Posted to users@spamassassin.apache.org by Dan <a...@patnode.net> on 2006/05/01 09:15:27 UTC

Blocking IPs

I'm building a list of IP ranges (currently CIDRs) and want to use  
them to:

1) Tag/block messages that arrive (directly and indirectly) from IPs  
in these ranges

2) Tag/block messages with URIs that point to IPs in these ranges


What is the best way to define specific/fixed IP ranges for  
blocking?  Can the URI lookup system be configured to check A-record  
IPs against these lists or if needed, separately defined IP range lists?

Thanks,
Dan

Re: Blocking IPs

Posted by Alejandro Lengua <al...@gmail.com>.
Yeah,
It would be great to have SpamAssassin combined with tools like APF and BFD
(http://www.rfxnetworks.com/bfd.php)


On 5/1/06, Dan <a...@patnode.net> wrote:
>
> > SA does support ordinary DNS based blacklists using A record or TXT
> > record queries.
>
> Is there a text file way to do it, like?:
>
> header TEST1 CIDR /151.44.165.138\/24/
>
>
> Dan
>



--
Atentamente / Kind regards

Alejandro Lengua,

Re: Blocking IPs

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, May 01, 2006 at 03:38:27PM -0700, Dan wrote:
> Is there a text file way to do it, like?:
> header TEST1 CIDR /151.44.165.138\/24/

You could do that, or you could use the AccessDB plugin which would allow that
to be done easier.

-- 
Randomly Generated Tagline:
"Please do not blame Sendmail for every problem in the world." - Wietse Venema

Re: Blocking IPs

Posted by Dan <a...@patnode.net>.
> Can be done with brute-force rule creation, EG:
>
>   # ISKIMARO 66.55.160.0/19  (12/8/05) SBL11507
>   header L_RCVD_SPAMMER161     Received =~ /\[66\.55\.1[678]\d\.\d{1,3}\]/
>   describe L_RCVD_SPAMMER161   ISKIMARO Spamhaus
>   score L_RCVD_SPAMMER161      1.5
>
> Bit of a pain to maintain but does work.


The only SA feature I like more than "eval:helo_ip_mismatch()" is the  
meta system.  Thinking about this overnight, I have a whole new  
approach:


PROBLEM
SpamHaus is good but not perfect, most entries (old and new) can be  
blocked outright.


OLD SOLUTION
Create duplicate positive entries (IP/RBL) to catch most of what  
SpamHaus says should be positive.  Result: huge private list of  
spammers to build and maintain.


NEW SOLUTION
Create duplicate negative entries (IP/RBL) to uncatch some of what  
SpamHaus says should be positive.  Result: small private list of  
exceptions to build and maintain.  Something like:

__PublicSpamHaus
__AntiSpamHaus

meta    SpamHausCapture    __PublicSpamHaus && !__AntiSpamHaus


...basically, micro whitelisting.


Dan


Re: Blocking IPs

Posted by Dan <a...@patnode.net>.
> Can be done with brute-force rule creation, EG:
>
>   # ISKIMARO 66.55.160.0/19  (12/8/05) SBL11507
>   header L_RCVD_SPAMMER161     Received =~ /\[66\.55\.1[678]\d\.\d{1,3}\]/
>   describe L_RCVD_SPAMMER161   ISKIMARO Spamhaus
>   score L_RCVD_SPAMMER161      1.5
>
> Bit of a pain to maintain but does work.

I see what you mean, David.  And your example reminds me of one of my  
professional spammer techniques: score Spamhaus entries and then  
manually block those spam producing IP entries I agree with.

I just need to let go of my text file 'unified system' mind set and  
adopt the modular approach SA prefers.  Once configured, several  
private dnsbl's will probably be pretty sweet.  It's just a whole  
other layer of things to learn and configure.

Dan

Re: Blocking IPs

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 1 May 2006, Dan wrote:

> Bummer.  That works with absolute blocking, like with narrow
> professional spammer ranges, but not so well with IP based suspect
> ISP, country or regional scoring for mixed spam/ham.  I'll keep looking.

Can be done with brute-force rule creation, EG:

  # ISKIMARO 66.55.160.0/19  (12/8/05) SBL11507
  header L_RCVD_SPAMMER161     Received =~ /\[66\.55\.1[678]\d\.\d{1,3}\]/
  describe L_RCVD_SPAMMER161   ISKIMARO Spamhaus
  score L_RCVD_SPAMMER161      1.5

Bit of a pain to maintain but does work.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
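The two rule styles discussed in this thread, David's brute-force Received-header rule for a CIDR and Dan's `__PublicSpamHaus && !__AntiSpamHaus` meta, can be generated rather than hand-typed. The following is an added example, not code from the thread or from the SpamAssassin project: it turns IPv4 CIDR blocks into the octet regexes a `header ... Received =~` rule needs (covering a block to its last address, so a /19 that ends at 66.55.191.255 is not cut short by a hand-written octet class) and emits the blocked/excepted/meta trio. Rule names, the exception /24 and the sample Received values are constructed.

```python
import ipaddress
import re

def _range_regex(lo, hi):
    r"""Alternation for the integers in [lo, hi] (0..255), e.g. 160-191 -> 1[6-8]\d|19[0-1]."""
    alts = []
    for seg_lo, seg_hi in ((0, 9), (10, 99), (100, 255)):  # one digit-length at a time
        a, b, digits = max(lo, seg_lo), min(hi, seg_hi), len(str(seg_lo))
        while a <= b:
            step = 1  # widest aligned 10**k block that starts at a and fits in [a, b]
            while a % (step * 10) == 0 and a + step * 10 - 1 <= b and step * 10 < 10 ** digits:
                step *= 10
            end = a + step - 1
            while end + step <= b and (end + 1) // (step * 10) == a // (step * 10):
                end += step  # merge neighbouring blocks that differ in one digit only
            prefix = str(a // (step * 10)) if a // (step * 10) else ""
            d0, d1 = (a // step) % 10, (end // step) % 10
            digit = str(d0) if d0 == d1 else "[%d-%d]" % (d0, d1)
            alts.append(prefix + digit + r"\d" * (len(str(step)) - 1))
            a = end + 1
    return "|".join(alts)

def cidr_to_regex(cidr):
    """Regex for every dotted-quad address in an IPv4 CIDR block, boundaries included."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    parts = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        if lo == hi:
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):
            parts.append(r"\d{1,3}")  # fully free octet: the shorthand the posted rule uses
        else:
            parts.append("(?:%s)" % _range_regex(lo, hi))
    return r"\.".join(parts)

def received_hit(cidrs, received_value):
    """True if the bracketed relay address in a Received header value is in any range."""
    pat = r"\[(?:%s)\]" % "|".join(map(cidr_to_regex, cidrs))
    return re.search(pat, received_value) is not None

def sa_rules(name, block_cidrs, except_cidrs, score, describe):
    """Emit the thread's '__Public && !__Anti' pattern with both sub-rules generated."""
    rcvd, exc = ("|".join(map(cidr_to_regex, c)) for c in (block_cidrs, except_cidrs))
    return "\n".join([
        r"header __%s_RCVD Received =~ /\[(?:%s)\]/" % (name, rcvd),
        r"header __%s_EXCEPT Received =~ /\[(?:%s)\]/" % (name, exc),
        "meta %s __%s_RCVD && !__%s_EXCEPT" % (name, name, name),
        "describe %s %s" % (name, describe),
        "score %s %s" % (name, score),
    ])
```

Note that SpamAssassin evaluates the `Received` rule against every Received header in the message, so the `_EXCEPT` sub-rule suppresses the hit when any relay in the chain falls in an excepted range, not only the one that also matched the blocked range.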

Re: Blocking IPs

Posted by Dan <a...@patnode.net>.
> No. You can set up your own rbldnsd, but that's about as close as  
> you get.
>
> Most of us who have an explicit IP or IP range we want to block either
> use our firewalls, or our MTA access controls to deny the message before
> it ever gets delivered. This saves us considerable bandwidth and
> processing time.

Bummer.  That works with absolute blocking, like with narrow  
professional spammer ranges, but not so well with IP based suspect  
ISP, country or regional scoring for mixed spam/ham.  I'll keep looking.

Thanks again,
Dan

Re: Blocking IPs

Posted by Matt Kettler <mk...@comcast.net>.
Dan wrote:
>> SA does support ordinary DNS based blacklists using A record or TXT
>> record queries.
>
> Is there a text file way to do it, like?:
>
> header TEST1 CIDR /151.44.165.138\/24/

No. You can set up your own rbldnsd, but that's about as close as you get.

Most of us who have an explicit IP or IP range we want to block either
use our firewalls, or our MTA access controls to deny the message before
it ever gets delivered. This saves us considerable bandwidth and
processing time.

Re: Blocking IPs

Posted by Dan <a...@patnode.net>.
> SA does support ordinary DNS based blacklists using A record or TXT
> record queries.

Is there a text file way to do it, like?:

header TEST1 CIDR /151.44.165.138\/24/


Dan

Re: Blocking IPs

Posted by Matt Kettler <mk...@comcast.net>.
Dan wrote:
> I'm building a list of IP ranges (currently CIDRs) and want to use
> them to:
>
> 1) Tag/block messages that arrive (directly and indirectly) from IPs
> in these ranges
>
> 2) Tag/block messages with URIs that point to IPs in these ranges
>
>
> What is the best way to define specific/fixed IP ranges for blocking? 
> Can the URI lookup system be configured to check A-record IPs against
> these lists or if needed, separately defined IP range lists?
SA does support ordinary DNS based blacklists using A record or TXT
record queries.

See the default 20_dnsbl_tests.cf for examples.

http://spamassassin.apache.org/full/3.1.x/dist/rules/20_dnsbl_tests.cf

It also supports URI lookups, through another plugin:
http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html

And some associated rules:
http://spamassassin.apache.org/full/3.1.x/dist/rules/25_uribl.cf
>
> Thanks,
> Dan
>