[Mimedefang] Something new for filter_relay()

Cormack, Ken Ken.Cormack at roadway.com
Thu Aug 4 15:49:28 EDT 2005


Group,

After a lot of logfile analysis and testing, I've recently incorporated the
code below, into filter_relay(), in my mimedefang-filter.  It uses a free
perl module called Geo::IP, available directly from www.maxmind.com (and also
from CPAN).

What Geo::IP does, is map an IP address to a country of origin.  Free
monthly database updates, and paid subscriptions to weekly updates, are both
available.  The free updates promise 97% accuracy, with the paid updates
promising 99% accuracy.

I spent a lot of time crunching through my logfiles, comparing IP addresses
of inbound connections, to the ultimate disposition of an incoming message.
I found that for over 99% of the connections I looked at, coming from
various countries, those messages were blocked, rejected, quarantined, or
given fairly high SA scores.

Rather than running the full MIMEDefang battery of tests only to ultimately
reject these messages coming from countries with which we have no
business-need or expectations of receiving valid emails, we've decided to
try blocking based on country of origin of the IP address of the connecting
relay.  We check for the country code only if the connection is not coming
from one of our own IPs (or those of our parent or other subsidiaries), and
as a measure of insurance, have provided a hook into our existing whitelist
function, on the chance that my research missed something in the logs (or
that the database's accuracy claims would bite us on a particular IP
address/segment.)

If anyone wants to comment, I'd like to hear your feedback.  If anyone wants
to try this (it's been running great for the past week) be sure to set
MX_RELAY_CHECK=yes in your /etc/sysconfig/mimedefang script (Redhat), or
pass "-r" to mimedefang, at startup.

Ken

use Geo::IP;   # load once, near the top of mimedefang-filter

sub filter_relay {
    my ($hostip, $hostname) = @_;

    # Relayed_FromMyIPS() and whitelist_ip() are site-local helpers
    # defined elsewhere in this mimedefang-filter.
    if (!Relayed_FromMyIPS()) {
        #############################
        # This routine uses Geo::IP to determine the
        # ISO-3166-1 Country Code for the geographic
        # location of an IP address.  It is available
        # from http://www.maxmind.com.  Free monthly
        # database updates can be downloaded via cron, from
        # http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz
        #
        # A code of "A1" is an "Anonymous Proxy".
        # A code of "A2" indicates a "Satellite Provider".
        # And I assign "XX" to anything that GeoIP can
        # not locate in its database, just for logging
        # purposes.
        #############################

        # BR, Brazil
        # CL, Chile
        # CN, China
        # HK, Hong Kong
        # IN, India
        # KP, Korea, Democratic People's Republic of
        # KR, Korea, Republic of
        # MY, Malaysia
        # PH, Philippines
        # RU, Russian Federation
        # SG, Singapore
        # SI, Slovenia
        # SK, Slovakia
        # TW, Taiwan
        # UA, Ukraine
        # VN, Vietnam
        # ZA, South Africa

        # Country codes to reject.  qw() makes them strings rather than
        # barewords, so this is safe under "use strict".
        my @codes = qw(BR CL CN HK IN KP KR MY PH RU SG SI SK TW UA VN ZA);
        my $gi = Geo::IP->new();
        my $c_code = $gi->country_code_by_addr($hostip);
        my $c_name = $gi->country_name_by_addr($hostip);
        my $newIP = $hostip;

        # Geo::IP returns undef for an address it cannot locate.  Normalize
        # that *before* the block check, so an empty pattern can never
        # match every entry in @codes.
        if (!defined($c_code) || $c_code eq "") {
            $c_code = "XX";
            $c_name = "Not Found";
        }

        # See if it's a country we block (exact match, not a regex
        # substring match against the list)
        if (grep { $_ eq $c_code } @codes) {
            # check for exceptions in the whitelist
            if (whitelist_ip($hostip)) {
                md_syslog('info', "GEOIP_EXEMPT: $hostip, $c_code, $c_name");
            } else {
                # Convert the singular IP address into a Class-C formatted segment.
                $newIP =~ s/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/$1\.$2\.$3\.0\/24/;
                # log and reject
                md_syslog('info', "GEOIP_REJECT: $hostip, $c_code, $c_name");
                return("REJECT", "This server does not accept mail from $newIP, $c_code, $c_name");
            }
        }

        # connection is from an allowed country
        md_syslog('info', "GEOIP_ACCEPT: $hostip, $c_code, $c_name");
    }
    return ('CONTINUE', 'ok');
}
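The following is an added example, not code from Ken's post or from the MIMEDefang project: a standalone Perl script that dry-runs the same country policy over a list of connecting relay IPs and tallies what the filter would do, so the policy can be checked against real log data before MX_RELAY_CHECK is switched on. The IP list, the stand-in lookup table (used instead of a GeoIP database so the script runs offline), the exempt network 203.0.113.0/24 (standing in for the site's own whitelist_ip() helper) and the decision to treat code "A1" (anonymous proxy) like a blocked country are all assumptions made for the example; the original filter checks only its country list.

```perl
#!/usr/bin/perl
# Added example, not part of the original filter: dry-run the country
# policy over connecting IPs and tally the outcome before enabling
# MX_RELAY_CHECK.  The IP list, lookup table, whitelist network and the
# A1 handling are constructed assumptions for illustration.
use strict;
use warnings;

# Same reject list as the filter, as a hash for exact-match lookups.
my %blocked = map { $_ => 1 }
    qw(BR CL CN HK IN KP KR MY PH RU SG SI SK TW UA VN ZA);

# Networks exempt from the country check (constructed; stands in for
# the site's whitelist_ip() helper).
my @whitelist_cidr = ('203.0.113.0/24');

# Stand-in for the GeoIP database so the script runs without one.
# In production replace lookup() with $gi->country_code_by_addr($ip)
# and $gi->country_name_by_addr($ip) from Geo::IP.
my %fake_db = (
    '198.51.100.7' => ['CN', 'China'],
    '203.0.113.9'  => ['RU', 'Russian Federation'],
    '192.0.2.1'    => ['US', 'United States'],
    '192.0.2.200'  => ['A1', 'Anonymous Proxy'],
);

sub lookup {
    my ($ip) = @_;
    # Unknown addresses get "XX"/"Not Found", as in the filter.
    return @{ $fake_db{$ip} || ['XX', 'Not Found'] };
}

# True if dotted-quad $ip falls inside $cidr (e.g. "10.0.0.0/8").
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
    my $to_n = sub { unpack('N', pack('C4', split /\./, shift)) };
    return (($to_n->($ip) & $mask) == ($to_n->($net) & $mask));
}

# Returns (ACTION, code, name[, rejected network]).
sub decide {
    my ($ip) = @_;
    my ($code, $name) = lookup($ip);
    # Blocking "A1" (anonymous proxy) as well is this example's choice;
    # the original filter only checks the country list.
    if ($blocked{$code} || $code eq 'A1') {
        return ('EXEMPT', $code, $name)
            if grep { in_cidr($ip, $_) } @whitelist_cidr;
        # Same /24 rewrite the filter puts in its reject message.
        (my $net = $ip) =~ s/\.\d+$/.0\/24/;
        return ('REJECT', $code, $name, $net);
    }
    return ('ACCEPT', $code, $name);
}

# Constructed sample of connecting relay IPs (in practice, pull these
# from your MTA log).
my @sample_ips = ('198.51.100.7', '203.0.113.9', '192.0.2.1',
                  '192.0.2.200', '192.0.2.77');

my %tally;
for my $ip (@sample_ips) {
    my ($action, $code, $name, $net) = decide($ip);
    $tally{$code}{$action}++;
    printf "%-15s %-7s %s, %s%s\n", $ip, $action, $code, $name,
        $action eq 'REJECT' ? " (would reject $net)" : '';
}

print "\nSummary by country code:\n";
for my $code (sort keys %tally) {
    printf "  %s: %s\n", $code,
        join ', ', map { "$_=$tally{$code}{$_}" } sort keys %{ $tally{$code} };
}
```

Feeding this the IPs of a week of inbound connections, with lookup() swapped for the real Geo::IP calls, gives a per-country count of ACCEPT, EXEMPT and REJECT outcomes to compare against the messages' actual dispositions before any connection is refused; a country that would be rejected but whose mail was mostly delivered is a sign the list needs trimming or the whitelist widening.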


