Posted to users@spamassassin.apache.org by "Jon D. Slater" <Jo...@MesaNetworks.Net> on 2006/12/13 01:31:31 UTC
Good source for IP addresses by country
I know this is a bit off topic, but does anyone know a good source that
breaks down IP addresses by country?
I’ve added a number of IP addresses to my hosts.deny file just from
‘experience’.
My server never gets e-mail from countries outside of the US. So, I’m
looking for an effective way to block by country.
I’ve tried adding “.cn” and “.jp”, etc. but many ‘invaders’ come in by IP
address alone.
Any suggestions?
Thanks!
Jon
RE: Good source for IP addresses by country
Posted by "Coffey, Neal" <nc...@langeveld.com>.
Matt Kettler wrote:
> That said, if you want to score on the nerds rule, you'll need to
> modify it to not have __ in front of the name, and add a "score" line.
> Currently it's set up to be a sub-test for a meta rule.
No, that's what RCVD_IN_NERDS_CN and RCVD_IN_NERDS_KR are for. If he
scored __RCVD_IN_NERDS directly, he'd end up adding points to every
message from any country listed in their BL, not just the countries he'd
like to block.
If my understanding of the setup is correct (I've never written an RBL
rule), the __RCVD_IN_NERDS rule does the lookup, and stores the response
as 'nerds'. Then RCVD_IN_NERDS_CN compares the 'nerds' value to
'127.0.0.156', and if they're the same, the rule matches.
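The lookup-then-compare mechanism described above, as an added Python example that is not part of the original post: it builds the reversed-octet query name, decodes the 127.0.x.y answer, and evaluates sub-rules against the stored answer. It assumes the zone encodes the ISO 3166-1 numeric country code as x*256+y (consistent with China = 156 in the thread); the IPs and zone answers are constructed and no DNS query is made.

```python
import ipaddress

ZONE = "zz.countries.nerd.dk"  # zone name taken from the rules in this thread

def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this zone is queried with IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def encode_country(numeric):
    """Assumed encoding: ISO 3166-1 numeric N -> 127.0.(N >> 8).(N & 255)."""
    if not 0 < numeric < 1000:
        raise ValueError("ISO 3166-1 numeric codes are 1..999")
    return "127.0.%d.%d" % (numeric >> 8, numeric & 0xFF)

def decode_country(a_record):
    """Inverse of encode_country; None if the answer is not 127.0.x.y."""
    try:
        b = ipaddress.IPv4Address(a_record).packed
    except ValueError:
        return None
    if b[0] != 127 or b[1] != 0:
        return None
    return (b[2] << 8) | b[3]

def evaluate(relay_ip, answers, sub_rules):
    """Mimic the rule pair: one lookup (the __ parent rule), then each
    sub-rule compares the stored answer with its own address string."""
    answer = answers.get(query_name(relay_ip))  # None = not listed
    return sorted(name for name, want in sub_rules.items() if answer == want)

# Constructed data: documentation-range IPs and made-up zone answers.
ANSWERS = {
    query_name("192.0.2.10"): encode_country(156),    # 156 = China
    query_name("198.51.100.7"): encode_country(410),  # 410 = Rep. of Korea
}
SUB_RULES = {
    "RCVD_IN_NERDS_CN": "127.0.0.156",
    "RCVD_IN_NERDS_KR": encode_country(410),
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, query_name(ip), evaluate(ip, ANSWERS, SUB_RULES))
```

Under this encoding, codes above 255 spill into the third octet, so the Republic of Korea (410) corresponds to 127.0.1.154.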
Re: Good source for IP addresses by country
Posted by Matt Kettler <mk...@verizon.net>.
Peter Matulis wrote:
> --- Ken A <ka...@pacific.net> wrote:
>
>> Jon D. Slater wrote:
>>> I know this is a bit off topic, but does anyone know a good source
>>> that breaks down IP addresses by country?
>>>
>>> I’ve added a number of IP addresses to my hosts.deny file just from
>>> ‘experience’.
>>>
>>> My server never gets e-mail from countries outside of the US. So,
>>> I’m looking for an effective way to block by country.
>>
>> header __RCVD_IN_NERDS
>> eval:check_rbl('nerds','zz.countries.nerd.dk.')
>> describe __RCVD_IN_NERDS Received from a spam country
>> tflags __RCVD_IN_NERDS net
>>
>> header RCVD_IN_NERDS_CN
>> eval:check_rbl_sub('nerds','127.0.0.156')
>> describe RCVD_IN_NERDS_CN Received from China
>> tflags RCVD_IN_NERDS_CN net
>> score RCVD_IN_NERDS_CN 2.5
>>
>
> I tried this but my glue technology (amavisd-new) appears to spit
> errors when I run it in SA debug mode:
>
> [7771] info: config: SpamAssassin failed to parse line, no value
> provided for "header", skipping: header __RCVD_IN_NERDS
> [7771] info: config: failed to parse line, skipping:
> eval:check_rbl('nerds','zz.countries.nerd.dk.')
>
>
> What I did is add the following to local.cf:
>
> header __RCVD_IN_NERDS
> eval:check_rbl('nerds','zz.countries.nerd.dk.')
> describe __RCVD_IN_NERDS Received from a spam country
> tflags __RCVD_IN_NERDS net
Get rid of the extra line-wrap. That should be 3 lines each starting
with: "header" "describe" and "tflags".
That said, if you want to score on the nerds rule, you'll need to modify
it to not have __ in front of the name, and add a "score" line.
Currently it's set up to be a sub-test for a meta rule.
Re: Good source for IP addresses by country
Posted by Peter Matulis <pe...@yahoo.ca>.
--- Ken A <ka...@pacific.net> wrote:
>
> Jon D. Slater wrote:
> > I know this is a bit off topic, but does anyone know a good source
> > that breaks down IP addresses by country?
> >
> > I've added a number of IP addresses to my hosts.deny file just from
> > 'experience'.
> >
> > My server never gets e-mail from countries outside of the US. So,
> > I'm looking for an effective way to block by country.
>
> header __RCVD_IN_NERDS
> eval:check_rbl('nerds','zz.countries.nerd.dk.')
> describe __RCVD_IN_NERDS Received from a spam country
> tflags __RCVD_IN_NERDS net
>
> header RCVD_IN_NERDS_CN
> eval:check_rbl_sub('nerds','127.0.0.156')
> describe RCVD_IN_NERDS_CN Received from China
> tflags RCVD_IN_NERDS_CN net
> score RCVD_IN_NERDS_CN 2.5
I tried this but my glue technology (amavisd-new) appears to spit
errors when I run it in SA debug mode:
[7771] info: config: SpamAssassin failed to parse line, no value
provided for "header", skipping: header __RCVD_IN_NERDS
[7771] info: config: failed to parse line, skipping:
eval:check_rbl('nerds','zz.countries.nerd.dk.')
[7771] info: config: SpamAssassin failed to parse line, no value
provided for "header", skipping: header RCVD_IN_NERDS_CN
[7771] info: config: failed to parse line, skipping:
eval:check_rbl_sub('nerds','127.0.0.156')
[7771] info: config: SpamAssassin failed to parse line, no value
provided for "header", skipping: header RCVD_IN_NERDS_KR
[7771] info: config: failed to parse line, skipping:
eval:check_rbl_sub('nerds','127.0.0.154')
What I did is add the following to local.cf:
header __RCVD_IN_NERDS
eval:check_rbl('nerds','zz.countries.nerd.dk.')
describe __RCVD_IN_NERDS Received from a spam country
tflags __RCVD_IN_NERDS net
header RCVD_IN_NERDS_CN
eval:check_rbl_sub('nerds','127.0.0.156')
describe RCVD_IN_NERDS_CN Received from China
tflags RCVD_IN_NERDS_CN net
score RCVD_IN_NERDS_CN 2.0
header RCVD_IN_NERDS_KR
eval:check_rbl_sub('nerds','127.0.0.154')
describe RCVD_IN_NERDS_KR Received from Rep. of Korea
tflags RCVD_IN_NERDS_KR net
score RCVD_IN_NERDS_KR 2.0
Peter
Re: Good source for IP addresses by country
Posted by Ken A <ka...@pacific.net>.
Jon D. Slater wrote:
> I know this is a bit off topic, but does anyone know a good source that
> breaks down IP addresses by country?
>
> I’ve added a number of IP addresses to my hosts.deny file just from
> ‘experience’.
>
> My server never gets e-mail from countries outside of the US. So, I’m
> looking for an effective way to block by country.
header __RCVD_IN_NERDS eval:check_rbl('nerds','zz.countries.nerd.dk.')
describe __RCVD_IN_NERDS Received from a spam country
tflags __RCVD_IN_NERDS net

header RCVD_IN_NERDS_CN eval:check_rbl_sub('nerds','127.0.0.156')
describe RCVD_IN_NERDS_CN Received from China
tflags RCVD_IN_NERDS_CN net
score RCVD_IN_NERDS_CN 2.5
etc...
See http://countries.nerd.dk/ for more info.
Ken A
Pacific.Net
>
> I’ve tried adding “.cn” and “.jp”, etc. but many ‘invaders’ come in by IP
> address alone.
>
> Any suggestions?
>
> Thanks!
>
> Jon
Re: Good source for IP addresses by country
Posted by Ray Anderson <rs...@rb-com.com>.
My $.02, (and that's about all it's worth).
I was running a server with 1and1 who uses ip address blocks assigned to
Amsterdam.
The server was physically located in New York City.
I had several customers who could not send mail outbound because people
hate to receive mail from Amsterdam. Period.
After calling just about everyone on the planet, I gave up and moved the
server to a different provider (after checking the IP blocks).
-=Ray
Michele Neylon :: Blacknight wrote:
> You could simply use Geoip scoring using this lot:
> http://countries.nerd.dk/
>
> It's pretty effective..
>
> http://www.mneylon.com/blog/archives/2005/01/15/geo-specific-scoring/
>
> Regards
>
> Michele
>
>
>
Re: Good source for IP addresses by country
Posted by "John D. Hardin" <jh...@impsec.org>.
On Wed, 13 Dec 2006, Michele Neylon :: Blacknight wrote:
> You could simply use Geoip scoring using this lot:
> http://countries.nerd.dk/
If you're looking for hosts.allow or firewall-friendly CIDR format
entries, take a look at www.blackholes.us
You can get the zone files and CIDR files via rsync.
They also have data for certain large providers (sadly excluding
t-dialin).
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Good source for IP addresses by country
Posted by "Michele Neylon :: Blacknight" <mi...@blacknight.ie>.
You could simply use Geoip scoring using this lot:
http://countries.nerd.dk/
It's pretty effective..
http://www.mneylon.com/blog/archives/2005/01/15/geo-specific-scoring/
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions