[Mimedefang] Re: Netblock 222

Ian Mitchell trash at aftermagic.com
Tue Oct 11 09:27:31 EDT 2005


While I can see David squirm when I state this, I just block APNIC at the
kernel through IPTables. The nice thing about IP Tables is that there's
very little overhead, so I'm sure you could likely do that if you were
inclined. Letting Mimedefang site filter based on IP is probably a tad
much CPU for a meager blockade of the email. Now if you were inclined to
site filter with other conditions, that would be different.

Just a thought.

Oh, and no, I don't get legitimate email from APNIC. And since my user
base is very very small, they don't either. Probably not suitable to
siteban an entire region of the world if you have a couple of users on your
system. Been thinking about site banning RIPE too, but the problem there
is there's a lot of emails that come from mailing lists that originate in
.co.uk or something similar. ;)

Yes yes, I know, that breaks the RFC. Well, if I wanted viruses from
Chinese hackers, I'd let them in by following the RFC ;)

In case you're curious...

-A INPUT -s 58.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 60.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 59.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 202.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 210.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 218.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 220.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 222.0.0.0/255.0.0.0 -j DROP

No more Asia.

As for the issues with emails coming from the Air Logistics Command,
perhaps you might consider forwarding some logs and whatnot to
www.cert.mil. I know they'd be interested in zombie hosts that belong on
the DoD network. Don't expect a reply, but I know those folks would
definitely appreciate it.

Thanks,
Ian.

> From: "Damrose, Mark" <mdamrose at elgin.edu>
> Subject: [Mimedefang] Netblock 222
>
> I've been getting a bunch of spam from zombied hosts in the 222.x.x.x
> range.
> Much of it get blocked by spamhaus and other lists, but there's been
> enough
> left that it's noticeable.  Whois says that this netblock is assigned to
> "Air Force Logistics Command".  The senders of the spam vary, but none of
> them are domains that have spf.
>
> Does anybody see any downside to doing something like:
> sub filter_sender($$$$) {
>     my ($sender, $ip, $hostname, $helo) = @_;
>
>     if ( ($ip =~ /^222\./) && ($sender !~ /af\.mil\>?/i) ) {
>         return ('REJECT', 'Not USAF address');
>     }
>
>     return ('CONTINUE', 'OK');
>
> }
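As an added illustration of the two approaches discussed in this thread (not code from either poster), the Python below reads the dotted-mask iptables DROP rules quoted above into CIDR blocks with the standard ipaddress module, collapses the redundant ones, and applies the quoted filter_sender() policy using real network membership instead of a string-prefix regex, generalised from 222/8 to the whole list. The rule text, addresses and sender strings are constructed for the example.

```python
import ipaddress
import re

# Constructed copy of the DROP rules from the post, dotted masks as written.
IPTABLES_RULES = """
-A INPUT -s 58.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 60.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 59.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 202.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 210.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 218.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 220.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 222.0.0.0/255.0.0.0 -j DROP
"""

RULE_RE = re.compile(r"-s\s+(\S+)\s+-j\s+DROP")


def parse_drop_rules(text):
    """Return the -s argument of each DROP rule as an IPv4Network.
    ipaddress accepts 'addr/dotted-mask' as well as 'addr/prefixlen',
    so 58.0.0.0/254.0.0.0 becomes 58.0.0.0/7."""
    nets = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=True))
    return nets


def collapse(nets):
    """Merge overlapping or adjacent blocks; 58/7 already covers 59/8."""
    return list(ipaddress.collapse_addresses(nets))


def blocked_by_kernel(ip, nets):
    """True if the iptables rules above would DROP packets from ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


# Anchored version of the quoted /af\.mil\>?/ test: MIMEDefang passes the
# envelope sender with angle brackets, e.g. "<user@af.mil>".
AF_MIL_RE = re.compile(r"@af\.mil>?$", re.I)


def filter_sender(sender, ip, nets):
    """Same policy as the quoted filter_sender(): reject mail from a listed
    block unless the envelope sender is an af.mil address."""
    if blocked_by_kernel(ip, nets) and not AF_MIL_RE.search(sender):
        return ("REJECT", "Not USAF address")
    return ("CONTINUE", "OK")
```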
