[Mimedefang] Issues w/ GeoIP2

giovanni at paclan.it giovanni at paclan.it
Tue Mar 11 12:59:02 EDT 2025


On 3/11/25 4:57 PM, Philip Prindeville wrote:
> 
> 
>> On Mar 10, 2025, at 2:01 AM, giovanni--- via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
>>
>> On 3/10/25 7:05 AM, Philip Prindeville via MIMEDefang wrote:
>>> Hi,
>>> I’ve started seeing the following recently:
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: No record found for IP address 167.94.138.174
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: Trace begun at /
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: usr/share/perl5/vendor_perl/GeoIP2/Database/Reader.pm line 88
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: G
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: eoIP2::Database::Reader::_model_for_address('GeoIP2::Database::
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: Reader=HASH(0x557f24549ab8)', 'ASN', 'type_check', 'Regexp=REGE
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: XP(0x557f2b13eba8)', 'is_flat', 1, 'ip', 167.94.138.174) called
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr:  at /usr/share/perl5/vendor_perl/GeoIP2/Database/Reader.pm line
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr:  113
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: GeoIP2::Database::Reader::asn('GeoIP2::Database::Reader=HA
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: SH(0x557f24549ab8)', 'ip', 167.94.138.174) called at /etc/mail/
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: mimedefang-filter line 3068
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::filter_helo(167.94.138.174, '
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: [167.94.138.174]', 'www.censys.io', 46632, 192.168.8.3, 25, '52
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: A5RhOI1495862') called at /usr/bin/mimedefang.pl line 686
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main:
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: :handle_helook(167.94.138.174, '[167.94.138.174]', 'www.censys.
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: io', 46632, 192.168.8.3, 25, '52A5RhOI1495862') called at /usr/
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: bin/mimedefang.pl line 505
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::do_main_loop at /usr/bin/mimed
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: efang.pl line 474
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::main at /usr/bin/mimedefang.pl line 152
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: 1
>>> apologies for the crappy line-wrapping.
>>> I’m not sure why it’s not able to find a record for that.  The CIDR 167.94.138.174/24 is known to be ASN 398324.
>> could you post an extract of /etc/mail/mimedefang-filter around line 3068 ?
>> GeoIP2 code is part of your mimedefang-filter code.
>> Which MIMEDefang version are you running ?
>> Thanks
>>   Giovanni
> 
> 
> I’m running Fedora 41 (LTS), so 3.6.1 is what ships with that.
> 
> My code looks like:
> 
>[...]
> sub filter_helo($$$$$$$) {
>      __enter();
> 
>      my ($hostip, $hostname, $helo, $hostport, $serverip, $serverport, $qid) = @_;
> 
>      if ($serverport == 25) {
>> 
>          if (defined $reader2 && $hostip ne '127.0.0.1') {
>              my $asn = $reader2->asn(ip => $hostip);
$reader2->asn() outputs to STDOUT if it cannot find the IP address;
you should write your code this way instead:

             my $asn;
             eval {
               $asn = $reader2->asn(ip => $hostip);
             };
             if($@) {
               md_syslog("Warning", "Could not find ASN for ip $hostip");
             }


>              if (defined $asn) {
>                  my $num = $asn->autonomous_system_number();
>                  my $org = $asn->autonomous_system_organization();
>                  md_syslog('debug', "helo: AS $num is '$org'");
>                  if (exists $bad_isp{$org}) {
>                      md_syslog('debug', "helo: This ISP has been blacklisted");
>                      __leave();
>                      return ('REJECT', "This ISP has been blacklisted");
>                  }
>              }
>          }
> 
> 
> As for GeoIP2:
> 
> [root at mail mail]# mmdblookup -f /usr/share/GeoIP/GeoLite2-ASN.mmdb -i 167.94.138.174
> 
>    {
>      "autonomous_system_number":        398324 <uint32>
>      "autonomous_system_organization":        "CENSYS-ARIN-01" <utf8_string>
>    }
> 
> [root at mail mail]#
> [root at mail mail]# ls -ltr /usr/share/GeoIP/
> total 76656
> -rw-r--r--. 1 root root  9846544 Mar 11 09:44 GeoLite2-ASN.mmdb
> -rw-r--r--. 1 root root  8828854 Mar 11 09:44 GeoLite2-Country.mmdb
> -rw-r--r--. 1 root root 59816818 Mar 11 09:44 GeoLite2-City.mmdb
> [root at mail mail]#
> 
> 
> 
>>
>>> Has anyone else seen this?
>>> Thanks,
>>> -Philip
>>> _
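
Added example, not part of the original messages or of MIMEDefang's own code: the eval wrapper suggested above, extended into a helper that separates "no record" from other lookup failures and logs only the exception message instead of the stringified stack trace seen in the syslog excerpt. `lookup_asn`, `Local::MockReader` and `Local::MockError` are hypothetical names; the mock stands in for the GeoIP2 reader so the script runs without a database, and the `GeoIP2::Error::IPAddressNotFound` check assumes the reader throws that class.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Look up the ASN record without letting a lookup failure escape the filter.
# Returns ($record, $status, $detail); $status is 'ok', 'not_found' or 'error'.
sub lookup_asn {
    my ($reader, $ip) = @_;
    return (undef, 'error', 'no reader or IP') unless defined $reader && defined $ip;

    my $asn;
    # "eval { ...; 1 }" reports failure even when $@ is clobbered or stringifies false.
    my $ok = eval { $asn = $reader->asn(ip => $ip); 1 };
    return ($asn, 'ok', '') if $ok && defined $asn;

    my $err = $ok ? 'lookup returned no record' : $@;
    # Exception objects may stringify with a full stack trace; keep only the message.
    my $msg = (blessed($err) && $err->can('message')) ? $err->message : "$err";
    $msg =~ s/\s+/ /g;
    my $not_found = (blessed($err) && $err->isa('GeoIP2::Error::IPAddressNotFound'))
                 || $msg =~ /^No record found for IP address/;
    return (undef, $not_found ? 'not_found' : 'error', $msg);
}

# Constructed stand-ins: an error that stringifies with a trace, and a reader
# that knows one documentation-range address.
package Local::MockError {
    use overload '""' => sub { $_[0]{message} . "\n\nTrace begun at ... (constructed)\n" };
    sub message { $_[0]{message} }
}
package Local::MockReader {
    my %db = ('192.0.2.10' => { number => 64500, org => 'EXAMPLE-NET' });
    sub new { bless {}, shift }
    sub asn {
        my ($self, %args) = @_;
        my $rec = $db{ $args{ip} }
            or die bless { message => "No record found for IP address $args{ip}" }, 'Local::MockError';
        return $rec;
    }
}

my $reader = Local::MockReader->new;
for my $ip ('192.0.2.10', '198.51.100.7') {
    my ($asn, $status, $detail) = lookup_asn($reader, $ip);
    # In a real filter this line would go to md_syslog() instead of STDOUT.
    print "helo: ASN lookup for $ip: $status", ($detail ne '' ? " ($detail)" : ''), "\n";
}
```

In a filter, only the `ok` status should reach the blacklist check; `not_found` and `error` fall through so a lookup failure never rejects mail or kills the worker.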
