Block entire Countries by IPs
- Posts: 14
- Joined: 11 Apr 2016 18:32
Hello everyone,
Just started using this wonderful product in our office, and while it is doing great, I would like to ask a few questions that, after searching, I have not found clear answers on how to perform.
1) How would I go about blocking entire IP ranges from countries? I use https://www.countryipblocks.net/country_selection.php
to pull a CIDR list of IPs, but how would I go about importing the list into EFA to reject or discard any email from countries I select?
2) Block all subdomains. I've used the /postfix/sender_access to block certain TLDs like .top and .pro.
Can I just add things like:
.domain.com to the same list to reject all emails from both that main domain and all subdomains?
3) Does SpamAssassin update on its own? Or does a shell command have to be run?
4) I'm noticing a lot of bulk emails (I know bulk emails are not unsolicited spam); however, how can I make the scoring of emails a little more aggressive?
5) How can I add a tag to identified bulk email, such as **Bulk**?
Re: Block entire Countries by IPs
Regarding your Block Countries question (northwindit's question 1 above):
You have the RelayCountry plugin in SpamAssassin that you can use like I do.
Inside /etc/MailScanner/spam.assassin.prefs.conf
I put:
Code:
# X-Relay-Countries is the pseudo-header the RelayCountry plugin fills with one
# country code per untrusted relay. The ^ anchor means only the FIRST entry in
# that list is tested; later relays in the chain are ignored.
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(RU|CN|KR|KP|IR)/
describe RELAYCOUNTRY_BAD Relayed through foreign countries
score RELAYCOUNTRY_BAD 4.5
header RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(IL)/
describe RELAYCOUNTRY_GOOD First trusted relay IPs from Israel :-)
score RELAYCOUNTRY_GOOD -0.2
I'm using the Postfix postscreen technique, so all those countries are stopped at the SMTP protocol level,
but if they get past, well, they get more points added to their total spam score, according to my regex rule in spam.assassin.prefs.conf
with the implementation of X-Relay-Countries.
But if they came from Israel, where all my mail server traffic comes from or goes to,
I'll lower their score a little.
I don't think you should use outright restrictions on countries in any case, but you have the option.
Check: https://wiki.apache.org/spamassassin/RelayCountryPlugin
Regards,
Zohman.
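Question 1 (how to import a CIDR list so EFA's Postfix rejects those ranges) is not actually answered in the thread; the reply above only says that postscreen does the blocking at SMTP level. The following is an added example, not code from this thread or from the EFA project, showing how a practitioner would turn such a list into a Postfix cidr: table for postscreen: validate every line, merge overlapping ranges, and emit one "network reject" line per range. The sample ranges are constructed documentation networks (RFC 5737 / RFC 3849), not any real country's allocation, and the table path /etc/postfix/postscreen_country.cidr is an assumed name.

```python
import ipaddress

# Constructed sample of a CIDR export (RFC 5737 / RFC 3849 documentation
# ranges, NOT a real country's allocation). Overlaps and junk are on purpose.
SAMPLE_CIDR_LIST = """\
# hypothetical export from a country-block site
203.0.113.0/24
203.0.113.128/25
198.51.100.0/25
198.51.100.128/25
2001:db8::/32
not-an-address
"""

# Assumed location for the generated table (not an EFA default).
TABLE_PATH = "/etc/postfix/postscreen_country.cidr"


def parse_cidr_list(text):
    """Parse one CIDR per line, ignoring blanks and '#' comments.

    Returns (networks, rejected); rejected holds (line_number, text) for
    anything that is not a valid network, so bad input is reported instead
    of silently becoming a hole in the block list.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set (10.1.2.3/24 -> 10.1.2.0/24)
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((lineno, raw))
    return networks, rejected


def collapse(networks):
    """Merge overlapping and adjacent networks. v4 and v6 are handled apart
    because ipaddress.collapse_addresses refuses mixed versions."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6))


def to_postfix_cidr_table(networks, action="reject"):
    """Render a Postfix cidr: table, one 'network action' line per range.
    cidr: tables need no postmap, but Postfix must be reloaded to see changes."""
    lines = ["# generated country block list; regenerate on a schedule"]
    for n in sorted(networks, key=lambda n: (n.version, n)):
        lines.append(f"{n.with_prefixlen} {action}")
    return "\n".join(lines) + "\n"


def lookup(networks, client_ip):
    """Emulate the table lookup: first network containing client_ip wins,
    None means no match (Postfix then falls through to the next list)."""
    ip = ipaddress.ip_address(client_ip)
    for n in networks:
        if n.version == ip.version and ip in n:
            return n
    return None


def build_table(text):
    """Whole pipeline: parse -> collapse -> render. Returns (table, rejected)."""
    networks, rejected = parse_cidr_list(text)
    return to_postfix_cidr_table(collapse(networks)), rejected


if __name__ == "__main__":
    table, rejected = build_table(SAMPLE_CIDR_LIST)
    print(table, end="")
    for lineno, raw in rejected:
        print(f"skipped line {lineno}: {raw!r}")
    # On the EFA host you would then write `table` to TABLE_PATH.
```

Point postscreen at the generated table in main.cf with `postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_country.cidr` and `postscreen_blacklist_action = drop` (newer Postfix spells it postscreen_denylist_action), then `postfix reload`; `postmap -q 203.0.113.77 cidr:/etc/postfix/postscreen_country.cidr` verifies a lookup without sending a message. Two caveats: a postscreen reject happens before MailScanner or SpamAssassin ever see the mail, so the only trace is the postscreen line in the mail log, not a score; and whole-country lists are coarse and go stale, so regenerate them on a schedule and keep the collapsed table small.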
Re: Block entire Countries by IPs
any idea how to debug the RelayCountry plugin?
I have added a rule just for testing:
Code:
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|DE)/
describe RELAYCOUNTRY_BAD Testing country relay plugin
score RELAYCOUNTRY_BAD 0.1
The plugin is activated:
Code:
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
# always show relaying countries in header
# (add_header names get the X-Spam- prefix, so this appears as X-Spam-Relay-Countries)
add_header all X-Relay-Countries _RELAYCOUNTRY_
yet no headers at all have been added to any incoming emails, nor has any email hit the filter, even though I did send a few emails from a German test server which should have scored the 0.1 :-/
Code:
spamassassin --lint
shows no error at all.
###edit###
Finally an email hit the filter:
Code:
0.10 RELAYCOUNTRY_BAD
but it didn't have the header added :-/
P.S. How can I check whether the RelayCountry plugin is using Geo::IP or IP::Country::Fast? (The reason I am asking is that both are installed and the filter doesn't hit with every IP from my test countries.)
- shawniverson
- Posts: 3777
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: Block entire Countries by IPs
Do you have these symlinks present and are they valid?
/usr/share/GeoIP
Code:
lrwxrwxrwx 1 root root 18 May 24 2015 GeoIP.dat -> GeoLiteCountry.dat
lrwxrwxrwx 1 root root 40 Mar 19 08:52 GeoLiteCountry.dat -> /var/www/html/mailscanner/temp/GeoIP.dat
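A scripted version of the check asked for above, "are the symlinks present and valid": this is an added example, not code from the thread or from the EFA project. It classifies every .dat entry in a GeoIP directory (dangling link, not a regular file, unreadable by the current user, older than a threshold, or ok) and prints the symlink chain the way the ls -l output shows it. The 60-day staleness threshold is an assumption, and the directory is whatever the caller passes in.

```python
import os
import time
from pathlib import Path


def check_geoip_dir(geoip_dir="/usr/share/GeoIP", max_age_days=60, now=None):
    """Classify every *.dat entry in geoip_dir.

    Returns {name: status} with status one of:
      "ok"         resolves to a readable regular file younger than max_age_days
      "dangling"   symlink whose final target does not exist
      "not-file"   target exists but is not a regular file (e.g. a directory)
      "unreadable" exists but the current user cannot read it (think of an
                   apache-owned file under /var/www/html/mailscanner/temp
                   that the scanner runs as a different user)
      "stale"      older than max_age_days (assumed threshold; an old GeoLite
                   database will misplace reassigned ranges)
    """
    now = time.time() if now is None else now
    results = {}
    for entry in sorted(Path(geoip_dir).iterdir()):
        if entry.suffix != ".dat":
            continue
        if not entry.exists():          # exists() follows links: False when dangling
            status = "dangling"
        elif not entry.is_file():
            status = "not-file"
        elif not os.access(entry, os.R_OK):
            status = "unreadable"
        elif now - entry.stat().st_mtime > max_age_days * 86400:
            status = "stale"
        else:
            status = "ok"
        results[entry.name] = status
    return results


def symlink_chain(path):
    """Return [path, target, target-of-target, ...] down to the final file,
    resolving relative link targets against the link's own directory
    (GeoIP.dat -> GeoLiteCountry.dat -> /var/www/.../GeoIP.dat in the thread).
    Stops on a loop instead of spinning forever."""
    chain = [str(path)]
    current = Path(path)
    seen = set()
    while current.is_symlink() and str(current) not in seen:
        seen.add(str(current))
        target = Path(os.readlink(current))
        if not target.is_absolute():
            target = current.parent / target
        chain.append(str(target))
        current = target
    return chain


if __name__ == "__main__":
    geoip = Path("/usr/share/GeoIP")
    for name, status in check_geoip_dir(geoip).items():
        print(f"{status:10} {' -> '.join(symlink_chain(geoip / name))}")
```

Run it as the user MailScanner actually runs under, not as root, or the "unreadable" case can never show up.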
Re: Block entire Countries by IPs
Looks good:
Code:
ls -al /usr/share/GeoIP
total 48248
drwxr-xr-x. 3 root root 4096 Jul 1 14:16 .
drwxr-xr-x. 101 root root 4096 Jun 4 07:48 ..
drwxr-xr-x 2 root root 4096 Apr 13 2015 download
lrwxrwxrwx. 1 root root 16 Mar 19 17:30 GeoIPASNum.dat -> GeoLiteASNum.dat
-rw-r--r--. 1 root root 4814990 Dec 11 2015 GeoIPASNumv6.dat
lrwxrwxrwx. 1 root root 15 Mar 19 17:30 GeoIPCity.dat -> GeoLiteCity.dat
lrwxrwxrwx. 1 root root 17 Mar 19 17:30 GeoIPCityv6.dat -> GeoLiteCityv6.dat
lrwxrwxrwx. 1 root root 18 Mar 19 17:31 GeoIP.dat -> GeoLiteCountry.dat
-rw-r--r--. 1 root root 1532813 Dec 11 2015 GeoIPv6.dat
-rw-r--r--. 1 root root 4021810 Dec 11 2015 GeoLiteASNum.dat
lrwxrwxrwx. 1 root root 16 Mar 19 17:30 GeoLiteASNumv6.dat -> GeoIPASNumv6.dat
-rw-r--r--. 1 root root 19148749 Dec 11 2015 GeoLiteCity.dat
-rw-r--r--. 1 root root 19867028 Dec 11 2015 GeoLiteCityv6.dat
lrwxrwxrwx. 1 root root 40 Mar 19 17:41 GeoLiteCountry.dat -> /var/www/html/mailscanner/temp/GeoIP.dat
Code:
ls -al /var/www/html/mailscanner/temp/GeoIP.dat
-rw-r--r-- 1 apache apache 890597 Jun 27 08:40 /var/www/html/mailscanner/temp/GeoIP.dat
Re: Block entire Countries by IPs
Hm, it started working with some meta rules, although the header still seems not to be added:
Code:
# Names starting with __ are sub-rules: evaluated but never scored on their
# own, only through the meta rules that reference them. The ^ anchor tests
# only the first country in X-Relay-Countries, not any relay "at some point".
# if BAYES 99 or 999 and relayed through bad country then amplify
header __RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|SU|TW|MD|JP|BR|US)/
meta _jacob_BAD_COUNTRY_PENALTY (__RELAYCOUNTRY_BAD && (BAYES_99 || BAYES_999))
describe _jacob_BAD_COUNTRY_PENALTY Relayed through dodgy countries at some point and BAYES SPAM
score _jacob_BAD_COUNTRY_PENALTY 1.5
# if BAYES 00 or WL and relayed through good country then lower score
header __RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(ZA|DE|BR)/
meta _jacob_GOOD_COUNTRY_BONUS (__RELAYCOUNTRY_GOOD && (BAYES_00 || BAYES_WL))
describe _jacob_GOOD_COUNTRY_BONUS Relayed through a good country and BAYES HAM
score _jacob_GOOD_COUNTRY_BONUS -1.00
Re: Block entire Countries by IPs
Where did you add these rules? Where is the file?
Re: Block entire Countries by IPs
This will add an extra 2.50 to the score of emails sent from those countries.
Add to this file:
/etc/mail/spamassassin/local.cf
# Only the first country in X-Relay-Countries is tested (the ^ anchor).
header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(NE|NG|AF|AX|AL|DZ|AS|AD|AO|AI|AG|AW|BS|BH|BB|BZ|BJ|BT|BO|BQ|BA|BW|BV|IO|BN|BF|BI|KH|CM|CV|KY|CF|CL|TD|CX|CC|CO|KM|CG|CD|CK|CI|CR|HR|CU|CW|DK|DJ|DM|DO|EC|EG|SV|GQ|ER|EE|ET|FO|FK|FJ|GF|PF|TF|GM|GE|GI|GH|GR|GL|GD|GP|GU|GT|GG|GN|GW|GY|HT|HM|HN|HK|IS|IN|IQ|IM|IL|JM|JP|JE|JO|KE|KI|KP|KR|KW|KG|LA|LV|LB|LS|LR|LY|LI|LT|LU|MO|MK|MG|MW|MY|MV|ML|MT|MH|MQ|MR|MU|YT|FM|MD|MC|MN|ME|MS|MA|MZ|MM|NA|NR|NP|AN|NC|NZ|NI|NU|NF|NO|OM|PW|PS|PA|PG|PY|PE|PH|PN|PL|PT|PR|QA|RE|RO|RW|BL|SH|KN|LC|MF|PM|VC|WS|SM|ST|SA|SN|RS|SC|SL|SG|SX|SK|SI|SB|SO|ZA|GS|SS|LK|SD|SR|SJ|SZ|SE|SY|TW|TJ|TZ|TH|TL|TG|TK|TO|TT|TN|TR|TM|TC|TV|UG|UM|UY|UZ|VU|VA|VE|VN|VG|WI|WF|EH|YE|ZM|ZW|PK|BR|CZ|BD|IR|GA|CA|CN|HU|ID|AR|BG|MX)/
score RELAYCOUNTRY_BAD 2.50
Full list of country codes:
https://www.unc.edu/~rowlett/units/codes/country.htm
Re: Block entire Countries by IPs
Hi,
I also want to implement country blocking now, and this post helps. But allow me a few more questions.
1) As the article is a little bit older than the current release of EFA, does the last post from 2018 still apply, and is it enough? Or do I need to load the respective plugin?
2) How do I check if it is loaded? I know --lint will give you correctness, but is there any other way? Like a log file where the rejections should appear.
3) And did the huge list of domains from maxkmv work?
Thx
P.S.: At the start of the thread /etc/MailScanner/spam.assassin.prefs.conf was mentioned, but this no longer exists. Correct? Or is it something which should now go into a new file: /etc/MailScanner/conf.d/spam.assassin.prefs.conf ?