Posted to users@spamassassin.apache.org by Dan <a...@patnode.net> on 2006/05/01 09:15:27 UTC
Blocking IPs
I'm building a list of IP ranges (currently CIDRs) and want to use
them to:
1) Tag/block messages that arrive (directly and indirectly) from IPs
in these ranges
2) Tag/block messages with URIs that point to IPs in these ranges
What is the best way to define specific/fixed IP ranges for
blocking? Can the URI lookup system be configured to check A-record
IPs against these lists or if needed, separately defined IP range lists?
Thanks,
Dan
Re: Blocking IPs
Posted by Alejandro Lengua <al...@gmail.com>.
Yeah,
It would be great to have SpamAssassin combined with tools like APF and BFD
(http://www.rfxnetworks.com/bfd.php)
On 5/1/06, Dan <a...@patnode.net> wrote:
>
> > SA does support ordinary DNS based blacklists using A record or TXT
> > record queries.
>
> Is there a text file way to do it, like?:
>
> header TEST1 CIDR /151.44.165.138\/24/
>
>
> Dan
>
--
Atentamente / Kind regards
Alejandro Lengua,
Re: Blocking IPs
Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, May 01, 2006 at 03:38:27PM -0700, Dan wrote:
> Is there a text file way to do it, like?:
> header TEST1 CIDR /151.44.165.138\/24/
You could do that, or you could use the AccessDB plugin which would allow that
to be done easier.
--
Randomly Generated Tagline:
"Please do not blame Sendmail for every problem in the world." - Wietse Venema
Re: Blocking IPs
Posted by Dan <a...@patnode.net>.
> Can be done with brute-force rule creation, EG:
>
> # ISKIMARO 66.55.160.0/19 (12/8/05) SBL11507
> header L_RCVD_SPAMMER161 Received =~ /\[66\.55\.1(?:[678]\d|9[01])\.\d{1,3}\]/
> describe L_RCVD_SPAMMER161 ISKIMARO Spamhaus
> score L_RCVD_SPAMMER161 1.5
>
> Bit of a pain to maintain but does work.
The only SA feature I like more than "eval:helo_ip_mismatch()" is the
meta system. Thinking about this overnight, I have a whole new
approach:
PROBLEM
SpamHaus is good but not perfect, most entries (old and new) can be
blocked outright.
OLD SOLUTION
Create duplicate positive entries (IP/RBL) to catch most of what
SpamHaus says should be positive. Result: huge private list of
spammers to build and maintain.
NEW SOLUTION
Create duplicate negative entries (IP/RBL) to uncatch some of what
SpamHaus says should be positive. Result: small private list of
exceptions to build and maintain. Something like:
__PublicSpamHaus
__AntiSpamHaus
meta SpamHausCapture __PublicSpamHaus && !__AntiSpamHaus
...basically, micro whitelisting.
Dan
Re: Blocking IPs
Posted by Dan <a...@patnode.net>.
> Can be done with brute-force rule creation, EG:
>
> # ISKIMARO 66.55.160.0/19 (12/8/05) SBL11507
> header L_RCVD_SPAMMER161 Received =~ /\[66\.55\.1(?:[678]\d|9[01])\.\d{1,3}\]/
> describe L_RCVD_SPAMMER161 ISKIMARO Spamhaus
> score L_RCVD_SPAMMER161 1.5
>
> Bit of a pain to maintain but does work.
I see what you mean David. And your example reminds me of one of my
professional spammer techniques: score Spamhaus entries and then
manually block those spam producing IP entries I agree with.
I just need to let go of my text file 'unified system' mind set and
adopt the modular approach SA prefers. Once configured, several
private dnsbls will probably be pretty sweet. It's just a whole
other layer of things to learn and configure.
Dan
Re: Blocking IPs
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 1 May 2006, Dan wrote:
> Bummer. That works with absolute blocking, like with narrow
> professional spammer ranges, but not so well with IP based suspect
> ISP, country or regional scoring for mixed spam/ham. I'll keep looking.
Can be done with brute-force rule creation, EG:
# ISKIMARO 66.55.160.0/19 (12/8/05) SBL11507
header L_RCVD_SPAMMER161 Received =~ /\[66\.55\.1(?:[678]\d|9[01])\.\d{1,3}\]/
describe L_RCVD_SPAMMER161 ISKIMARO Spamhaus
score L_RCVD_SPAMMER161 1.5
Bit of a pain to maintain but does work.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
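The brute-force Received rule above and Dan's "listed && !excepted" meta idea earlier in the thread can both be worked through in code. The following Python is an added example, not code from the thread and not part of SpamAssassin: it derives the octet character class from the prefix length instead of typing it by hand (a /19 such as 66.55.160.0/19 runs from .160 through .191), emits the same header/describe/score triple as the hand-written rule, pulls every bracketed relay address out of a message's Received headers so indirect arrivals are covered, and applies the meta logic with SpamAssassin's message-level semantics (each subrule is true if any hop matches). The rule name, CIDRs and the sample message are constructed for illustration; a real deployment would also honour trusted_networks so internal hops are ignored.

```python
"""Relay-IP blocking from a CIDR list, as discussed in this thread.

Added example, not SpamAssassin's own code.  All CIDRs and the sample
message below are constructed for illustration.
"""
import ipaddress
import re
from email import message_from_string


def octet_range_regex(lo, hi):
    """Regex matching the decimal integers lo..hi inclusive (no leading zeros)."""
    if lo == hi:
        return str(lo)
    parts, start = [], lo
    while start <= hi:
        # Widest 10^k-aligned block starting at `start` that fits inside the range.
        k = 0
        while start % 10 ** (k + 1) == 0 and start + 10 ** (k + 1) - 1 <= hi:
            k += 1
        if k == 0:
            end = min(hi, start - start % 10 + 9)  # stay within one tens prefix
            a, b = start % 10, end % 10
            parts.append(str(start)[:-1] + (str(a) if a == b else "[%d-%d]" % (a, b)))
        else:
            end = start + 10 ** k - 1
            prefix = str(start)[:-k]
            if prefix:
                parts.append(prefix + r"\d" * k)
            else:
                parts.append(r"\d" if k == 1 else r"\d{1,%d}" % k)
        start = end + 1
    return parts[0] if len(parts) == 1 else "(?:" + "|".join(parts) + ")"


def cidr_to_received_regex(cidr):
    """Regex matching '[a.b.c.d]' for every address in an IPv4 CIDR, which is
    how the connecting relay appears in a Received header."""
    net = ipaddress.ip_network(cidr, strict=False)
    octets = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        octets.append(r"\d{1,3}" if (lo, hi) == (0, 255) else octet_range_regex(lo, hi))
    return r"\[" + r"\.".join(octets) + r"\]"


def compile_cidr(cidr):
    """Compiled form of the generated regex, for testing against header text."""
    return re.compile(cidr_to_received_regex(cidr))


def sa_header_rule(name, cidr, score, describe=None):
    """Emit the header/describe/score triple for one CIDR, as in the thread."""
    return "\n".join([
        "header %s Received =~ /%s/" % (name, cidr_to_received_regex(cidr)),
        "describe %s %s" % (name, describe or cidr),
        "score %s %s" % (name, score),
    ])


_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """All bracketed IPv4 literals in the Received headers, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(_BRACKETED_IP.findall(header))
    return ips


def score_message(raw_message, block_cidrs, exception_cidrs, score=1.5):
    """Dan's meta rule, `CAPTURE = __LISTED && !__EXCEPTED`, with SA semantics:
    each subrule is true if *any* hop matches, so one excepted hop anywhere in
    the chain suppresses the whole score.  Returns (score_added, listed_hops)."""
    block = [ipaddress.ip_network(c, strict=False) for c in block_cidrs]
    allow = [ipaddress.ip_network(c, strict=False) for c in exception_cidrs]
    hops = []
    for ip in received_ips(raw_message):
        try:
            hops.append(ipaddress.ip_address(ip))
        except ValueError:  # e.g. "[999.1.1.1]" forged into a header: ignore it
            continue
    listed = [str(h) for h in hops if any(h in n for n in block)]
    excepted = any(h in n for h in hops for n in allow)
    return (score, listed) if listed and not excepted else (0.0, [])


# Constructed sample: relayed through an address inside 66.55.160.0/19 (the block
# quoted in the thread); 192.0.2.10 is a documentation-range address.
SAMPLE_MESSAGE = """\
Received: from mx1.example.invalid (mx1.example.invalid [192.0.2.10])
\tby mail.example.invalid with ESMTP; Mon, 1 May 2006 09:15:27 -0700
Received: from bulk.example.invalid (unknown [66.55.190.7])
\tby mx1.example.invalid with SMTP; Mon, 1 May 2006 09:15:20 -0700
From: sender@example.invalid
Subject: constructed test message

body text
"""

if __name__ == "__main__":
    print(sa_header_rule("L_RCVD_SPAMMER161", "66.55.160.0/19", 1.5, "ISKIMARO Spamhaus"))
    print(score_message(SAMPLE_MESSAGE, ["66.55.160.0/19"], []))
    print(score_message(SAMPLE_MESSAGE, ["66.55.160.0/19"], ["66.55.190.0/24"]))
```

Running the script prints a rule whose third-octet class is `(?:16\d|17\d|18\d|19[0-1])`, a 1.5 hit on the sample message, and a 0.0 once the /24 containing the relay is placed on the exception list. Because the exception is evaluated per message rather than per hop, a message that passes through one excepted relay and one listed relay scores nothing; if per-hop behaviour is wanted, the exception has to be folded into a single rule rather than expressed as a meta.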
Re: Blocking IPs
Posted by Dan <a...@patnode.net>.
> No. You can set up your own rbldnsd, but that's about as close as
> you get.
>
> Most of us who have an explicit IP or IP range we want to block either
> use our firewalls, or our MTA access controls to deny the message
> before
> it ever gets delivered. This saves us considerable bandwidth and
> processing time.
Bummer. That works with absolute blocking, like with narrow
professional spammer ranges, but not so well with IP based suspect
ISP, country or regional scoring for mixed spam/ham. I'll keep looking.
Thanks again,
Dan
Re: Blocking IPs
Posted by Matt Kettler <mk...@comcast.net>.
Dan wrote:
>> SA does support ordinary DNS based blacklists using A record or TXT
>> record queries.
>
> Is there a text file way to do it, like?:
>
> header TEST1 CIDR /151.44.165.138\/24/
No. You can set up your own rbldnsd, but that's about as close as you get.
Most of us who have an explicit IP or IP range we want to block either
use our firewalls, or our MTA access controls to deny the message before
it ever gets delivered. This saves us considerable bandwidth and
processing time.
Re: Blocking IPs
Posted by Dan <a...@patnode.net>.
> SA does support ordinary DNS based blacklists using A record or TXT
> record queries.
Is there a text file way to do it, like?:
header TEST1 CIDR /151.44.165.138\/24/
Dan
Re: Blocking IPs
Posted by Matt Kettler <mk...@comcast.net>.
Dan wrote:
> I'm building a list of IP ranges (currently CIDRs) and want to use
> them to:
>
> 1) Tag/block messages that arrive (directly and indirectly) from IPs
> in these ranges
>
> 2) Tag/block messages with URIs that point to IPs in these ranges
>
>
> What is the best way to define specific/fixed IP ranges for blocking?
> Can the URI lookup system be configured to check A-record IPs against
> these lists or if needed, separately defined IP range lists?
SA does support ordinary DNS based blacklists using A record or TXT
record queries.
See the default 20_dnsbl_tests.cf for examples.
http://spamassassin.apache.org/full/3.1.x/dist/rules/20_dnsbl_tests.cf
It also supports URI lookups, through another plugin:
http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html
And some associated rules:
http://spamassassin.apache.org/full/3.1.x/dist/rules/25_uribl.cf
>
> Thanks,
> Dan
>