Block Single IP or /24 Cidr without blocking the entire country

Post by henk » 05 Sep 2017 12:42

When you can't block unknown domains with Postfix for whatever reason, but you still want to mark it as spam without blocking the entire country.

(Since plugin Mail::SpamAssassin::Plugin::URILocalBL doesn't work.)

Example: Spam from US based Wowrack.com Net-range: 208.89.208.0 - 208.89.215.255

For some strange reason the spammer(s) are mainly in the 208.89.215.xxx net-range :drool:

Code:

Received: from epharab.loan (unknown [208.89.215.52])
Received: from wasptit.loan (unknown [208.89.215.47])
Received: from nyedumb.loan (unknown [208.89.215.48])
Received: from yikeest.loan (unknown [208.89.215.53])
Received: from hrhmar.loan (unknown [208.89.215.12])
Received: from poemesky.faith (unknown [208.89.210.118])

Option. Country block, works fine for countries. See the E.F.A. forum

countrybl.cf - modify Countries :idea:

Code:

ifplugin Mail::SpamAssassin::Plugin::RelayCountry
header   RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(VN|CN|RU|RO|CZ|JP|UA|IN|HK|TW|BH|KR|KP|PK)/
describe RELAYCOUNTRY_BAD Relayed through suspect countries at some point
score    RELAYCOUNTRY_BAD 8.0
endif # Mail::SpamAssassin::Plugin::RelayCountry

Additional option. Block Single IP or /24 Cidr - modify IP's :idea:

blockip.cf

Code:

header SPAMMING_IP Received =~ /(208\.89\.210\.118|208\.89\.215\.)/
describe SPAMMING_IP Spam Mail from 208.89.210.118 and 208.89.215/24
score SPAMMING_IP 9.0

Just put these 2 files in /etc/mail/spamassassin and restart MailScanner. Use MailScanner --lint to check! :!:

To get the descriptions visible: Reload rule_descriptions through the GUI.
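Added example (not part of henk's post or the eFa project): a Python check that runs the blockip.cf pattern from the post over constructed Received values and compares the result with the intended host plus /24. ANCHORED_RULE, the sample headers and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Rule body from blockip.cf in the post; Perl and Python read it the same way.
PAGE_RULE = re.compile(r"(208\.89\.210\.118|208\.89\.215\.)")
# Assumed tightening (not from the thread): only match the bracketed address
# literal, as written in the Postfix-style headers quoted in the post.
ANCHORED_RULE = re.compile(r"\[(?:208\.89\.210\.118|208\.89\.215\.\d{1,3})\]")

# What the rule is meant to cover: one host plus one /24.
INTENDED = [ipaddress.ip_network("208.89.210.118/32"),
            ipaddress.ip_network("208.89.215.0/24")]

# Constructed Received values; the example.* hosts and the 203.0.113.x /
# 198.51.100.x addresses are made up for this test.
SAMPLES = {
    "spam_24": "from epharab.loan (unknown [208.89.215.52]) by mx.example.org",
    "spam_single": "from poemesky.faith (unknown [208.89.210.118]) by mx.example.org",
    "neighbour": "from a.example.net (unknown [208.89.210.119]) by mx.example.org",
    "rdns_lookalike": "from 208.89.215.dyn.example.net (unknown [203.0.113.9]) by mx.example.org",
    "helo_lookalike": "from 208.89.215.1 (mail.example.com [198.51.100.7]) by mx.example.org",
}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def should_hit(value):
    """Ground truth: is any bracketed relay address inside INTENDED?"""
    for text in BRACKETED_IP.findall(value):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:  # e.g. an octet above 255
            continue
        if any(addr in net for net in INTENDED):
            return True
    return False

def audit(rule, samples=SAMPLES):
    """Return (false_positives, false_negatives) as sorted label lists."""
    fp, fn = [], []
    for label, value in samples.items():
        fired, wanted = bool(rule.search(value)), should_hit(value)
        if fired and not wanted:
            fp.append(label)
        elif wanted and not fired:
            fn.append(label)
    return sorted(fp), sorted(fn)

if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("anchored rule", ANCHORED_RULE)):
        print(name, audit(rule))
```

If the audit comes back clean, the ANCHORED_RULE pattern can be placed between the slashes of the header line in blockip.cf and checked with the lint step from the post.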


Post by shawniverson » 07 Sep 2017 22:39

:clap: :dance: :violin: :text-bravo:
Version 3.0.2.6 released! Update now to keep your eFa secure!


Post by Odon Garma » 07 Nov 2018 09:56

plugin must be enabled in init.pre?!


Post by henk » 07 Nov 2018 10:59

Yes, for the relay country: in /etc/mail/spamassassin/init.pre

Code:

# RelayCountry - add metadata for Bayes learning, marking the countries
# a message was relayed through
#
# Note: This requires the Geo::IP Perl module
#
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

# Hashcash - perform hashcash verification.
#
loadplugin Mail::SpamAssassin::Plugin::Hashcash

# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF

To check dependencies for installed modules (Geo::IP): GUI -> Tools and Links -> SpamAssassin Lint (Test)
or exec

Code:

spamassassin --lint --debug

You should see something like this.

Code:

module installed: Digest::SHA1, version 2.12 		0.00014
module installed: HTML::Parser, version 3.64 		0.00012
module installed: Net::DNS, version 0.65 		0.00011
module installed: NetAddr::IP, version 4.078 		0.00011
module installed: Time::HiRes, version 1.9721 		0.00014
module installed: Archive::Tar, version 1.58 		0.00011
module installed: IO::Zlib, version 1.09 		0.00011
module installed: Digest::SHA1, version 2.12 		0.00012
module installed: MIME::Base64, version 3.08 		0.00011
module installed: DB_File, version 1.835 		0.00011
module installed: Net::SMTP, version 3.08 		0.00011
module installed: Mail::SPF, version v2.009 		0.00011
module installed: Geo::IP, version 1.45 		0.00011
module installed: Net::CIDR::Lite, version 0.21 	0.00014
module installed: Razor2::Client::Agent, version 2.84 	0.00012
module installed: IO::Socket::IP, version 0.37 		0.00011
module installed: IO::Socket::INET6, version 2.72 	0.00011
module installed: IO::Socket::SSL, version 1.31 	0.00011
module installed: Compress::Zlib, version 2.021 	0.00013
module installed: Mail::DKIM, version 0.37 		0.00011
module installed: DBI, version 1.609 			0.00011
module installed: Getopt::Long, version 2.38 		0.00013
module installed: LWP::UserAgent, version 5.833 	0.00013
module installed: HTTP::Date, version 5.831 		0.00011
module installed: Encode::Detect::Detector, version 1.01 	0.00011
module installed: Net::Patricia, version 1.22 		0.00011
module installed: Net::DNS::Nameserver, version 749
