IP Blacklisting

IP Blacklisting

Moein Sarvi
Hello,
is there any way to blacklist an IP address?
Re: IP Blacklisting

Karsten Bräckelmann-2
On Fri, 2013-07-12 at 05:14 +0430, Moein Sarvi wrote:
> Hello,
> is there any way to blacklist an IP address?

Yes. Step 1: Create your own blacklist. Step 2: Report the IP. Optional
step 3: Create rules in SA to query your blacklist created in step 1. Of
course, I am merely assuming here you are actually asking something
relevant to SA...

Joking apart, your question is *really* vague. In cases like this, it is
a lot better to describe your actual problem, rather than asking
something this broad. You still can add the missing info, and tell us
about your problem.


Bunch-o-pointers regarding "blacklisting" an IP address:

SA does not reject, quarantine, drop or deliver mail. All it does is
scoring. Thus, in case your "blacklisting" query involves these, you'd
better check back with your SA calling layer.

If you definitely are about rejecting mail from a given IP, you'd want
to look at your MX SMTP configuration.

If you are happy to "severely punish" mail sent from a given IP, without
a need to reject the mail, SA can do what you want. Punishment ranges
from scoring, classifying as spam, all the way up to quarantining and
simply dropping down the bin bucket -- the latter two depending on the
following tools in your mail-processing chain.

Flooring mail in SA sent via a given IP (aka blacklisting) is possible
in various ways, depending on your needs, configuration, accuracy of
your configuration (like receiving mail via mailing lists) -- and of
course your knowledge of mail headers, SA rules, SA pseudo headers, and
RE in general. But I digress...

Likely candidates are the X-Spam-Relays-* Untrusted and External pseudo
headers. But that could be done more efficiently in your SMTP, if you
mean *black* as a pseudonym of *block*.

And if you really dislike the IP, you could also craft some simple
Received header rules in SA. Though at this point, we're crossing the
line between blacklist and blacklist. And deep header parsing.


Where did I start off again? Oh, right -- what exactly is the problem
you're facing and the result you want to achieve?


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: IP Blacklisting

Simon Loewenthal-3

On 2013-07-12 9:02, Karsten Bräckelmann wrote:

> [...]
>
> Where did I start off again? Oh, right -- what exactly is the problem
> you're facing and the result you want to achieve?

Hi,

Perhaps:

# IPaddress: the literal address with its dots escaped, e.g. 192\.0\.2\.1
header   BLACKLIST_IP Received =~ /\[IPaddress\]/
score    BLACKLIST_IP 100
describe BLACKLIST_IP Disallow from IP address

If you use Postfix for your MTA, then drop into your header_checks file

# IPaddress: the literal address with its dots escaped; the address sits in
# brackets after the relay's host name, so match it anywhere on the line
/^Received: .*\[IPaddress\]/ REJECT Bye bye to your IP address

and then add to main.cf

header_checks = pcre:/etc/postfix/header_checks

Completely untested and not really thought about, of course. I suspect my regexes are broken, but this gives you an idea.
-- 
"I decided that I was a lemon for a couple of weeks. I kept myself amused all that time jumping in and out of a gin and tonic." simon@klunky .co.uk / .org
Re: IP Blacklisting

Moein Sarvi
I want to use a mechanism that can be done by shell programming to add and remove IP addresses daily and automatically.
My goal is to reject some IP addresses, and sometimes to raise the score of some other IPs as well.
Re: IP Blacklisting

Axb
On 07/12/2013 01:43 PM, Moein Sarvi wrote:
> I want to use a mechanism that can be done by shell programming to add
> remove daily IP address automatically
> my goal is  reject some IP addresses and rise up score of some other IP
> sometimes as well.
>

Google for rbldnsd - this is outside of SA's scope.
Re: IP Blacklisting

Karsten Bräckelmann-2
On Fri, 2013-07-12 at 13:22 +0430, Moein Sarvi wrote:
> First of all thanks for your great answer,

Please DO KEEP the thread on-list, and ONLY follow-up privately if you
really mean to. I am not the only one who can answer your questions.

> I wanna know both situations, I mean rejecting an IP address in the
> receive step and sometimes punishing some IP address and raising its score,

I suggest to carefully re-read my post.

As I clearly mentioned, rejecting at the SMTP stage is outside the scope
of SA, and actually is a layer earlier. Generally it seems most of your
questions could already be answered by googling and reading some
documentation.

As for the SA part and "punishing" (aka scoring) based on sender IP
address, I mentioned some likely candidates for rule writing. However,
the best solution depends -- which brings me to the next part I can only
reiterate from my previous post:

What exactly is the problem you're facing and the result you want to
achieve?


Re: IP Blacklisting

Benny Pedersen-2
Moein Sarvi skrev den 2013-07-12 02:44:

> is there any way to blacklist an IP address?

Nope, SpamAssassin does not block. If you want an IP blocked, do it at the
MTA stage.

All SpamAssassin can do is score and add headers.
Re: IP Blacklisting

Benny Pedersen-2
Simon Loewenthal skrev den 2013-07-12 12:11:

> If you use Postfix for your MTA, then drop into your header_checks
> file

or better make a cidr map file:

# cat cidr.map
192.168.1.0/24 REJECT
127.0.0.0/8 DUNNO

# in main.cf
smtpd_client_restrictions=
  ...
  check_client_access cidr:/path/to/cidr.map
  ...

Note the spaces in main.cf.

Depending on header_checks is the next best option.
Re: IP Blacklisting

Benny Pedersen-2
Moein Sarvi skrev den 2013-07-12 13:43:
> I want to use a mechanism that can be done by shell programming to
> add and remove IP addresses daily and automatically.
> My goal is to reject some IP addresses, and sometimes to raise the
> score of some other IPs as well.

Make shell scripts that maintain SQL IP blacklists, then use that SQL
table with regular SQL maps in Postfix; that saves rebuilding and reloading
maps once it is set up.
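The approach the thread converges on, a plain IP list maintained by a script that feeds both SpamAssassin (scoring, via the X-Spam-Relays-External pseudo-header Karsten points at) and Postfix (rejecting at SMTP time, via the cidr: client access map Benny shows), as an added example that is not code from any poster in this thread. File names, rule names, the list format and the sample addresses (RFC 5737 documentation ranges) are assumptions; the validation step is there because a feed entry is untrusted input to two config files.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): one plain-text IP list,
# maintained by whatever script adds/removes entries daily, is turned into
#   - a SpamAssassin rule file that raises the score of mail relayed via
#     listed addresses, and
#   - a Postfix cidr: access map that REJECTs listed clients at SMTP time.
# File names, rule names and the list format below are assumptions.
#
# List format, one entry per line, '#' lines are comments:
#   <IPv4 address or CIDR>   reject            -> Postfix cidr map, REJECT
#   <IPv4 address>           <numeric score>   -> SpamAssassin rule, that score

# Return 0 if $1 is an IPv4 address with an optional /prefix, else 1.
# Everything else is refused, so a malformed or hostile line in the feed
# cannot smuggle regex metacharacters or extra words into the generated
# config files.
valid_ip4() {
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { exit 1 }
        {
            n = split($1, o, ".")
            if (n != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            exit 0
        }'
}

# Escape the dots, so the rule for 192.0.2.1 does not also hit 192x0y2z1.
ip_regex() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Emit SpamAssassin rules for every scored entry in list file $1.
# X-Spam-Relays-External is a SpamAssassin pseudo-header; its first
# "[ ip=... ]" block is the last external relay, the host that handed the
# message to our trusted network. Anchoring on that block avoids matching
# the same address somewhere deeper in a forwarded message's Received chain.
emit_sa_rules() {
    n=0
    while read -r ip action; do
        case "$ip" in ''|'#'*) continue ;; esac
        [ "$action" = reject ] && continue
        valid_ip4 "$ip" || { echo "skip, bad address: $ip" >&2; continue; }
        case "$ip" in */*) echo "skip, scoring needs a single address: $ip" >&2; continue ;; esac
        case "$action" in ''|*[!0-9.]*) echo "skip, bad score for $ip: $action" >&2; continue ;; esac
        n=$((n + 1))
        printf 'header   LOCAL_BL_IP_%d X-Spam-Relays-External =~ /^\\[ ip=%s /\n' "$n" "$(ip_regex "$ip")"
        printf 'score    LOCAL_BL_IP_%d %s\n' "$n" "$action"
        printf 'describe LOCAL_BL_IP_%d Relayed via locally blacklisted IP %s\n\n' "$n" "$ip"
    done < "$1"
}

# Emit a Postfix cidr: access table for every "reject" entry in list file $1.
# Single addresses get /32 so the table is unambiguous. cidr: tables need no
# postmap, but Postfix reads them at startup, so run "postfix reload" after
# regenerating the file.
emit_cidr_map() {
    while read -r ip action; do
        case "$ip" in ''|'#'*) continue ;; esac
        [ "$action" = reject ] || continue
        valid_ip4 "$ip" || { echo "skip, bad address: $ip" >&2; continue; }
        case "$ip" in */*) cidr=$ip ;; *) cidr="$ip/32" ;; esac
        printf '%-18s REJECT client %s is on the local blacklist\n' "$cidr" "$ip"
    done < "$1"
}

# Constructed sample list (RFC 5737 documentation addresses, not real data).
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# ip-or-cidr       action
192.0.2.1          reject
198.51.100.0/24    reject
203.0.113.7        5.0
# scoring needs a single address, so the next line is skipped with a warning
203.0.113.0/24     3
# not an IPv4 address, skipped with a warning
999.1.1.1          reject
EOF

echo "# --- local_bl.cf (SpamAssassin) ---"
emit_sa_rules "$SAMPLE_LIST"
echo "# --- client_bl.cidr (Postfix) ---"
emit_cidr_map "$SAMPLE_LIST"
```

In practice the cron job writes the SpamAssassin output to the site rules directory (e.g. /etc/mail/spamassassin/local_bl.cf, an assumed path), checks it with `spamassassin --lint` and restarts spamd, and writes the Postfix output to the file named by `check_client_access cidr:/etc/postfix/client_bl.cidr` under `smtpd_client_restrictions` (as in the cidr map above) followed by `postfix reload`. The validator only guarantees well-formed addresses; an entry such as 0.0.0.0/0 would still reject everything, so the feed itself still needs to be trusted or reviewed.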
Re: IP Blacklisting

Benny Pedersen-2
Axb skrev den 2013-07-12 13:48:

> Google for rbldnsd - this is outside of SA's scope.

If users begin googling, maybe some will find this one:

http://mail-archives.apache.org/mod_mbox/spamassassin-users/201103.mbox/%3Calpine.DEB.2.00.1103141313230.2436@...%3E