[Mimedefang] Issues w/ GeoIP2

Tue Mar 11 12:59:02 EDT 2025

On 3/11/25 4:57 PM, Philip Prindeville wrote:
> 
> 
>> On Mar 10, 2025, at 2:01 AM, giovanni--- via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
>>
>> On 3/10/25 7:05 AM, Philip Prindeville via MIMEDefang wrote:
>>> Hi,
>>> I’ve started seeing the following recently:
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: No record found for IP address 167.94.138.174
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: Trace begun at /
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: usr/share/perl5/vendor_perl/GeoIP2/Database/Reader.pm line 88
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: G
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: eoIP2::Database::Reader::_model_for_address('GeoIP2::Database::
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: Reader=HASH(0x557f24549ab8)', 'ASN', 'type_check', 'Regexp=REGE
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: XP(0x557f2b13eba8)', 'is_flat', 1, 'ip', 167.94.138.174) called
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr:  at /usr/share/perl5/vendor_perl/GeoIP2/Database/Reader.pm line
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr:  113
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: GeoIP2::Database::Reader::asn('GeoIP2::Database::Reader=HA
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: SH(0x557f24549ab8)', 'ip', 167.94.138.174) called at /etc/mail/
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: mimedefang-filter line 3068
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::filter_helo(167.94.138.174, '
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: [167.94.138.174]', 'www.censys.io', 46632, 192.168.8.3, 25, '52
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: A5RhOI1495862') called at /usr/bin/mimedefang.pl line 686
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main:
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: :handle_helook(167.94.138.174, '[167.94.138.174]', 'www.censys.
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: io', 46632, 192.168.8.3, 25, '52A5RhOI1495862') called at /usr/
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: bin/mimedefang.pl line 505
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::do_main_loop at /usr/bin/mimed
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: efang.pl line 474
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::main at /usr/bin/mimedefang.pl line 152
>>> Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: 1
>>> apologies for the crappy line-wrapping.
>>> I’m not sure why it’s not able to find a record for that.  The CIDR 167.94.138.174/24 is known to be ASN 398324.
>> could you post an extract of /etc/mail/mimedefang-filter around line 3068 ?
>> GeoIP2 code is part of your mimedefang-filter code.
>> Which MIMEDefang version are you running ?
>> Thanks
>>   Giovanni
> 
> 
> I’m running Fedora 41 (LTS), so. 3.6.1 is what ships with that.
> 
> My code looks like:
> 
> …
[...]
> sub filter_helo($$$$$$$) {
>      __enter();
> 
>      my ($hostip, $hostname, $helo, $hostport, $serverip, $serverport, $qid) = @_;
> 
>      if ($serverport == 25) {
> …
> 
>          if (defined $reader2 && $hostip ne '127.0.0.1') {
>              my $asn = $reader2->asn(ip => $hostip);
$reader2->asn() output to STDOUT if it cannot find the ip address,
you should write you code this way instead:

             my $asn;
             eval {
               $asn = $reader2->asn(ip => $hostip);
             };
             if($@) {
               md_syslog("Warning", "Could not find ASN for ip $hostip");
             }


>              if (defined $asn) {
> 		my $num = $asn->autonomous_system_number();
>                  my $org = $asn->autonomous_system_organization();
> 		md_syslog('debug', "helo: AS $num is '$org'”);
> 		if (exists $bad_isp{$org}) {
> 		    md_syslog('debug', "helo: This ISP has been blacklisted”);
> 		    __leave();
> 		    return ('REJECT', "This ISP has been blacklisted”);
> 		}
> 	    }
> 	}
> 
> 
> As for GeoIP2:
> 
> [root at mail mail]# mmdblookup -f /usr/share/GeoIP/GeoLite2-ASN.mmdb -i 167.94.138.174
> 
>    {
>      "autonomous_system_number":        398324 <uint32>
>      "autonomous_system_organization":        "CENSYS-ARIN-01" <utf8_string>
>    }
> 
> [root at mail mail]#
> [root at mail mail]# ls -ltr /usr/share/GeoIP/
> total 76656
> -rw-r--r--. 1 root root  9846544 Mar 11 09:44 GeoLite2-ASN.mmdb
> -rw-r--r--. 1 root root  8828854 Mar 11 09:44 GeoLite2-Country.mmdb
> -rw-r--r--. 1 root root 59816818 Mar 11 09:44 GeoLite2-City.mmdb
> [root at mail mail]#
> 
> 
> 
>>
>>> Has anyone else seen this?
>>> Thanks,
>>> -Philip
>>> _

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20250311/367442cb/attachment.sig>