Spam Filter ISP Support Forum


More problems blocking by IP address

Abel (Guest Group)
Posted: 14 July 2003 at 7:35pm

Hi Roberto,

I have included the IP 200.218.224.2 in my black list by IP address, but SpamFilter is also blocking emails from 200.218.224.239. How can I avoid this?

Is it possible to include comments in the black/white lists?

Thanks,

Abel

LogSat (Admin Group)
Posted: 14 July 2003 at 9:29pm

Abel,

For speed and efficiency, SpamFilter performs substring checks on the black/white lists. For this reason, as you discovered, an entry of

200.218.224.2

will match 200.218.224.2, but also 200.218.224.21, 200.218.224.26, 200.218.224.200, 200.218.224.239 etc. There is currently no plan to change this behavior.

The lists are taken literally; any content in them is treated as a keyword, thus keywords are not allowed.

Roberto Franceschetti
LogSat Software

abel (Guest Group)
Posted: 15 July 2003 at 9:26pm

Roberto,

I'm a little worried about this way of processing the black list for IP addresses. We can lose important messages because of that and I will be crucified here because of that.

Another thing is that I can't block, for example, only the class C of 64.0.0.0. Correct me if I'm wrong, but SpamFilter will block all the class B of it. And that's not good either.

Thanks for your info,

Abel.

 

 

Desperado (Senior Member)
Posted: 16 July 2003 at 12:59am

Abel,

Do you run a DNS server?  If not, can you?  What I do is run my own dnsbl DNS server (just like a "public" Black Hole list).  I have "dnsbl.mags.net" in the SpamFilter.ini file as an entry under the [blacklists] section.  Using this I can block any IP I want or any group of IPs.  Some of my blocks are, in fact, class C's and those really could be in the SpamFilter "Blocked IP's" list but I prefer to use my "private" black hole list and have some automated scripts to add or remove the IPs that I want to block.

This method may solve your problem and prevent any crucifixions from occurring. The DNS server doesn't have to be a "registered" server, as long as the mail server knows how to get to it.  Does this make sense to you or have I only confused you?  I actually started running this way long before I started running SpamFilter because my antivirus Mail Server had a similar issue ... mainly it was very hard to get the exact range of IPs in that server.

If you require more information, have Roberto send you my email address and we can discuss it off the forum.

Regards,

Dan S

abel (Guest Group)
Posted: 16 July 2003 at 9:48pm

Hi Dan,

It's really a great idea to have a blacklist in a local DNS. I will implement this.

Thanks very much,

Abel.

 

Desperado (Senior Member)
Posted: 16 July 2003 at 10:58pm

Abel,

Do you know the format for a standard dnsbl DNS server?  It is easy but sometimes people don't realize it is actually a FORWARD zone not reverse.

Just making sure.  If you need any help, just let me know.

Dan

Desperado (Senior Member)
Posted: 17 July 2003 at 5:03pm

Abel,

Have you also tried RegEx's in the IP list?

Example:

In the allowed IP list, (66.181.200.[\d]{2,3}) will ALLOW anything above the .9 host and NOT ALLOW everything else.  If you put the same expression in the Blocked IP list, it will BLOCK all above the .9 host and NOT BLOCK everything below.

This is a very "loose" expression ... an invalid IP won't get detected but there should never be an invalid IP so I didn't bother doing anything fancy.

You can do some very interesting stuff with RegEx's but you can also make very interesting mistakes!

Dan S.

 

abel (Guest Group)
Posted: 17 July 2003 at 10:08pm

Dan,

Thanks for the tip. I didn't know that.

 

Thanks,

Abel.

abel (Guest Group)
Posted: 17 July 2003 at 10:11pm

Dan,

Regex isn't my best shot, but every time I see a suggestion from you in the forum I apply it to my SpamFilter, especially the "from email" regex.

Thanks,

Abel.

Michael Magill (Guest Group)
Posted: 18 July 2003 at 11:07am

I very strongly request that you modify this behavior. We have purchased and are using SpamFilter but it makes me very nervous about continuing to use it. We had assumed that when we enter an IP *only* that IP would be filtered. Using regular expressions seems to me a bad workaround. I would recommend replacing the substring method of searching with the option of the user supplying a subnet mask. 255.255.255.255 or /32 for one IP, /24 for a class C, etc. This would also make it easier to block subnets like /20.

> For speed and efficiency, SpamFilter performs substring checks on the
> black/white lists. For this reason, as you discovered, an entry of
>
> 200.218.224.2
>
> will match 200.218.224.2, but also 200.218.224.21, 200.218.224.26,
> 200.218.224.200, 200.218.224.239 etc. There is currently no plan to change
> this behavior.
>
> The lists are taken literally; any content in them is treated as a keyword,
> thus keywords are not allowed.
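
The matching behaviours discussed in this thread, as an added example that is not part of any post and is not SpamFilter's code: a substring check, the regular expression quoted earlier in the thread, and the mask-based check requested in the post above, run over addresses taken from the thread. The function names are hypothetical, and applying the regex with unanchored search semantics is an assumption about the filter.

```python
import ipaddress
import re

# Constructed sample senders, built from addresses quoted in the thread.
SENDERS = ["200.218.224.2", "200.218.224.21", "200.218.224.239",
           "200.218.225.2", "207.68.163.78"]
REGEX_SENDERS = ["66.181.200.9", "66.181.200.10", "66.181.200.255",
                 "166.181.200.10"]


def substring_hits(entry, senders):
    """Substring check as described in the thread: entry found anywhere in the IP."""
    return [ip for ip in senders if entry in ip]


def regex_hits(pattern, senders, anchored=False):
    """Regex check. Unanchored search is an assumption about the filter's behaviour."""
    rx = re.compile(rf"^(?:{pattern})$" if anchored else pattern)
    return [ip for ip in senders if rx.search(ip)]


def cidr_hits(entry, senders):
    """Mask-based check: a bare IP is a /32, 'a.b.c.d/nn' is that whole subnet."""
    net = ipaddress.ip_network(entry, strict=False)
    return [ip for ip in senders if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    print("substring 200.218.224.2 :", substring_hits("200.218.224.2", SENDERS))
    print("cidr      200.218.224.2 :", cidr_hits("200.218.224.2", SENDERS))
    print("cidr 200.218.224.0/24   :", cidr_hits("200.218.224.0/24", SENDERS))
    print("cidr 207.68.160.0/20    :", cidr_hits("207.68.160.0/20", SENDERS))
    loose = r"66.181.200.[\d]{2,3}"      # expression quoted in the thread
    strict = r"66\.181\.200\.\d{2,3}"    # dots escaped (added here)
    print("regex loose             :", regex_hits(loose, REGEX_SENDERS))
    print("regex strict, anchored  :", regex_hits(strict, REGEX_SENDERS, anchored=True))
```
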

LogSat (Admin Group)
Posted: 18 July 2003 at 6:48pm

Let us think about this for a bit. Since the lists can be a mix of text and IPs, performing substring searches was the simplest, fastest way of proceeding. If we are to consider the .0s and make them IP wildcards rather than strings, our code optimizations would no longer be valid and performance will be affected. We'll see if there's anything we can do to do this efficiently.

Roberto Franceschetti
LogSat Software

LogSat (Admin Group)
Posted: 19 July 2003 at 10:10am

I reviewed our internal code and the process implemented. We will treat this indeed as a bug; your request is very valid.

We're in the process of adding a few extra features; this fix will be included in the new build, which should be ready within a few days.

Roberto Franceschetti
LogSat Software

ashley (Guest Group)
Posted: 28 July 2003 at 4:33pm

Dan,

This is interesting, I didn't realize this could be done. I am interested in getting this set up but haven't been able to get it to work. I have DNS running on two servers but set up the Forward lookup zone: dnsbl.local on the primary. (It should replicate over at some point.) Just to test it I tried blocking my hotmail email so I added a host with the IP 207.68.163.0 and host name of test. (Most of my hotmail emails come from several IPs in that block.) Then I added dnsbl.local, true to my spamfilter.ini file. The emails still come through. Could you give some more details on setting that up? By the way, I can ping test.dnsbl.local and it comes back with the expected reply: timed out [207.68.163.0].

Also, when I enter an address such as 207.68.163.0 in the IP blacklist the message still comes through. Should the syntax be different than that?

Desperado (Senior Member)
Posted: 28 July 2003 at 7:51pm

OK ... if the IP you are trying to block is 12.100.85.178, you will create a forward lookup UNDER the main zone that looks like the following:

178.85.100.12           3600 A 127.0.0.2

So if your "Parent" zone is dnsbl.domain.com, the lookup of 178.85.100.12.dnsbl.domain.com will yield 127.0.0.2

The standard dnsbl uses the reverse IP to do the lookup.

Did that help?

 

Dan S.


 

ashley (Guest Group)
Posted: 29 July 2003 at 4:50pm

So 178.85.100.12 is the host name which is created in the forward lookup zone and has the IP value of 127.0.0.2. So when a lookup is done on 178.85.10.12.dnsbl.domain.com it resolves to 127.0.0.2. Is that correct?

However, I am not able to create hosts with decimals such as 178.85.100.12. I am using Windows 2000's DNS server. I would have to create separate domains and that seems excessive, so either I don't understand or I just can't do it with Windows.

Desperado (Senior Member)
Posted: 29 July 2003 at 5:39pm

Ashley,

You are mostly correct on all accounts.  The only way to create a record like that using the MS GUI is to create (under the parent domain) a "Domain", then another "Domain", then another "Domain" and finally a host of the final octet.  The GUI will even complain about that but will do it.

So .... really what I do is, have my application write directly to the zone file the line just as I showed in my previous post.  I increment the serial number (only required if you have a secondary that syncs for this) and I then force the zone to "Reload" the zone file.

Yippie for Microsoft!

Dan S.

 

ashley (Guest Group)
Posted: 31 July 2003 at 4:27pm

Well I think I got the dnsbl setup ...except it doesn't work...

07/31/03 16:00:33:822 -- (1528) Connection from: 207.68.163.78  -  Originating country : United States
07/31/03 16:00:34:431 -- (1528) Resolving 207.68.163.78 - sea1-f78.sea1.hotmail.com
07/31/03 16:00:34:431 -- (1528) - Domain is in local blacklist file...
07/31/03 16:00:34:431 -- (1528) RCPT TO: amillard@workaddress.com accepted
07/31/03 16:00:34:697 -- (1528) EMail from ashleymm72@hotmail.com to amillard@workaddress.com was queued. Size: 1 KB
07/31/03 16:00:34:712 -- (2384) Sending email from ashleymm72@hotmail.com to amillard@workaddress.com
07/31/03 16:00:34:791 -- (1528) Disconnect
07/31/03 16:00:34:916 -- (2384) EMail from ashleymm72@hotmail.com to amillard@workaddress.com  was forwarded to 10.1.1.98

This may be related to the other problem I posted about (http://www.logsat.com/spamfilter/forums/showmessage.asp?messageID=1541). The strange thing is the other MAPS queries are blocked.

Other details:
- Win2k server
- I put  0.163.68.207 A 127.0.0.2 in my DNS server. The nslookup returns 127.0.0.2 so I think that is set up correctly.

Desperado (Senior Member)
Posted: 31 July 2003 at 4:47pm

Ashley,

I asked LogSat to shoot you my address ... that way I can message you directly on the dnsbl setup.

Dan

 

Desperado (Senior Member)
Posted: 31 July 2003 at 5:21pm

Ashley,

Can you post your actual zone file? Or, at least the "A" record in the zone ... the whole file would be better.

Dan

 

ashley (Guest Group)
Posted: 31 July 2003 at 5:33pm

Here is the zone file for dnsbl.local on my DNS server. If you wish to email me directly my address is ashleymm72@hotmail.com.

;
;  Database file dnsbl.local.dns for dnsbl.local zone.
;      Zone version:  22
;

@                       IN  SOA raven.infopro.local.  admin.infopro.local. (
                         22           ; serial number
                         900          ; refresh
                         600          ; retry
                         86400        ; expire
                         3600       ) ; minimum TTL

;
;  Zone NS records
;

@                       NS raven.infopro.local.

;
;  Zone records
;

0.163.68.207            A 127.0.0.2

Desperado (Senior Member)
Posted: 31 July 2003 at 5:59pm

Ashley,
 
The record:
0.163.68.207            A 127.0.0.2
Won't work ... I assume you are trying for the whole class C ... Yes?
 
What you need to do is either add the exact IP as follows:
 
63.163.68.207            A 127.0.0.2
 
Where 63 is the "host" part or do something completely unorthodox ... which is what I do and it works:
 
*.163.68.207            A 127.0.0.2
 
Note that not all versions of Bind accept this but MS DNS does.
 
Please try this and let me know.
 
Regards,
Dan
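
The DNSBL record layout described in the posts above, as an added example that is not part of any post: it builds the reversed-octet owner names, emits zone-file lines in the layout shown in the thread, and checks which records would list a given sender. The function names are hypothetical, and the lookup is simplified to the exact and host-label wildcard records used in the thread.

```python
import ipaddress

ZONE = "dnsbl.local"  # zone name taken from the thread


def reversed_octets(ip):
    """'207.68.163.78' -> ['78', '163', '68', '207'] (validates the address)."""
    return str(ipaddress.IPv4Address(ip)).split(".")[::-1]


def query_name(ip, zone=ZONE):
    """Name a DNSBL client looks up: reversed octets, then the zone (a forward zone)."""
    return ".".join(reversed_octets(ip)) + "." + zone


def record_owner(entry):
    """Owner name for one blocked IP (/32) or one /24 (wildcard form from the thread)."""
    net = ipaddress.ip_network(entry, strict=False)
    labels = reversed_octets(str(net.network_address))
    if net.prefixlen == 32:
        return ".".join(labels)
    if net.prefixlen == 24:
        return "*." + ".".join(labels[1:])
    raise ValueError("only /32 and /24 entries are handled here")


def zone_lines(entries, ttl=3600, answer="127.0.0.2"):
    """Zone-file lines in the layout shown in the thread."""
    return [f"{record_owner(e):<24}{ttl} A {answer}" for e in entries]


def is_listed(ip, owners):
    """Simplified lookup: exact owner name, else the host-label wildcard."""
    labels = reversed_octets(ip)
    return ".".join(labels) in owners or "*." + ".".join(labels[1:]) in owners


if __name__ == "__main__":
    sender = "207.68.163.78"  # sender address from the log in the thread
    print(query_name(sender))
    for entry in ("207.68.163.0", "207.68.163.78", "207.68.163.0/24"):
        owner = record_owner(entry)
        print(f"{entry:<18} -> {owner:<16} listed={is_listed(sender, {owner})}")
    print("\n".join(zone_lines(["12.100.85.178", "207.68.163.0/24"])))
```

A bare `207.68.163.0` entry produces the `0.163.68.207` record from the thread, which answers only for that one name and so does not list `207.68.163.78`.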