[Mimedefang] Netblock 222

Jan Pieter Cornet johnpc at xs4all.nl
Mon Oct 10 16:10:40 EDT 2005


On Mon, Oct 10, 2005 at 11:52:54AM -0500, Damrose, Mark wrote:
> I've been getting a bunch of spam from zombied hosts in the 222.x.x.x range.
> Much of it gets blocked by spamhaus and other lists, but there's been enough
> left that it's noticeable.  Whois says that this netblock is assigned to
> "Air Force Logistics Command".  The senders of the spam vary, but none of
> them are domains that have SPF.

The 222/8 "netblock" is assigned to APNIC, the Asian Pacific region,
where it is distributed further to individual ISPs or customers. You can
verify this from: http://www.iana.org/assignments/ipv4-address-space

whois.apnic.net contains further information on the distribution, e.g.,
222.0.0.0 - 222.15.255.255 is allocated to a "KDDI Corporation" in Tokyo,
Japan. The next block, 222.16.0.0/21 is allocated to a university in
China. I couldn't find any af.mil networks, offhand.

So if you block this entire network, you're blocking a pretty large
amount of addresses in the Asian Pacific region... but likely only
the most recently allocated ones. If you want to be complete, go over
the ipv4-address-space I mentioned above and look up all netblocks
belonging to APNIC.

However, it does seem excessive to me... simply blocking about a
third of the world (remember Australia is also in that area).
You might be better off using a country-specific blocking list
such as cn.rbl.cluecentral.net, kr.rbl.cluecentral.net etc, and
leaving your "postmaster" and/or "abuse" address explicitly open
in case someone does need to contact you from those areas.

> Does anybody see any downside to doing something like:
> sub filter_sender($$$$) {
>     my ($sender, $ip, $hostname, $helo) = @_;
> 
>     if ( ($ip =~ /^222\./) && ($sender !~ /af\.mil\>?/i) ) {
>         return ('REJECT', 'Not USAF address');
>     }
> 
>     return ('CONTINUE', 'OK');
> 
> }

You mean apart from the fact that it's very easy to spoof, too generic
of a blocking method, that the af.mil exception likely has nothing to do
with the 222/8 netblock, and that the exception isn't strict enough (it
would match mail from <decaf.milk.sugar at example.com>)? 

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
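Added example (not from either poster): a Python sketch of the two points made in the reply, checking a connecting IP against /8 prefixes read from a constructed excerpt in the shape of the IANA ipv4-address-space registry, and comparing the quoted `af\.mil\>?` test with an anchored domain match. The CIDR list and the `filter_sender` decision shape are assumptions mirroring the quoted filter, not MIMEDefang's own API.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the IANA ipv4-address-space registry
# (prefix, designation, whois server per /8). Sample rows, not a live copy.
IANA_SAMPLE = """\
221/8,APNIC,whois.apnic.net
222/8,APNIC,whois.apnic.net
223/8,APNIC,whois.apnic.net
224/8,Multicast,
"""

def registry_prefixes(text, designation):
    """Return the /8 networks whose designation column equals `designation`."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, who, _whois = line.split(",", 2)
        if who != designation:
            continue
        octet, bits = prefix.split("/")
        # The registry writes "222/8" as shorthand for 222.0.0.0/8
        nets.append(ipaddress.ip_network(f"{int(octet)}.0.0.0/{bits}"))
    return nets

def ip_in_nets(ip, nets):
    """True if `ip` falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

# The quoted filter's test: only requires the substring "af.mil" somewhere.
LOOSE_AFMIL = re.compile(r"af\.mil>?", re.I)
# Anchored form: the address must end in @af.mil or @<sub>.af.mil.
STRICT_AFMIL = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)*af\.mil$", re.I)

def is_afmil_sender(sender, strict=True):
    pattern = STRICT_AFMIL if strict else LOOSE_AFMIL
    return pattern.search(sender) is not None

def filter_sender(sender, ip, blocked_nets):
    """Same decision shape as the quoted MIMEDefang filter_sender (assumed),
    but with real CIDR membership and an anchored domain check."""
    if ip_in_nets(ip, blocked_nets) and not is_afmil_sender(sender):
        return ("REJECT", "Not USAF address")
    return ("CONTINUE", "OK")
```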
