Block entire Countries by IPs

northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Block entire Countries by IPs

Post by northwindit »

Hello everyone,

Just started using this wonderful product in our office and, while it is doing great, I would like to ask a few questions that, after searching, I have not found clear answers on how to perform.

1) How would I go about blocking entire IP ranges from countries? I use https://www.countryipblocks.net/country_selection.php
to pull a CIDR list of IPs, but how would I go about importing the list into EFA to reject or discard any email from countries I select?

2) Block all subdomains. I've used the /postfix/sender_access to block certain TLDs like .top and .pro.
Can I just add things like:
.domain.com to the same list to reject all emails from both that main domain and all subdomains?

3) Does SpamAssassin update on its own? Or does a shell command have to be run?

4) I'm noticing a lot of bulk emails (I know bulk emails are not unsolicited spam); however, how can I make the scoring of emails a little more aggressive?

5) How can I add a tag to identified bulk email? Such as **Bulk**
zohman
Posts: 42
Joined: 12 Sep 2015 07:36

Re: Block entire Countries by IPs

Post by zohman »

northwindit wrote:
1) How would I go about blocking entire IP ranges from countries? I use https://www.countryipblocks.net/country_selection.php
to pull a CIDR list of IPs, but how would I go about importing the list into EFA to reject or discard any email from countries I select?
Regarding blocking countries: you have the RelayCountry plugin in SpamAssassin, which you can use like I do.

inside: /etc/MailScanner/spam.assassin.prefs.conf
I put:

header         RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(RU|CN|KR|KP|IR)/
describe       RELAYCOUNTRY_BAD Relayed through foreign countries
score           RELAYCOUNTRY_BAD 4.5

header         RELAYCOUNTRY_GOOD X-Relay-Countries =~ /^(IL)/
describe       RELAYCOUNTRY_GOOD First trusted relay IPs from Israel :-)
score           RELAYCOUNTRY_GOOD -0.2
So all mails from RU|CN|KR|KP|IR are considered bad for me.
I'm using the postfix postscreen technique, so all those countries are stopped at the SMTP protocol level,
but if they get past it, well, they get more points added to their total spam score, according to my RegEx rule in spam.assassin.prefs.conf
with the implementation of X-Relay-Countries.
But if they come from Israel, where all my mail server traffic comes from or goes to,
I'll lower their score a little.

I don't think you should use restrictions on countries in any case, but you have the option.
Check: https://wiki.apache.org/spamassassin/RelayCountryPlugin

Regards,
Zohman.
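For question 1 and the postscreen approach zohman mentions, here is an added example (not EFA's or the thread's own code) that turns a downloaded CIDR list into a Postfix cidr: table that postscreen_access_list can read; the input list is constructed, and the REJECT action and the file path in the note are assumptions.

```python
import ipaddress

# Constructed sample CIDR list (not a real country block list). Such lists
# are one network per line; blank lines and '#' comments are tolerated here.
SAMPLE_CIDR_LIST = """\
# constructed example input
203.0.113.0/24
203.0.113.0/25
198.51.100.0/24
198.51.100.128/25
2001:db8::/32
not-an-address
192.0.2.1
"""


def parse_cidr_list(text):
    """Return (collapsed networks, unparsable lines).

    Overlapping and adjacent networks are merged so the resulting table
    stays small; IPv4 and IPv6 are collapsed separately (ipaddress requires it).
    """
    v4, v6, bad = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32 or /128
        except ValueError:
            bad.append(line)
            continue
        (v4 if net.version == 4 else v6).append(net)
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return nets, bad


def to_postfix_cidr_map(text, action="REJECT"):
    """Render a Postfix cidr_table(5) body: one 'network action' line each."""
    nets, bad = parse_cidr_list(text)
    return "".join(f"{net.with_prefixlen} {action}\n" for net in nets), bad


if __name__ == "__main__":
    table, rejected = to_postfix_cidr_map(SAMPLE_CIDR_LIST)
    print(table, end="")
    for entry in rejected:
        print(f"# skipped unparsable entry: {entry}")
```

Point postscreen at the rendered file with postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/country_block.cidr (path assumed); cidr: tables are read directly by Postfix and need no postmap step.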
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Block entire Countries by IPs

Post by ovizii »

Any idea how to debug the RelayCountry plugin?

I have added a rule just for testing:

header          RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(CN|RU|DE)/
describe        RELAYCOUNTRY_BAD Testing country relay plugin
score           RELAYCOUNTRY_BAD 0.1
The plugin is activated:

loadplugin Mail::SpamAssassin::Plugin::RelayCountry
# always show relaying countries in header
add_header all X-Relay-Countries _RELAYCOUNTRY_
Yet no headers at all have been added to any incoming emails, nor has any email hit the filter, even though I did send a few emails from a German test server which should have scored the 0.1 :-/

spamassassin --lint
shows no error at all

Edit:
Finally an email hit the filter:

0.10	RELAYCOUNTRY_BAD 
but it didn't have the header added :-/

P.S. How can I check whether the RelayCountry plugin is using Geo::IP or IP::Country::Fast? (The reason I am asking is that both are installed and the filter doesn't hit with every IP from my test countries.)
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Block entire Countries by IPs

Post by shawniverson »

Do you have these symlinks present and are they valid?

/usr/share/GeoIP

lrwxrwxrwx 1 root root       18 May 24  2015 GeoIP.dat -> GeoLiteCountry.dat
lrwxrwxrwx 1 root root       40 Mar 19 08:52 GeoLiteCountry.dat -> /var/www/html/mailscanner/temp/GeoIP.dat
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Block entire Countries by IPs

Post by ovizii »

Looks good:

 ls -al /usr/share/GeoIP
total 48248
drwxr-xr-x.   3 root root     4096 Jul  1 14:16 .
drwxr-xr-x. 101 root root     4096 Jun  4 07:48 ..
drwxr-xr-x    2 root root     4096 Apr 13  2015 download
lrwxrwxrwx.   1 root root       16 Mar 19 17:30 GeoIPASNum.dat -> GeoLiteASNum.dat
-rw-r--r--.   1 root root  4814990 Dec 11  2015 GeoIPASNumv6.dat
lrwxrwxrwx.   1 root root       15 Mar 19 17:30 GeoIPCity.dat -> GeoLiteCity.dat
lrwxrwxrwx.   1 root root       17 Mar 19 17:30 GeoIPCityv6.dat -> GeoLiteCityv6.dat
lrwxrwxrwx.   1 root root       18 Mar 19 17:31 GeoIP.dat -> GeoLiteCountry.dat
-rw-r--r--.   1 root root  1532813 Dec 11  2015 GeoIPv6.dat
-rw-r--r--.   1 root root  4021810 Dec 11  2015 GeoLiteASNum.dat
lrwxrwxrwx.   1 root root       16 Mar 19 17:30 GeoLiteASNumv6.dat -> GeoIPASNumv6.dat
-rw-r--r--.   1 root root 19148749 Dec 11  2015 GeoLiteCity.dat
-rw-r--r--.   1 root root 19867028 Dec 11  2015 GeoLiteCityv6.dat
lrwxrwxrwx.   1 root root       40 Mar 19 17:41 GeoLiteCountry.dat -> /var/www/html/mailscanner/temp/GeoIP.dat

ls -al /var/www/html/mailscanner/temp/GeoIP.dat
-rw-r--r-- 1 apache apache 890597 Jun 27 08:40 /var/www/html/mailscanner/temp/GeoIP.dat
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Block entire Countries by IPs

Post by ovizii »

Hm, it started working with some meta rules:

# if BAYES 99 or 999 and relayed through bad country then amplify
header          __RELAYCOUNTRY_BAD              X-Relay-Countries =~ /^(CN|RU|SU|TW|MD|JP|BR|US)/
meta            _jacob_BAD_COUNTRY_PENALTY      (__RELAYCOUNTRY_BAD && (BAYES_99 || BAYES_999))
describe        _jacob_BAD_COUNTRY_PENALTY      Relayed through dodgy countries at some point and BAYES SPAM
score           _jacob_BAD_COUNTRY_PENALTY      1.5

# if BAYES 00 or WL and relayed through good country then lower score
header          __RELAYCOUNTRY_GOOD             X-Relay-Countries =~ /^(ZA|DE|BR)/
meta            _jacob_GOOD_COUNTRY_BONUS       (__RELAYCOUNTRY_GOOD && (BAYES_00 || BAYES_WL))
describe        _jacob_GOOD_COUNTRY_BONUS       Relayed through a good country and BAYES HAM
score           _jacob_GOOD_COUNTRY_BONUS       -1.00
although the header still seems not to be added.
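To see what zohman's header rules and ovizii's meta rules actually match, here is an added Python model of the evaluation (not SpamAssassin's code and not from the thread); the sample header values and hit sets are constructed, the meta rule names are shortened, and the \b variant rule is an assumption added to show how it differs from the ^ anchor.

```python
import re

# Constructed sample messages (not from the thread): the X-Relay-Countries
# value (assumed: one ISO code per untrusted relay, most recent relay first)
# and the names of other rules that already hit on that message.
SAMPLES = {
    "ru_direct_spam": ("RU",    {"BAYES_99"}),
    "ru_via_gb_spam": ("GB RU", {"BAYES_999"}),
    "ru_direct_ham":  ("RU",    {"BAYES_00"}),
    "de_ham":         ("DE",    {"BAYES_00"}),
}

# Header sub-rules (double underscore: no score of their own). '^(...)'
# anchors at the start of the value, so only the FIRST country can match.
HEADER_RULES = {
    "__RELAYCOUNTRY_BAD":     re.compile(r"^(CN|RU|SU|TW|MD|JP|BR|US)"),
    "__RELAYCOUNTRY_GOOD":    re.compile(r"^(ZA|DE|BR)"),
    # Assumed variant: \b lets the country match anywhere in the relay chain.
    "__RELAYCOUNTRY_BAD_ANY": re.compile(r"\b(CN|RU|SU|TW|MD|JP|BR)\b"),
}

# Meta rules from the post, as (condition over the set of hits, score).
META_RULES = {
    "BAD_COUNTRY_PENALTY": (lambda h: "__RELAYCOUNTRY_BAD" in h
                            and bool(h & {"BAYES_99", "BAYES_999"}), 1.5),
    "GOOD_COUNTRY_BONUS":  (lambda h: "__RELAYCOUNTRY_GOOD" in h
                            and bool(h & {"BAYES_00", "BAYES_WL"}), -1.0),
}


def evaluate(relay_countries, other_hits):
    """Return (all hits incl. sub-rules, meta rules that fired, total score)."""
    hits = set(other_hits)
    hits.update(n for n, pat in HEADER_RULES.items() if pat.search(relay_countries))
    fired = sorted(n for n, (cond, _) in META_RULES.items() if cond(hits))
    total = round(sum(META_RULES[n][1] for n in fired), 2)
    return sorted(hits), fired, total


def evaluate_all(samples=SAMPLES):
    """Evaluate every sample; useful for checking a rule set before deploying it."""
    return {label: evaluate(*args) for label, args in samples.items()}


if __name__ == "__main__":
    for label, (hits, fired, total) in evaluate_all().items():
        print(f"{label:15} {total:+.1f}  fired={fired}  hits={hits}")
```

Note how "GB RU" hits only the \b variant: with the ^ anchor a message that originated in RU but was handed over by a GB relay never triggers __RELAYCOUNTRY_BAD, so the penalty does not fire.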
MooreSys
Posts: 6
Joined: 08 Apr 2018 02:43

Re: Block entire Countries by IPs

Post by MooreSys »

Where did you add these rules? Where is the file?
maxkmv
Posts: 52
Joined: 28 Apr 2015 14:40

Re: Block entire Countries by IPs

Post by maxkmv »

This will add an extra 2.50 to the score of emails sent from those countries:

To this file:
/etc/mail/spamassassin/local.cf

header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(NE|NG|AF|AX|AL|DZ|AS|AD|AO|AI|AG|AW|BS|BH|BB|BZ|BJ|BT|BO|BQ|BA|BW|BV|IO|BN|BF|BI|KH|CM|CV|KY|CF|CL|TD|CX|CC|CO|KM|CG|CD|CK|CI|CR|HR|CU|CW|DK|DJ|DM|DO|EC|EG|SV|GQ|EG|ER|EE|ET|FO|FK|FJ|GF|PF|TF|GM|GE|GI|GH|GI|GR|GL|GD|GP|GU|GT|GG|GN|GW|GY|HT|HM|HN|HK|IS|IN|IQ|IM|IL|JM|JP|JE|JO|KE|KI|KP|KR|KW|KG|LA|LV|LB|LS|LR|LY|LI|LT|LU|MO|MK|MG|MW|MY|MV|ML|MT|MH|MQ|MR|MU|YT|FM|MD|MC|MN|ME|MS|MA|MZ|MM|NA|NR|NP|AN|NC|NZ|NI|NU|NF|NO|NP|OM|PW|PS|PA|PG|PY|PE|PH|PN|PL|PT|PR|QA|RE|RO|RW|BL|SH|KN|LC|MF|PM|VC|WS|SM|ST|SA|SN|RS|SC|SL|SG|SX|SK|SI|SB|SO|ZA|GS|SS|LK|SD|SR|SJ|SZ|SE|SY|TW|TJ|TZ|TH|TL|TG|TK|TO|TT|TN|TR|TM|TC|TV|UG|UM|UY|UZ|VU|VA|VE|VN|VG|WI|WF|EH|YE|ZM|ZW|PK|BR|LK|MK|TH|CO|HN|HR|RS|CZ|EC|HT|CM|VE|BD|SG|IR|TR|KE|GA|UG|CA|QA|CN|KR|HU|PL|ID|ZA|VN|HK|IL|IN|AR|BG|RO|TR|MY|MX|NZ|SA|IR|KG|SG)/
score RELAYCOUNTRY_BAD 2.50

Full List of country codes:
https://www.unc.edu/~rowlett/units/codes/country.htm