20181108-1, while buster-backports contains version
20190724-1~bpo10+1
Your problem could apparently be solved by installing the backported 
geoip-database version. 

>Maybe I have tomatoes on my eyes. I can't find the right debian 
>package with the DB_File-Module. Do you or someone else know which 
>package does contain the module? I don't use the cpan shell for 
>installing modules.

it's very good that you don't use these. They can make a mess on a Debian
system. Only install Debian packages unless you really need and can take
care of manually installed packages.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]

Re: How to block mails from unknown ip addresses?

Posted by tb...@txbweb.de.
On 2019-08-25 17:34, Giovanni Bechis wrote:

> sorry, it's a tool I wrote to check ip addresses using ipcc.db 
> databases.
> https://github.com/bigio/pgeoiplookup


https://cwiki.apache.org/confluence/display/spamassassin/RelayCountryPlugin

I've downloaded a db_file to an optional directory and set the variable 
"country_db_path" in /etc/spamassassin/local.cf (country_db_path 
/opt/ipcc/ipcc.db). spamassassin --lint displays no errors. If that 
works I can configure a cronjob for downloading the db file once a week.

But I've a problem with your script.

./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Can't locate IP/Country/DB_File.pm in @INC (you may need to install the 
IP::Country::DB_File module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.28.1 /usr/local/share/perl/5.28.1 
/usr/lib/x86_64-linux-gnu/perl5/5.28 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl/5.28 /usr/share/perl/5.28 
/usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at 
./pgeoiplookup.pl line 34.

Maybe I have tomatoes on my eyes. I can't find the right debian package 
with the DB_File-Module. Do you or someone else know which package does 
contain the module? I don't use the cpan shell for installing modules.



Re: How to block mails from unknown ip addresses?

Posted by tb...@txbweb.de.
On 2019-08-25 17:34, Giovanni Bechis wrote:

>> Hello, I can't find pgeoiplookup in the repository. I'm using Debian
>> Buster (10.0), but the geoip database in this release is from
>> 2018-11-08. So I activated backports to get a newer version from testing
>> (https://tracker.debian.org/pkg/geoip-database).
>> 
> sorry, it's a tool I wrote to check ip addresses using ipcc.db 
> databases.
> https://github.com/bigio/pgeoiplookup
> 


Now I used the cpan shell. I thought it was a relic from the past. :)

  install IP::Country
  install IP::Country::DB_File

cpan[2]> exit
Terminal does not support GetHistory.
Lockfile removed.

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Locale::Country will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at ./pgeoiplookup.pl, line 35.
Locale::Codes will be removed from the Perl core distribution in the 
next major release. Please install the separate liblocale-codes-perl 
package. It is being used at /usr/share/perl/5.28/Locale/Country.pm, 
line 22.
GeoIP version 1566699945: TR, Turkey

# aptitude install liblocale-codes-perl
The following NEW packages will be installed:
   liblocale-codes-perl
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 250 kB of archives. After unpacking 2,406 kB will be used.
Get: 1 http://asi-fs-n.contabo.net/debian buster/main amd64 
liblocale-codes-perl all 3.60-1 [250 kB]
Fetched 250 kB in 0s (3,663 kB/s)
Selecting previously unselected package liblocale-codes-perl.
(Reading database ... 45022 files and directories currently installed.)
Preparing to unpack .../liblocale-codes-perl_3.60-1_all.deb ...
Unpacking liblocale-codes-perl (3.60-1) ...
Setting up liblocale-codes-perl (3.60-1) ...
Processing triggers for man-db (2.8.5-2) ...

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
GeoIP version 1566699945: TR, Turkey


Re: How to block mails from unknown ip addresses?

Posted by Giovanni Bechis <gi...@paclan.it>.
On Sun, Aug 25, 2019 at 04:53:36PM +0200, tbarth@txbweb.de wrote:
> On 2019-08-25 10:18, Giovanni Bechis wrote:
> > geoip 1.x is no longer updated, with 3.4.2+ you can use country_db_type
> > DB_File and it would
> > have matched that ip.
> > 
> > -------------------------------------------------
> > $ pgeoiplookup 45.141.151.5
> > GeoIP version 1566720869: TR, Turkey
> > -------------------------------------------------
> 
> Hello, I can't find pgeoiplookup in the repository. I'm using Debian 
> Buster (10.0), but the geoip database in this release is from 
> 2018-11-08. So I activated backports to get a newer version from testing 
> (https://tracker.debian.org/pkg/geoip-database).
> 
sorry, it's a tool I wrote to check ip addresses using ipcc.db databases.
https://github.com/bigio/pgeoiplookup

> # aptitude -t buster-backports install geoip-database
> 
> Get: 1 http://deb.debian.org/debian buster-backports/main amd64 
> geoip-database all 20190724-1~bpo10+1
> 
GeoIP databases are no longer updated by Maxmind, you should use a different
country_db_type in the RelayCountry plugin (db_file or geoip2) to detect new ip addresses.
 
 Giovanni

Re: How to block mails from unknown ip addresses?

Posted by tb...@txbweb.de.
On 2019-08-25 10:18, Giovanni Bechis wrote:
> geoip 1.x is no longer updated, with 3.4.2+ you can use country_db_type
> DB_File and it would
> have matched that ip.
> 
> -------------------------------------------------
> $ pgeoiplookup 45.141.151.5
> GeoIP version 1566720869: TR, Turkey
> -------------------------------------------------

Hello, I can't find pgeoiplookup in the repository. I'm using Debian 
Buster (10.0), but the geoip database in this release is from 
2018-11-08. So I activated backports to get a newer version from testing 
(https://tracker.debian.org/pkg/geoip-database).

# aptitude -t buster-backports install geoip-database

Get: 1 http://deb.debian.org/debian buster-backports/main amd64 
geoip-database all 20190724-1~bpo10+1

ls -al /usr/share/GeoIP/
total 36060
drwxr-xr-x   2 root root     4096 Aug 25 16:35 .
drwxr-xr-x 131 root root     4096 Aug 10 12:37 ..
-rw-r--r--   1 root root  4969864 Nov  8  2018 GeoIPASNum.dat
-rw-r--r--   1 root root 22104026 Nov  8  2018 GeoIPCity.dat
-rw-r--r--   1 root root  2022333 Jul 31 15:47 GeoIP.dat
-rw-r--r--   1 root root  7811745 Jul 31 15:47 GeoIPv6.dat

The database is from 2019-07-24, but the IP address is still unknown :-/

root@mx2:~# geoiplookup 45.141.151.5
GeoIP Country Edition: IP Address not found

Seems that these intelligent spammers tend to use really new IP addresses 
:)

Is there no solution for the RelayCountry plugin to get a score if an IP 
address can't be found? I don't need the newest databases because the IP 
addresses of good senders have existed longer.

Thomas Barth

Re: How to block mails from unknown ip addresses?

Posted by Giovanni Bechis <gi...@paclan.it>.
On Sat, Aug 24, 2019 at 08:27:03PM +0200, tbarth@txbweb.de wrote:
> Hello,
> 
> I would like to block mails from IP addresses that can't be found. There 
> is a tricky spam series getting a low score. Currently I can block the 
> mails just by scoring the TLD.
> 
> I use the RelayCountry plugin, but it doesn't work if the IP address is 
> not available.
> 
> header          RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country 
> codes)/
> describe        RELAYCOUNTRY_BAD Relayed through spam country at some 
> point
> score           RELAYCOUNTRY_BAD 3.5
> 
> 
> Here some infos of an header examples
> 
> X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31 
> tests=[AM.WBL=7,
>          BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
> DKIM_VALID_AU=-0.1,
>          DKIM_VALID_EF=-0.1, FROMSPACE=0.001, FROM_SUSPICIOUS_NTLD=0.5,
>          FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392,
>          RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
>          T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
> 
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; 
> d=strapdebut.pro;
>   h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; 
> i=nonsense@strapdebut.pro;
>   bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
>   
> b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
>     
> 3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
>     HOR8Zr3N45GuMa5iHdc=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; 
> d=strapdebut.pro;
>   
> b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
>     
> O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
>     SmcUvgGYccNp65I07nQ=;
>  From: " Carol Yates" <no...@strapdebut.pro>
> Date: Sat, 24 Aug 2019 12:48:11 -0500
> MIME-Version: 1.0
> Subject: ACs are going to be extinct after this discovery
> 
> 
> 
> Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM 
> {RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5] 
> <no...@strapdebut.pro> -> <us...@domain>, quarantine: 
> N/spam-NHIkGYse9Osv.gz, Message-ID: 
> <AE...@strapdebut.pro>, 
> mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms
> 
> 
> # geoiplookup 45.141.151.5
> GeoIP Country Edition: IP Address not found
> GeoIP City Edition, Rev 1: IP Address not found
> GeoIP ASNum Edition: IP Address not found
> 
geoip 1.x is no longer updated, with 3.4.2+ you can use country_db_type DB_File and it would
have matched that ip.

-------------------------------------------------
$ pgeoiplookup 45.141.151.5
GeoIP version 1566720869: TR, Turkey
-------------------------------------------------

 Giovanni
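
Both of Giovanni's replies come down to one change: the legacy GeoIP .dat files are no longer maintained, so however current the Debian geoip-database package is, recently allocated ranges like 45.141.151.5 stay unknown, and the plugin has to be pointed at a database that is still being updated. The local.cf fragment below is an added example for this thread, not the poster's configuration. It shows the legacy setting next to the DB_File setting for SpamAssassin 3.4.2+; the /opt/ipcc/ipcc.db path is the one used in the thread, and the GeoLite2 path in the commented alternative is an assumption.

```conf
# Added example (not from the thread). Needs Mail::SpamAssassin 3.4.2+ and,
# for the DB_File backend, the IP::Country::DB_File Perl module.
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# Before: the legacy GeoIP backend (Geo::IP over the .dat files under
# /usr/share/GeoIP). MaxMind stopped updating these, so a recently allocated
# range answers "IP Address not found" and the relay is reported as XX.
#country_db_type GeoIP

# After: the DB_File backend, reading ipcc.db built from the RIR delegation
# files (IP::Country::DB_File ships build_ipcc.pl for that; rebuild it from
# a cron job). The file must be readable by the user spamd/amavisd runs as,
# not only by root, or the lookup silently fails and XX comes back again.
country_db_type DB_File
country_db_path /opt/ipcc/ipcc.db

# Alternative: MaxMind's GeoLite2 database via GeoIP2::Database::Reader.
# Path is an assumption; use wherever geoipupdate writes the .mmdb file.
#country_db_type GeoIP2
#country_db_path /usr/share/GeoIP/GeoLite2-Country.mmdb
```

After the change, `spamassassin --lint` should stay clean, and running a quarantined copy of one of these messages through SpamAssassin again should turn the relay's entry in X-Relay-Countries from XX into TR, at which point the existing RELAYCOUNTRY_BAD rule fires on its own.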