Block Single IP or /24 Cidr without blocking the entire country

henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Post by henk »

When you can't block unknown domains with Postfix for whatever reason, but you still want to mark it as spam without blocking the entire country.

(Since plugin Mail::SpamAssassin::Plugin::URILocalBL doesn't work.)

Example: Spam from US-based Wowrack.com Net-range: 208.89.208.0 - 208.89.215.255

For some strange reason the spammer(s) are mainly in the 208.89.215.xxx net-range

Received: from epharab.loan (unknown [208.89.215.52])
Received: from wasptit.loan (unknown [208.89.215.47])
Received: from nyedumb.loan (unknown [208.89.215.48])
Received: from yikeest.loan (unknown [208.89.215.53])
Received: from hrhmar.loan (unknown [208.89.215.12])
Received: from poemesky.faith (unknown [208.89.210.118])

Option. Country block, works fine for countries. See the E.F.A. forum

countrybl.cf - modify countries

ifplugin Mail::SpamAssassin::Plugin::RelayCountry
header   COUNTRY_RELAY_BH X-Relay-Countries =~ /BH/
describe COUNTRY_RELAY_BH Relayed through Bahrain
score    COUNTRY_RELAY_BH 3.5

header   COUNTRY_RELAY_CN X-Relay-Countries =~ /CN/
describe COUNTRY_RELAY_CN Relayed through China
score    COUNTRY_RELAY_CN 6.5
#etc etc

endif # Mail::SpamAssassin::Plugin::RelayCountry

Additional option, thanks to smyers119: Block IPs - modify IPs

blockip.cf

# \b on both sides keeps the pattern from matching inside a longer run of digits
header CLASSMATE_NET Received =~ /\b208\.84\.4[0-7]\.\d{1,3}\b/
describe CLASSMATE_NET Spam Mail from 208.84.40.0/21
score CLASSMATE_NET 9.0

# or just a /24 range whatever suits your situation
header SPAMMING_IP Received =~ /\b208\.89\.215\.\d{1,3}\b/
describe SPAMMING_IP Spam Mail from 208.89.215.0/24
score SPAMMING_IP 6.0

This catches every IP from 208.84.40.0 to 208.84.47.255 and 208.89.215.0 to 208.89.215.255.
Just put these 2 files in /etc/mail/spamassassin and restart MailScanner. Use MailScanner --lint to check!

To get the descriptions visible: Reload rule_descriptions through the GUI.
Last edited by henk on 04 May 2020 07:36, edited 1 time in total.
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
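
Added example, not part of the post above: a Python generator that turns any IPv4 CIDR into a Received-header rule of the kind shown in blockip.cf, so ranges that do not fall on a single digit class (such as 208.89.208.0/21) come out right. The function names, the rule name SPAMMING_NET and the constructed sample lines are assumptions of this example; patterns are wrapped in \b so that longer digit runs do not match.

```python
import ipaddress
import re

def octet_pattern(lo, hi):
    """Regex fragment for the decimal integers lo..hi (0 <= lo <= hi <= 255)."""
    if (lo, hi) == (0, 255):
        return r"\d{1,3}"  # whole octet: same shorthand as the rules in the post
    if lo == hi:
        return str(lo)
    parts = []
    for tens in range(lo // 10, hi // 10 + 1):  # one alternative per leading digits
        first = max(lo, tens * 10) % 10
        last = min(hi, tens * 10 + 9) % 10
        digits = str(first) if first == last else f"[{first}-{last}]"
        parts.append((str(tens) if tens else "") + digits)
    return parts[0] if len(parts) == 1 else "(?:" + "|".join(parts) + ")"

def cidr_to_regex(cidr):
    """A CIDR block is aligned, so each octet has its own independent range."""
    net = ipaddress.IPv4Network(cidr)  # raises ValueError if host bits are set
    bounds = zip(net.network_address.packed, net.broadcast_address.packed)
    return r"\b" + r"\.".join(octet_pattern(a, b) for a, b in bounds) + r"\b"

def sa_rule(name, cidr, score):
    """Three-line SpamAssassin rule in the layout used in blockip.cf."""
    return (f"header   {name} Received =~ /{cidr_to_regex(cidr)}/\n"
            f"describe {name} Spam Mail from {cidr}\n"
            f"score    {name} {score}")

SAMPLE = [  # first two lines are from the post; the last three are constructed
    "Received: from epharab.loan (unknown [208.89.215.52])",
    "Received: from poemesky.faith (unknown [208.89.210.118])",
    "Received: from a.example (unknown [208.84.47.255])",
    "Received: from b.example (unknown [208.84.48.9])",     # just outside the /21
    "Received: from c.example (unknown [1208.84.40.7])",    # longer digit run
]

def hits(cidr, lines=SAMPLE):
    """Which sample lines the generated pattern matches."""
    rx = re.compile(cidr_to_regex(cidr))
    return [bool(rx.search(line)) for line in lines]

if __name__ == "__main__":
    print(sa_rule("SPAMMING_NET", "208.89.208.0/21", 6.0))
    print(hits("208.89.208.0/21"))
```

Paste the printed rule into a .cf file in /etc/mail/spamassassin and lint it as described in the post.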
shawniverson
Posts: 3640
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Block Single IP or /24 Cidr without blocking the entire country

Post by shawniverson »

:clap: :dance: :violin: :text-bravo:
Odon Garma
Posts: 33
Joined: 08 May 2017 14:10

Re: Block Single IP or /24 Cidr without blocking the entire country

Post by Odon Garma »

plugin must be enabled in init.pre?!
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Block Single IP or /24 Cidr without blocking the entire country

Post by henk »

Yes, for the relay country: in

/etc/mail/spamassassin/init.pre

# RelayCountry - add metadata for Bayes learning, marking the countries
# a message was relayed through
#
# Note: This requires the Geo::IP Perl module
#
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

# Hashcash - perform hashcash verification.
#
loadplugin Mail::SpamAssassin::Plugin::Hashcash

# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF

To check dependency for installed modules (Geo::IP): GUI -> Tools and Links -> SpamAssassin Lint (Test)
or exec

spamassassin --lint --debug

You should see something like this.

module installed: Digest::SHA1, version 2.12 		0.00014
module installed: HTML::Parser, version 3.64 		0.00012
module installed: Net::DNS, version 0.65 		0.00011
module installed: NetAddr::IP, version 4.078 		0.00011
module installed: Time::HiRes, version 1.9721 		0.00014
module installed: Archive::Tar, version 1.58 		0.00011
module installed: IO::Zlib, version 1.09 		0.00011
module installed: Digest::SHA1, version 2.12 		0.00012
module installed: MIME::Base64, version 3.08 		0.00011
module installed: DB_File, version 1.835 		0.00011
module installed: Net::SMTP, version 3.08 		0.00011
module installed: Mail::SPF, version v2.009 		0.00011
module installed: Geo::IP, version 1.45 		0.00011
module installed: Net::CIDR::Lite, version 0.21 	0.00014
module installed: Razor2::Client::Agent, version 2.84 	0.00012
module installed: IO::Socket::IP, version 0.37 		0.00011
module installed: IO::Socket::INET6, version 2.72 	0.00011
module installed: IO::Socket::SSL, version 1.31 	0.00011
module installed: Compress::Zlib, version 2.021 	0.00013
module installed: Mail::DKIM, version 0.37 		0.00011
module installed: DBI, version 1.609 			0.00011
module installed: Getopt::Long, version 2.38 		0.00013
module installed: LWP::UserAgent, version 5.833 	0.00013
module installed: HTTP::Date, version 5.831 		0.00011
module installed: Encode::Detect::Detector, version 1.01 	0.00011
module installed: Net::Patricia, version 1.22 		0.00011
module installed: Net::DNS::Nameserver, version 749