ufo-joe

LINUX IPTABLES cuts my spam by 40-50%

21 posts in this topic

I rent webspace including a mailserver, and I am getting walloped by spam daily. When it got to a hundred a day, I decided to take some drastic action.

The nature of my site is such that I don't expect legitimate emails from non-English speaking countries. Following a 3-month analysis of my spam, I found about 50% of it originated in Asia, South America, and the Former Soviet Union, including Poland and the Czech Republic.

I then started to construct IPTABLES rules which blocked not only SMTP connections, but any type of connection from large IP blocks in these countries. The decision to block all access was intended to reduce the risk of hacking, which is also prevalent in most of these countries. There was and remains an issue with Asia, because Australia is administered by APNIC, the same registrar which administers China, Japan, etc., but since I get relatively little interest from Australia, I decided it was worth the sacrifice.

I ran into a problem with table space (which is managed by my ISP). Initially I could only employ around 120 rules, but after discussion with my ISP I managed to get that doubled. Because of the limited number of rules, I can't always add new rules when new domains become active spammers, so periodically I have to delete inactive filters to allow me to add active ones. My current tables are as follows if anyone wants to use them:

# Each rule is appended (-A) to the INPUT chain and drops every protocol and port
# from the named source range; rules are evaluated in the order listed.
iptables -A INPUT -s 41.196.0.0/16 -j DROP
iptables -A INPUT -s 41.248.0.0/14 -j DROP
iptables -A INPUT -s 58.0.0.0/7 -j DROP
iptables -A INPUT -s 60.0.0.0/7 -j DROP
iptables -A INPUT -s 62.16.0.0/16 -j DROP
iptables -A INPUT -s 62.21.0.0/17 -j DROP
iptables -A INPUT -s 62.24.64.0/18 -j DROP
iptables -A INPUT -s 62.109.0.0/16 -j DROP
iptables -A INPUT -s 62.135.0.0/17 -j DROP
iptables -A INPUT -s 62.148.128.0/19 -j DROP
iptables -A INPUT -s 62.215.0.0/16 -j DROP
iptables -A INPUT -s 69.79.0.0/16 -j DROP
iptables -A INPUT -s 77.40.0.0/15 -j DROP
iptables -A INPUT -s 77.45.0.0/16 -j DROP
iptables -A INPUT -s 77.46.0.0/15 -j DROP
iptables -A INPUT -s 77.50.0.0/15 -j DROP
iptables -A INPUT -s 77.81.0.0/16 -j DROP
iptables -A INPUT -s 77.85.0.0/16 -j DROP
iptables -A INPUT -s 77.91.0.0/18 -j DROP
iptables -A INPUT -s 77.120.0.0/14 -j DROP
iptables -A INPUT -s 77.236.0.0/16 -j DROP
iptables -A INPUT -s 77.241.32.0/20 -j DROP
iptables -A INPUT -s 77.252.0.0/14 -j DROP
iptables -A INPUT -s 78.0.0.0/14 -j DROP
iptables -A INPUT -s 78.36.0.0/14 -j DROP
iptables -A INPUT -s 78.56.0.0/13 -j DROP
iptables -A INPUT -s 78.84.0.0/15 -j DROP
iptables -A INPUT -s 78.102.0.0/15 -j DROP
iptables -A INPUT -s 78.106.0.0/15 -j DROP
iptables -A INPUT -s 78.109.16.0/17 -j DROP
iptables -A INPUT -s 78.131.0.0/16 -j DROP
iptables -A INPUT -s 78.139.0.0/16 -j DROP
iptables -A INPUT -s 78.160.0.0/11 -j DROP
iptables -A INPUT -s 79.112.0.0/13 -j DROP
iptables -A INPUT -s 79.120.0.0/16 -j DROP
iptables -A INPUT -s 79.125.128.0/17 -j DROP
iptables -A INPUT -s 79.139.0.0/16 -j DROP
iptables -A INPUT -s 79.140.128.0/18 -j DROP
iptables -A INPUT -s 79.184.0.0/13 -j DROP
iptables -A INPUT -s 80.48.0.0/13 -j DROP
iptables -A INPUT -s 80.96.188.0/22 -j DROP
iptables -A INPUT -s 80.98.0.0/15 -j DROP
iptables -A INPUT -s 80.128.0.0/11 -j DROP
iptables -A INPUT -s 80.188.0.0/16 -j DROP
iptables -A INPUT -s 80.243.144.0/20 -j DROP
iptables -A INPUT -s 80.252.128.0/19 -j DROP
iptables -A INPUT -s 81.13.0.0/17 -j DROP
iptables -A INPUT -s 81.30.192.0/19 -j DROP
iptables -A INPUT -s 81.88.0.0/16 -j DROP
iptables -A INPUT -s 81.176.0.0/15 -j DROP
iptables -A INPUT -s 81.190.0.0/16 -j DROP
iptables -A INPUT -s 81.192.0.0/16 -j DROP
iptables -A INPUT -s 81.198.0.0/16 -j DROP
iptables -A INPUT -s 81.214.0.0/15 -j DROP
iptables -A INPUT -s 81.222.0.0/16 -j DROP
iptables -A INPUT -s 82.76.0.0/14 -j DROP
iptables -A INPUT -s 82.114.0.0/16 -j DROP
iptables -A INPUT -s 82.119.128.0/19 -j DROP
iptables -A INPUT -s 82.131.128.0/17 -j DROP
iptables -A INPUT -s 82.135.128.0/17 -j DROP
iptables -A INPUT -s 82.138.0.0/18 -j DROP
iptables -A INPUT -s 82.150.160.0/19 -j DROP
iptables -A INPUT -s 82.201.128.0/17 -j DROP
iptables -A INPUT -s 82.204.128.0/17 -j DROP
iptables -A INPUT -s 82.207.0.0/17 -j DROP
iptables -A INPUT -s 83.0.0.0/11 -j DROP
iptables -A INPUT -s 83.103.0.0/16 -j DROP
iptables -A INPUT -s 83.131.0.0/16 -j DROP
iptables -A INPUT -s 83.144.64.0/18 -j DROP
iptables -A INPUT -s 83.145.128.0/18 -j DROP
iptables -A INPUT -s 83.167.0.0/17 -j DROP
iptables -A INPUT -s 83.237.0.0/16 -j DROP
iptables -A INPUT -s 83.238.0.0/15 -j DROP
iptables -A INPUT -s 84.0.0.0/14 -j DROP
iptables -A INPUT -s 84.10.0.0/16 -j DROP
iptables -A INPUT -s 84.32.0.0/16 -j DROP
iptables -A INPUT -s 84.38.0.0/19 -j DROP
iptables -A INPUT -s 84.42.0.0/16 -j DROP
iptables -A INPUT -s 84.47.0.0/16 -j DROP
iptables -A INPUT -s 84.55.0.0/17 -j DROP
iptables -A INPUT -s 84.204.0.0/16 -j DROP
iptables -A INPUT -s 85.14.64.0/18 -j DROP
iptables -A INPUT -s 85.21.0.0/16 -j DROP
iptables -A INPUT -s 85.28.0.0/16 -j DROP
iptables -A INPUT -s 85.30.64.0/18 -j DROP
iptables -A INPUT -s 85.66.0.0/15 -j DROP
iptables -A INPUT -s 85.70.0.0/15 -j DROP
iptables -A INPUT -s 85.72.0.0/14 -j DROP
iptables -A INPUT -s 85.91.128.0/19 -j DROP
iptables -A INPUT -s 85.94.0.0/16 -j DROP
iptables -A INPUT -s 85.96.0.0/12 -j DROP
iptables -A INPUT -s 85.118.64.0/18 -j DROP
iptables -A INPUT -s 85.128.0.0/16 -j DROP
iptables -A INPUT -s 85.130.0.0/17 -j DROP
iptables -A INPUT -s 85.132.0.0/16 -j DROP
iptables -A INPUT -s 85.135.0.0/16 -j DROP
iptables -A INPUT -s 85.140.0.0/14 -j DROP
iptables -A INPUT -s 85.172.0.0/14 -j DROP
iptables -A INPUT -s 85.185.128.0/17 -j DROP
iptables -A INPUT -s 85.186.0.0/15 -j DROP
iptables -A INPUT -s 85.204.0.0/16 -j DROP
iptables -A INPUT -s 85.207.0.0/16 -j DROP
iptables -A INPUT -s 85.216.128.0/17 -j DROP
iptables -A INPUT -s 85.221.128.0/17 -j DROP
iptables -A INPUT -s 85.222.0.0/16 -j DROP
iptables -A INPUT -s 85.248.0.0/15 -j DROP
iptables -A INPUT -s 85.254.0.0/16 -j DROP
iptables -A INPUT -s 85.255.96.0/19 -j DROP
iptables -A INPUT -s 86.34.0.0/15 -j DROP
iptables -A INPUT -s 86.57.128.0/17 -j DROP
iptables -A INPUT -s 86.63.64.0/18 -j DROP
iptables -A INPUT -s 86.96.0.0/14 -j DROP
iptables -A INPUT -s 86.100.0.0/15 -j DROP
iptables -A INPUT -s 86.104.0.0/14 -j DROP
iptables -A INPUT -s 86.110.160.0/19 -j DROP
iptables -A INPUT -s 86.120.0.0/13 -j DROP
iptables -A INPUT -s 87.97.0.0/16 -j DROP
iptables -A INPUT -s 87.103.128.0/17 -j DROP
iptables -A INPUT -s 87.105.0.0/16 -j DROP
iptables -A INPUT -s 87.116.128.0/18 -j DROP
iptables -A INPUT -s 87.117.0.0/18 -j DROP
iptables -A INPUT -s 87.120.0.0/15 -j DROP
iptables -A INPUT -s 87.126.0.0/16 -j DROP
iptables -A INPUT -s 87.128.0.0/10 -j DROP
iptables -A INPUT -s 87.202.0.0/15 -j DROP
iptables -A INPUT -s 87.204.0.0/14 -j DROP
iptables -A INPUT -s 87.224.128.0/17 -j DROP
iptables -A INPUT -s 87.226.0.0/16 -j DROP
iptables -A INPUT -s 87.228.0.0/17 -j DROP
iptables -A INPUT -s 87.230.0.0/16 -j DROP
iptables -A INPUT -s 87.236.0.0/18 -j DROP
iptables -A INPUT -s 87.237.112.0/21 -j DROP
iptables -A INPUT -s 87.241.0.0/16 -j DROP
iptables -A INPUT -s 87.245.128.0/18 -j DROP
iptables -A INPUT -s 87.248.64.0/19 -j DROP
iptables -A INPUT -s 87.248.160.0/19 -j DROP
iptables -A INPUT -s 87.251.0.0/16 -j DROP
iptables -A INPUT -s 88.84.192.0/19 -j DROP
iptables -A INPUT -s 88.100.0.0/14 -j DROP
iptables -A INPUT -s 88.147.128.0/17 -j DROP
iptables -A INPUT -s 88.156.0.0/16 -j DROP
iptables -A INPUT -s 88.199.0.0/16 -j DROP
iptables -A INPUT -s 88.201.0.0/16 -j DROP
iptables -A INPUT -s 88.204.128.0/17 -j DROP
iptables -A INPUT -s 88.205.0.0/16 -j DROP
iptables -A INPUT -s 88.207.0.0/16 -j DROP
iptables -A INPUT -s 88.224.0.0/11 -j DROP
iptables -A INPUT -s 89.20.128.0/19 -j DROP
iptables -A INPUT -s 89.32.0.0/12 -j DROP
iptables -A INPUT -s 89.64.0.0/12 -j DROP
iptables -A INPUT -s 89.102.0.0/15 -j DROP
iptables -A INPUT -s 89.106.0.0/18 -j DROP
iptables -A INPUT -s 89.108.0.0/16 -j DROP
iptables -A INPUT -s 89.109.0.0/18 -j DROP
iptables -A INPUT -s 89.110.0.0/16 -j DROP
iptables -A INPUT -s 89.120.0.0/14 -j DROP
iptables -A INPUT -s 89.132.0.0/14 -j DROP
iptables -A INPUT -s 89.136.0.0/15 -j DROP
iptables -A INPUT -s 89.142.0.0/16 -j DROP
iptables -A INPUT -s 89.147.64.0/18 -j DROP
iptables -A INPUT -s 89.149.0.0/16 -j DROP
iptables -A INPUT -s 89.151.128.0/17 -j DROP
iptables -A INPUT -s 89.160.0.0/11 -j DROP
iptables -A INPUT -s 89.208.0.0/16 -j DROP
iptables -A INPUT -s 89.210.0.0/15 -j DROP
iptables -A INPUT -s 89.212.0.0/16 -j DROP
iptables -A INPUT -s 89.215.0.0/16 -j DROP
iptables -A INPUT -s 89.216.0.0/16 -j DROP
iptables -A INPUT -s 89.218.0.0/15 -j DROP
iptables -A INPUT -s 89.223.0.0/16 -j DROP
iptables -A INPUT -s 89.228.0.0/14 -j DROP
iptables -A INPUT -s 89.248.80.0/20 -j DROP
iptables -A INPUT -s 90.150.0.0/16 -j DROP
iptables -A INPUT -s 90.156.0.0/16 -j DROP
iptables -A INPUT -s 90.188.0.0/15 -j DROP
iptables -A INPUT -s 91.76.0.0/14 -j DROP
iptables -A INPUT -s 91.122.0.0/16 -j DROP
iptables -A INPUT -s 91.124.0.0/16 -j DROP
iptables -A INPUT -s 91.139.0.0/16 -j DROP
iptables -A INPUT -s 91.140.0.0/16 -j DROP
iptables -A INPUT -s 91.144.128.0/18 -j DROP
iptables -A INPUT -s 92.112.0.0/15 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/13 -j DROP
iptables -A INPUT -s 117.24.0.0/13 -j DROP
iptables -A INPUT -s 117.104.192.0/18 -j DROP
iptables -A INPUT -s 118.68.0.0/14 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/7 -j DROP
iptables -A INPUT -s 124.0.0.0/7 -j DROP
iptables -A INPUT -s 140.128.0.0/13 -j DROP
iptables -A INPUT -s 148.208.0.0/12 -j DROP
iptables -A INPUT -s 157.157.0.0/16 -j DROP
iptables -A INPUT -s 159.148.0.0/16 -j DROP
iptables -A INPUT -s 168.226.0.0/16 -j DROP
iptables -A INPUT -s 189.0.0.0/8 -j DROP
iptables -A INPUT -s 190.0.0.0/8 -j DROP
iptables -A INPUT -s 194.6.216.0/21 -j DROP
iptables -A INPUT -s 194.67.0.0/16 -j DROP
iptables -A INPUT -s 194.186.0.0/16 -j DROP
iptables -A INPUT -s 194.219.0.0/16 -j DROP
iptables -A INPUT -s 195.2.96.0/19 -j DROP
iptables -A INPUT -s 195.131.0.0/16 -j DROP
iptables -A INPUT -s 195.205.0.0/16 -j DROP
iptables -A INPUT -s 195.222.112.0/20 -j DROP
iptables -A INPUT -s 195.229.0.0/16 -j DROP
iptables -A INPUT -s 196.0.0.0/8 -j DROP
iptables -A INPUT -s 200.0.0.0/6 -j DROP
iptables -A INPUT -s 207.248.0.0/15 -j DROP
iptables -A INPUT -s 210.0.0.0/7 -j DROP
iptables -A INPUT -s 212.12.0.0/19 -j DROP
iptables -A INPUT -s 212.15.0.0/16 -j DROP
iptables -A INPUT -s 212.33.128.0/17 -j DROP
iptables -A INPUT -s 212.71.128.0/18 -j DROP
iptables -A INPUT -s 212.76.0.0/17 -j DROP
iptables -A INPUT -s 212.96.0.0/16 -j DROP
iptables -A INPUT -s 212.128.0.0/9 -j DROP
iptables -A INPUT -s 213.76.0.0/16 -j DROP
iptables -A INPUT -s 213.85.0.0/16 -j DROP
iptables -A INPUT -s 213.91.128.0/17 -j DROP
iptables -A INPUT -s 213.141.128.0/19 -j DROP
iptables -A INPUT -s 213.143.64.0/19 -j DROP
iptables -A INPUT -s 213.163.96.0/19 -j DROP
iptables -A INPUT -s 213.167.32.0/19 -j DROP
iptables -A INPUT -s 213.179.224.0/19 -j DROP
iptables -A INPUT -s 213.197.128.0/16 -j DROP
iptables -A INPUT -s 213.220.192.0/18 -j DROP
iptables -A INPUT -s 217.15.128.0/19 -j DROP
iptables -A INPUT -s 217.20.128.0/18 -j DROP
iptables -A INPUT -s 217.148.192.0/19 -j DROP
iptables -A INPUT -s 217.150.32.0/19 -j DROP
iptables -A INPUT -s 217.164.0.0/15 -j DROP
iptables -A INPUT -s 218.0.0.0/7 -j DROP
iptables -A INPUT -s 220.0.0.0/7 -j DROP
iptables -A INPUT -s 222.0.0.0/8 -j DROP

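An added example, not code from the post or its author: a short Python audit of a rule list in this format before it is loaded. Two entries in the list above have host bits set in their network address (78.109.16.0/17 and 213.197.128.0/16); iptables accepts them but masks the address, so they are installed as 78.109.0.0/17 and 213.197.0.0/16, a wider match than written. The script also walks the rules in chain order to show what a given sender would hit (203.x, for instance, falls under 200.0.0.0/6, which explains the "blocked a 203.something query" reported further down) and flags later rules that lie entirely inside an earlier one, since those can never match and only spend a slot in a fixed rule budget. The sample input is a handful of lines copied from the list above; LATER_ADDITION is a hypothetical rule, not one the poster used.

```python
import ipaddress

# Constructed sample input: a handful of lines copied from the posted list above,
# kept in posted order. The full list is assumed to follow the same shape.
POSTED_RULES = """\
iptables -A INPUT -s 58.0.0.0/7 -j DROP
iptables -A INPUT -s 78.106.0.0/15 -j DROP
iptables -A INPUT -s 78.109.16.0/17 -j DROP
iptables -A INPUT -s 79.112.0.0/13 -j DROP
iptables -A INPUT -s 79.120.0.0/16 -j DROP
iptables -A INPUT -s 200.0.0.0/6 -j DROP
iptables -A INPUT -s 213.197.128.0/16 -j DROP
iptables -A INPUT -s 222.0.0.0/8 -j DROP
"""

# Hypothetical rule someone might append later; it is already covered by 200.0.0.0/6.
LATER_ADDITION = "iptables -A INPUT -s 203.0.113.0/24 -j DROP\n"


def parse_rules(text):
    """Return [(as_written, network)] for each 'iptables -A INPUT -s <cidr> -j DROP' line.

    strict=False does what the kernel does with an unaligned prefix: host bits are
    masked off, so 78.109.16.0/17 is installed as 78.109.0.0/17.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "iptables" or "-s" not in parts:
            continue
        cidr = parts[parts.index("-s") + 1]
        rules.append((cidr, ipaddress.ip_network(cidr, strict=False)))
    return rules


def unaligned(rules):
    """[(as_written, as_installed)] for prefixes whose network address has host bits set."""
    out = []
    for cidr, net in rules:
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            out.append((cidr, str(net)))
    return out


def first_match(ip, rules):
    """Walk the chain in order, as INPUT traversal does, and return the as-written
    prefix of the first rule that matches, or None if the packet reaches the chain policy."""
    addr = ipaddress.ip_address(ip)
    for cidr, net in rules:
        if addr in net:
            return cidr
    return None


def shadowed_rules(rules):
    """(earlier, later) pairs where a later rule lies entirely inside an earlier one:
    it can never match and only spends a slot in a limited rule budget."""
    shadowed = []
    for i, (earlier_cidr, earlier) in enumerate(rules):
        for later_cidr, later in rules[i + 1:]:
            if later.subnet_of(earlier):
                shadowed.append((earlier_cidr, later_cidr))
    return shadowed
```

Running `unaligned(parse_rules(POSTED_RULES))` on the sample returns both mis-aligned entries with the prefix the kernel actually installs, and `first_match("78.109.5.1", ...)` shows that an address below the written start of 78.109.16.0/17 is nevertheless dropped by that rule.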

A couple of things I forgot to mention.

A side benefit of this approach is that when a bot which is blocked by the rules attempts to send to my server, it hangs about waiting for a response until a timeout occurs. This has two beneficial effects:

a) it slows down the infected computer, possibly prompting the owner to suspect that there is something wrong and getting it checked.

b) It reduces spam throughput.

The worst offenders (following filtering) are:

1. United States - 32%

2. Germany - 7.5%

3. Russian Federation - 7.5%

4. France - 6.5%

5. United Kingdom - 5%

6. Spain - 4%

7. Israel - 3.2%

8. Poland - 3%

9. Italy - 2.3%

10. Canada - 1.6%

Total 70.6% of received spam.

...I then started to construct IPTABLES rules which blocked not only SMTP connections, but any type of connection from large IP blocks in these countries. ...
Yep, it works - blocked a 203.something query to port 80.
...There was and remains an issue with Asia, because Australia is administered by APNIC, the same registrar which administers China, Japan, etc. but since I get relatively little interest from Australia, ...
Even less now.
... I decided it was worth the sacrifice. ...
Yeah, well, we haven't done much for the old country lately anyway. :D Your server, your rules, glad to hear you have a solution that suits you.

I rent webspace including a mailserver, and I am getting walloped by spam daily.

You don't have a "catch-all" email function active, do you?

DT


Where do you find information about countries and IP ranges? I would like to build a similar list but with different countries (for example, I should not block Italy as I own an italian site....!)


Where do you find information about countries and IP ranges? I would like to build a similar list but with different countries (for example, I should not block Italy as I own an italian site....!)

The work has already been done.

Copying from another thread

News flash! In the SC email account blacklists, JT has swapped out the old "blackholes.us" options (Argentina, Brazil, and Nigeria) for the list at "countries.nerd.dk/more.html."

DT

= which got me to :-

Recently, a zz.countries.nerd.dk zone has been added, enabling you to do a single lookup and find the country of a given IP address - the zz-zone uses ISO 3166 Number codes encoded in the last two octets of the reply, for example a lookup of an IP address in Denmark would give a reply of 127.0.0.208 (208=Denmark), while a US IP would give 127.0.3.72 (3*256+72=840=USA)

240 = http://countries.nerd.dk/isolist.txt


I understand very little of your post; anyway, I do not need a name server to query but a static list of ranges to feed iptables with, as done in the first post of the thread.

I understand very little of your post; anyway, I do not need a name server to query but a static list of ranges to feed iptables with, as done in the first post of the thread.

This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....

And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?

This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....

And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?

No time right now, but there was recently a thread which included a website to build an .htaccess entry for specific countries. Probably in the Geeks section.


Hi David,

You don't have a "catch-all" email function active, do you?

Yes, I do, but that gets relatively little activity. I am active on half-a-dozen mail lists (including one administered by me), and it is mainly on addresses I use for those which I get clobbered.

Cheers,

Joe

This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....

Well, I can update it anytime it is needed...

And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?

And could you absorb the performance impact of doing a geoip lookup every time you get an IP packet?

The best thing to do would be to do a posteriori geoip lookups on web server or mail server logs, and dynamically blacklist only those blocks that are active sending stuff from the selected area.

For example, I want to block Asia. Once a day I do some geoip on pieces of my mail/web logs and block only those Asian blocks that appear active, removing from the blacklist those which weren't active, say, in the last 6 months. And any time SpamAssassin classifies as spam an email coming from an Asian address, the parent IP range will be immediately blacklisted.

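As an added example (not code from the post or its author), here is the daily pass described above in Python: pull client IPs out of mail-log lines, map each to its parent allocation and country, mark allocations from the target countries as active, age out anything not seen in six months, and offer the immediate path for an address the spam filter has already condemned. The allocation table, country codes, log lines and thresholds are all constructed for the example; a real deployment would read a GeoIP database and the server's own log, and TARGET_COUNTRIES stands for whatever region the operator decides to block.

```python
import ipaddress
import re
from datetime import timedelta

# Hypothetical allocation table standing in for a GeoIP database. These
# prefix/country pairs are constructed for the example and are not real data.
ALLOCATIONS = [
    (ipaddress.ip_network("203.0.112.0/22"), "AU"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "JP"),
]
TARGET_COUNTRIES = {"CN", "JP"}        # placeholder for the region being blocked
INACTIVE_AFTER = timedelta(days=180)   # the six-month window from the post

# Constructed log lines in Postfix smtpd style; not taken from any real server.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[1201]: connect from unknown[203.0.113.7]
Mar  1 10:00:05 mx postfix/smtpd[1202]: connect from mail.example.net[198.51.100.9]
Mar  1 10:00:09 mx postfix/smtpd[1203]: connect from unknown[203.0.112.40]
"""
CLIENT_RE = re.compile(r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def allocation_for(ip):
    """Longest-prefix match against the table; returns (network, country) or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, cc) for net, cc in ALLOCATIONS if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


class DynamicBlocklist:
    """Parent ranges from target countries seen sending to us, each with a last-seen time."""

    def __init__(self):
        self.last_seen = {}

    def _note(self, ip, when):
        hit = allocation_for(ip)
        if hit is None or hit[1] not in TARGET_COUNTRIES:
            return None
        net = hit[0]
        self.last_seen[net] = max(when, self.last_seen.get(net, when))
        return net

    def update_from_log(self, text, when):
        """Daily pass: every connecting client whose allocation is in a target country
        marks its parent range active as of `when`. Returns the ranges touched."""
        touched = set()
        for line in text.splitlines():
            m = CLIENT_RE.search(line)
            if m:
                net = self._note(m.group(1), when)
                if net is not None:
                    touched.add(net)
        return touched

    def mark_spam(self, ip, when):
        """Immediate path: a message the filter classified as spam from a target-country
        address blocks its parent range right away. Returns the range, or None if out of scope."""
        return self._note(ip, when)

    def expire(self, now):
        """Drop ranges not seen within INACTIVE_AFTER, freeing rule slots. Returns what was dropped."""
        stale = sorted(n for n, t in self.last_seen.items() if now - t > INACTIVE_AFTER)
        for n in stale:
            del self.last_seen[n]
        return stale

    def rules(self):
        """Current ranges as iptables commands, sorted so successive runs diff cleanly."""
        return [f"iptables -A INPUT -s {n} -j DROP" for n in sorted(self.last_seen)]
```

Because `rules()` is sorted, the output of two consecutive daily runs can be diffed to produce exactly the `iptables -A` and `iptables -D` commands needed, rather than flushing and reloading the whole chain.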

Hi Mythsmith,

Where do you find information about countries and IP ranges? I would like to build a similar list but with different countries (for example, I should not block Italy as I own an italian site....!)

Europe is a particularly difficult area to write filters for. The administrative agency is RIPE, and for some reason, the address space allocated by RIPE is very fragmented, often being allocated in small chunks of addresses.

The way I have been managing my filters involves obtaining the sending IP address from the SpamCop reporting output, then entering the address into 'whois' at http://www.domaintools.com. This provides the subnet mask in CIDR form. I then check addresses above and below the specified CIDR to see if I can reasonably expand the addresses covered - for instance, it may be an address range in Poland that I have reported, but the adjacent addresses, which might make up a /17 range, could be in Romania and Greece, in which case I enlarge the CIDR accordingly. This is because I don't expect traffic from those countries and I get significant amounts of spam from them as well.

If you (or anyone else that wants a copy) send me your email address via PM, I will happily send you copies of my working spreadsheet which contains a lot of information along the lines you require.

Cheers,

Joe

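Added example, not from the post: the "check above and below" step in Python. Starting from the allocation that WHOIS returned for a reported sender, it doubles the prefix one bit at a time and keeps the larger supernet only while every allocation known to lie inside it belongs to a country on the operator's unwanted list and those allocations account for the whole supernet, so no unknown or wanted space is swept in. That completeness check is stricter than the post describes. The allocation table, country codes and addresses are hypothetical stand-ins for WHOIS output, not real registry data.

```python
import ipaddress

# Hypothetical allocation table standing in for WHOIS answers. The prefixes and
# country codes are constructed for the example, not real registry data, and the
# code assumes the table's prefixes do not overlap one another.
ALLOCATIONS = {
    ipaddress.ip_network("198.50.0.0/16"): "DE",
    ipaddress.ip_network("198.51.0.0/17"): "PL",
    ipaddress.ip_network("198.51.128.0/18"): "RO",
    ipaddress.ip_network("198.51.192.0/18"): "GR",
    ipaddress.ip_network("192.0.2.0/25"): "RU",
}
UNWANTED = {"PL", "RO", "GR", "RU"}   # countries the operator expects no legitimate mail from


def allocation_for(ip):
    """The most specific allocation containing ip, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in ALLOCATIONS if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def widen(start, min_prefix=8):
    """Grow `start` one prefix bit at a time. Keep a supernet only if every allocation
    overlapping it is unwanted AND the allocations account for the whole supernet, so
    that unallocated or unknown space is never swept in. Returns the largest safe prefix."""
    best = start
    cand = start
    while cand.prefixlen > min_prefix:
        cand = cand.supernet()
        inside = [n for n in ALLOCATIONS if n.overlaps(cand)]
        if not inside or any(ALLOCATIONS[n] not in UNWANTED for n in inside):
            break
        # With non-overlapping allocations, each one either contains cand or sits inside it.
        covered = sum(min(n.num_addresses, cand.num_addresses) for n in inside)
        if covered != cand.num_addresses:
            break
        best = cand
    return best


def suggest_rule(reported_ip):
    """From a reported spam source to the rule the operator would add, or None if the
    source is unknown or belongs to a country that is not on the unwanted list."""
    alloc = allocation_for(reported_ip)
    if alloc is None or ALLOCATIONS[alloc] not in UNWANTED:
        return None
    return f"iptables -A INPUT -s {widen(alloc)} -j DROP"
```

With the table above, a report for 198.51.3.4 lands in the PL /17, the two neighbouring /18s are RO and GR, so the suggestion widens to 198.51.0.0/16 and stops there because the next doubling would pull in the DE /16. The RU /25 is not widened at all: half of the enclosing /24 is unknown.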
This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....

Not only is it not static, but spam traffic periodically disappears and reappears from some ranges. Another reason for occasionally removing ranges from the banned list (most eventually become active again, but not all).

And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?

This is an interesting point - although the server has to validate every packet against the table, it doesn't have to process dropped traffic (portscans, brute-force password attacks, and SMTP, for instance), so there might actually be a reduction in load. It hasn't caused me any problems and I run an active forum, website, and mail list on the server.

Cheers,

Joe

No time right now, but there was recently a thread which included a website to build an .htaccess entry for specific countries. Probably in the Geeks section.

Just back from my business trip. The site I was talking about is: http://blockacountry.com/


Since I opened this thread, my server has been under what appears to be either a series of DoS attacks, or attempts to discover the active filters.

If this is someone on this forum testing my filters, please desist, I have enough genuine hacking attempts to deal with without the logs filling up with 'tests'. If it was someone on here with benign intentions, please let me know via PM (no action will be taken). I will treat further attacks as hostile following this post.

Cheers,

Joe

If this is someone on this forum testing my filters...

Highly unlikely....they would have posted to let you know what they were doing. We simply don't have that kind of people here.

DT


I very highly suggest against manual blocking at the firewall level. For one, your list is impossible to maintain -- what happens when somebody fixes their IP address and now wants to send legitimate mail? More to the point, this is exactly why we have DNSBLs. If you use bl.spamcop.net, you're already covered for a large number of botnets and network abusers. I heavily rely upon the DNSBLs from SpamCop, PSBL, Spamhaus Zen, and JunkEmailFilter.

If you're talking about more than just mail, I suggest a temporary banning utility like fail2ban. I can't imagine running ANY server without fail2ban configured and running on it. Fail2ban will note consecutive failed login attempts within a small window of time (default: 10m) from a single IP and will ban that IP (at the firewall level) for another small window of time (default: 10m). This essentially prevents brute-force login attempts (unless they're distributed attacks).

If you want to aggressively block other countries (which I'd call a bad idea -- what if a friend on vacation emails you from a hotel in Hong Kong, China?), there are more elegant ways to do that, too. I find it safer to target specific problematic foreign languages and character sets. SpamAssassin has a plugin called TextCat which allows you to deny mail by language or character set. I have a custom SpamAssassin ruleset that assigns points to abusive IP blocks listed in SenderBase (a sister of SpamCop).

I used to have a custom SA rule that blocked all of APNIC (The Asia/Pacific Network Information Centre, the IP-assigning body for Asia and the Pacific, much like ARIN does for North America), but the spamming paradigm of using open relays (which were at one point quite abundant in Asia) seems to have fallen out of fashion in favor of mail via zombie botnets.

If you want a server-side trick that kills a massive percentage of incoming spam, try greylisting. Greylisting for my company knocks out a full 80+% of the spam without wasting the resources that SpamAssassin and ClamAV would.

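Added example, not code from the post: the greylisting logic the poster credits with an 80%+ reduction, as a minimal Python state machine. A previously unseen (client network, sender, recipient) triplet gets a 450 temporary failure; a retry after the delay is accepted and the triplet is remembered, so later mail from the same source passes at once, while a bot that never retries leaves nothing behind once the retry window closes. The timing constants are this example's assumptions (loosely after postgrey's defaults), and all addresses and log-style traffic are constructed.

```python
from datetime import datetime, timedelta

# Timing constants are this example's assumptions (loosely after postgrey's
# defaults), not settings quoted from the post.
GREYLIST_DELAY = timedelta(minutes=5)   # a retry sooner than this is still refused
RETRY_WINDOW = timedelta(days=2)        # a first attempt with no retry in this window is forgotten
WHITELIST_TTL = timedelta(days=35)      # accepted triplets stay known this long after last use

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self):
        self.pending = {}   # triplet -> time of first attempt
        self.passed = {}    # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Key on the client's /24 rather than the exact host so a retry from a
        # sibling MTA in the same outbound pool still matches.
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, sender.lower(), recipient.lower())

    def decide(self, client_ip, sender, recipient, now):
        """SMTP verdict for one delivery attempt."""
        key = self.triplet(client_ip, sender, recipient)
        if key in self.passed:
            self.passed[key] = now
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now         # new (or long-forgotten) triplet: defer it
            return TEMPFAIL
        if now - first < GREYLIST_DELAY:
            return TEMPFAIL                 # retried too eagerly; real MTAs back off
        del self.pending[key]               # retried like a real MTA: let it through
        self.passed[key] = now
        return ACCEPT

    def expire(self, now):
        """Forget unanswered first attempts and idle whitelist entries."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= RETRY_WINDOW}
        self.passed = {k: t for k, t in self.passed.items() if now - t <= WHITELIST_TTL}


def simulate():
    """Constructed traffic: one spambot that fires once and never retries, and one
    legitimate MTA that retries six minutes later from a sibling host in the same /24."""
    g = Greylist()
    t0 = datetime(2008, 3, 1, 10, 0)
    verdicts = [
        g.decide("203.0.113.7", "bot@example.org", "joe@example.com", t0),
        g.decide("198.51.100.9", "friend@example.net", "joe@example.com", t0),
        g.decide("198.51.100.10", "friend@example.net", "joe@example.com", t0 + timedelta(minutes=6)),
        g.decide("198.51.100.9", "Friend@Example.net", "joe@example.com", t0 + timedelta(days=1)),
    ]
    g.expire(t0 + timedelta(days=3))
    return verdicts, len(g.pending), len(g.passed)
```

The caveats a practitioner should keep in view: a sender whose MTA never retries, or retries from an unrelated network, is delayed or loses mail, so known-good senders are normally exempted; and a bot that does retry correctly is let through, so greylisting is a cheap first stage in front of content filtering, not a verdict on its own.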
but the spamming paradigm of using open relays (which were at one point quite abundant in Asia) seems to have fallen out of fashion in favor of mail via zombie botnets.

Depends on your listings I'd suppose. In my case, there seems to be no lack of open proxies available in the .cn part of the world. This is based on the seemingly never-ending stream of attempted spam postings to the newsgroup archives.

Depends on your listings I'd suppose. In my case, there seems to be no lack of open proxies available in the .cn part of the world. This is based on the seemingly never-ending stream of attempted spam postings to the newsgroup archives.

Or forums :rolleyes: *sigh*

Though it is amazing when one (even accidentally) blocks a "key" IP - where you block that one and the spam postings drop 75%!

It's usually only 48 hours peace, but it is a lovely 48 hours, isn't it? :lol:

Cheers!


I think you could, perhaps, add the "white ips range" with a -j ACCEPT rule, and then after -j DENY anything else that tries to reach the port 25 ...

As a rule of thumb there may be less trustworthy hosts than others to fit better on your iptables ;)


This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....

And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?

You are right, the performance impact of blocking IP Ranges in a firewall** and router is substantive. The link** is to a whitepaper showing the drop in TCP connections and latency impact with an allow-only US policy. TechGuard makes an in-line appliance to block country ranges and by IP reputation before connections hit your firewall.

**http://www.techguard.com/support/breakingpoint-poliwall-testing/

[edit] link broken

Edited by Farelf

