[Mimedefang] 100K SA limit doesn't seem to be enough any more :(

Cormack, Ken Ken.Cormack at yrcw.com
Wed Mar 19 08:53:12 EDT 2008


Something we've used successfully here is blocking based on geographic
country of origin, of the IP address of the relay.  Using MaxMind's GeoIP
perl module and database (updated regularly via cron), we block traffic
coming from countries we don't do business with.  Using a whitelist, we can
also allow known/selected IP addresses from countries we otherwise would
block completely.  I've added the code we use for the GeoIP stuff, below -
beware of line-wrap.

You make no mention of whether you do SPF checks.
Also, we've had great success blocking patterns/key-phrases in subject-lines
(search the archives - I've posted that code before.)

Ken

GeoIP lookups in filter_sender... (watch for line-wrap, in this email!)

  # This routine uses Geo::IP to determine the
  # ISO-3166-1 Country Code for the geographic
  # location of an IP address.  It is available
  # from http://www.maxmind.com.  Free monthly
  # database updates can be downloaded via cron, from
  # http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz
  # You can quickly look up the country codes and countries by
  # googling for "iso-3166-1".
  # A code of "A1" is an "Anonymous Proxy".
  # A code of "A2" indicates a "Satellite Provider".
  # And I assign "XX" to anything that GeoIP can
  # not locate in its database.  These codes are
  # not blocked.
  # These are the country codes to block.  qw() quotes each
  # code, so the list also compiles under "use strict".
  my @codes = qw(AD AE AF AG AI AL AM AN AO AR AS AT
                 AW AZ BA BB BD BF BG BH BI BJ BN BO
                 BR BS BT BW BY BZ CC CD CF CG CH CI
                 CK CL CM CN CO CR CS CU CY CZ DJ DK
                 DM DO DZ EC EE EG EH ER ET FI FJ FK
                 FM FO GA GD GE GF GH GI GM GN GW GP
                 GQ GR GT GU GY HK HN HR HT HU ID IL
                 IN IQ IR IS JM JO JP KE KG KH KI KM
                 KN KP KR KW KY KZ LA LB LC LI LK LR
                 LS LT LU LV LY MA MC MD MG MH MK ML
                 MM MN MO MP MQ MR MS MT MV MW MY MZ
                 NA NC NE NF NG NI NL NO NP NR NU NZ
                 OM PA PE PF PG PH PK PL PM PN PS PT
                 PW PY QA RO RU RW SA SB SC SD SG SH
                 SI SK SL SM SN SO SR ST SV SY SZ TC
                 TD TG TH TJ TK TL TM TN TO TR TT TV
                 TW TZ UA UG UY UZ VA VC VE VN VU WF
                 WS YE YT ZA ZM ZW);
  use Geo::IP;
  my $gi = Geo::IP->new ();
  my $c_code = $gi->country_code_by_addr ($ip);
  my $c_name = $gi->country_name_by_addr ($ip);
  my $newIP  = $ip;

  # Assign "XX" before the block check.  Geo::IP returns undef for an
  # address it cannot locate, and matching /$c_code/ with an empty code
  # is the empty pattern, which Perl treats as "repeat the last
  # successful match" rather than as a literal test.
  if (!defined $c_code || $c_code eq '') {
    $c_code = 'XX';
    $c_name = 'Not Found';
  }

  # See if it's a country we block (exact string match on the code,
  # not a regex, so a partial code can never match by accident)
  if (grep { $_ eq $c_code } @codes) {
    # check for exceptions in the whitelist
    # ($whitelist_ip_status and $whitelist_sender_status are set by
    # the whitelist checks earlier in the filter, not shown here)
    if (   $whitelist_ip_status
        || $whitelist_sender_status) {
      md_syslog ('info', "$QueueID: GEOIP_EXEMPT: $sender, $ip, $c_code, $c_name");
    } ## end if ($whitelist_ip_status...
    else {
      # Convert the singular IP address into a Class-C formatted segment.
      $newIP =~ s/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/$1\.$2\.$3\.0\/24/;
      # log and reject
      md_syslog ('info', "$QueueID: GEOIP_REJECT: $ip, $c_code, $c_name");
      return ('REJECT', "This server does not accept mail from $newIP, $c_code, $c_name");
    } ## end else [ if ($whitelist_ip_status...
  } ## end if (grep { $_ eq $c_code } @codes...
  else {
    # connection is from an allowed country
    md_syslog ('info', "$QueueID: GEOIP_ACCEPT: $ip, $c_code, $c_name");
  } ## end else [ if (grep { $_ eq $c_code } @codes...

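The following is an added example, not Ken's filter code and not part of MIMEDefang or Geo::IP. It isolates the country-block decision described above (block list, IP and sender whitelist, exact code matching, "XX" for unlocatable addresses, /24 in the rejection text) in plain functions that run without a GeoIP database. The lookup table `%fake_geoip`, the RFC 5737 test addresses, the short `@block_codes` list, the `@whitelist_cidrs` and `%whitelist_senders` exceptions, and the function names `lookup_country`, `in_cidr`, `whitelisted` and `geoip_decision` are all assumptions made for the example; a real filter_sender would take `$ip` and `$sender` from its arguments and get the code from `$gi->country_code_by_addr($ip)`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Country codes to reject (short list for the example; the real
# filter carries the full list).
my @block_codes = qw(CN RU NG);

# Exceptions: CIDR ranges and sender addresses allowed to mail us
# even when the relay sits in a blocked country (assumed values).
my @whitelist_cidrs   = qw(203.0.113.0/24);
my %whitelist_senders = map { $_ => 1 } qw(partner@example.com);

# Constructed lookup table standing in for Geo::IP.  Real code would
# call $gi->country_code_by_addr($ip) / country_name_by_addr($ip).
my %fake_geoip = (
    '203.0.113.7'  => [ 'CN',  'China' ],
    '198.51.100.9' => [ 'US',  'United States' ],
    '192.0.2.44'   => [ 'CN',  'China' ],
    '192.0.2.99'   => [ undef, undef ],      # not in the database
);

# Returns (code, name); unlocatable addresses become "XX" and are
# therefore never on the block list.
sub lookup_country {
    my ($ip) = @_;
    my ($code, $name) = @{ $fake_geoip{$ip} || [ undef, undef ] };
    return ('XX', 'Not Found') unless defined $code && $code ne '';
    return ($code, $name);
}

# Dotted-quad IPv4 address to a 32-bit integer.
sub ip_to_int {
    my @o = split /\./, $_[0];
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True if $ip lies inside the CIDR block "a.b.c.d/n".
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (ip_to_int($ip) & $mask) == (ip_to_int($net) & $mask);
}

# Whitelist check: exact sender address or any listed CIDR.
sub whitelisted {
    my ($ip, $sender) = @_;
    return 1 if defined $sender && $whitelist_senders{ lc $sender };
    return 1 if grep { in_cidr($ip, $_) } @whitelist_cidrs;
    return 0;
}

# Returns (verdict, message) in the spirit of filter_sender's
# ('REJECT', ...) / ('CONTINUE', ...) return values.
sub geoip_decision {
    my ($ip, $sender) = @_;
    my ($code, $name) = lookup_country($ip);

    # Exact match on the code; a regex grep would let an empty
    # code behave unpredictably.
    return ('CONTINUE', "GEOIP_ACCEPT: $ip, $code, $name")
        unless grep { $_ eq $code } @block_codes;

    return ('CONTINUE', "GEOIP_EXEMPT: $sender, $ip, $code, $name")
        if whitelisted($ip, $sender);

    # Report the enclosing /24 rather than the single address.
    (my $net = $ip) =~ s/\.\d+$/.0\/24/;
    return ('REJECT',
        "This server does not accept mail from $net, $code, $name");
}

# Stand-alone demonstration over the constructed cases.
for my $case (
    [ '203.0.113.7',  'bob@example.net' ],   # CN, but relay CIDR is whitelisted
    [ '192.0.2.44',   'bob@example.net' ],   # CN, rejected as 192.0.2.0/24
    [ '192.0.2.44',   'partner@example.com' ], # CN, sender is whitelisted
    [ '198.51.100.9', 'bob@example.net' ],   # US, accepted
    [ '192.0.2.99',   'bob@example.net' ],   # unknown -> XX, accepted
) {
    my ($verdict, $msg) = geoip_decision(@$case);
    print "$verdict  $msg\n";
}
```

The sender whitelist is compared case-insensitively and the IP whitelist by CIDR, so one partner entry covers a whole relay range instead of a single host; both checks run only after the country has already matched the block list, which keeps the common case (an allowed country) to a single list lookup.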

-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of Simon
Standley
Sent: Wednesday, March 19, 2008 7:57 AM
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] 100K SA limit doesn't seem to be enough any more :(


Guys,

we're seeing a steady increase in the size of HTML spam here, a great deal
of which is well over the 100K. Since prevailing wisdom is that messages >
100K probably aren't spam, they are omitted from SpamAssassin checks, and
generally get delivered to users.

Sure, I guess I could just keep increasing the size limit until folks stop
complaining, but just a question of where you draw the line? Some of this
stuff is 700K+.

I'm presently re-educating users re- "we never said we'd block 100% of
anything", but frankly that's a cop-out (and they know it :).

I already block ZEN, XBL, and persistent offender IPs at MTA level, and do
greylisting via grey-milter, which obviously helps a bit.

Does anyone have any suggestions beyond increasing size limit until MTA
starts swearing at me??

Thanks

Mup.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
