Spam Filter ISP Support Forum


Blacklist IP Wildcard Issue

jerbo128 | Senior Member | Posted: 18 January 2008 at 3:59pm

We had some good mail bounce with an "ip is blacklisted locally" message.  I searched the table, and neither the IP nor the Class C was listed.  I finally found that the Class B was wildcard listed such as:

216.229.0.0 was listed in the table intending to stop the 216.229.0.XXX subnet.  But, instead it blocked the whole class B 216.229.XXX.XXX
 
I remember reading that wildcard "0" was to only be used for class C networks.  But did you know that SFE would behave this way if it encountered XXX.XXX.0.0?
 
Running SFE .768
 
Jeremy

Desperado | Senior Member | Posted: 18 January 2008 at 5:24pm
jerbo128 (& Roberto)
 
I have confirmed this on SFI build 768.  I added an IP to my BlackList as xx.xxxx.0.0 and then sent mail:
1  ---------   dan@MylocalDomain.com dan@mayremotedomain.com test 1 1/18/2008 5:19:41 PM IP found in MAPS search 521 5.2 The IP used to deliver this message, (xx.xxx.192.128) is Blacklisted. Contact that IP block's admin. SID=4 Clyde
 
I have only changed the domains and the first 2 octets in my post for security.


Edited by Desperado - 18 January 2008 at 5:29pm
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

LogSat | Admin Group | Posted: 19 January 2008 at 10:11am
You are both correct. This is going to be an issue, as we can't change how the ".0"s are handled or we will be interfering with how users have entered the other lists.

What we can do is to introduce the use of CDIR notation in the blacklist, so you will be able to enter for example:
216.229.0.0/16
to block that subnet. We'll have this ready in the next build that will be released shortly (days, not weeks).
Roberto Franceschetti

LogSat Software

Spam Filter ISP

jerbo128 | Senior Member | Posted: 19 January 2008 at 10:26am
Roberto,
 
Will you remove support for the xxx.xxx.xxx.0,  or will you leave it in place with the warning as to what can happen?
 
Just trying to get a jumpstart on modifying my web management interface.
 
Jeremy
 
 
LogSat | Admin Group | Posted: 19 January 2008 at 10:28am
We won't remove/change any existing functionality as we don't want to "break" any procedures and lists you admins may have in place. We're just adding (actually we've added it already and are testing it...) the CDIR functionality.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

jerbo128 | Senior Member | Posted: 19 January 2008 at 10:43am
What will happen in the case of a 192.168.0.0/24 ?  Do we need to enter it as a 192.168.0.1/24 so that SFE can tell the difference?
 
Will SFE be able to decipher a 192.168.10.80/24  (even though the grammar is bad)?
 
Don't get me wrong, I really like the new idea.  Just curious on functionality....
 
Jeremy

LogSat | Admin Group | Posted: 19 January 2008 at 10:50am
With the CDIR, what matters is the subnet mask, so if you enter 192.168.10.0/24 or 192.168.10.88/24 it will still block the entire 192.168.10.x class C, without having to worry on using a .0, .1, or who knows what in the last octet. 
Roberto Franceschetti

LogSat Software

Spam Filter ISP

Desperado | Senior Member | Posted: 19 January 2008 at 1:52pm
Roberto,
 
This sounds VERY good!  It actually has not yet been an issue for me as I run my own dnsbl but ... The local IP black list comes way before the maps look-up so should be better for the larger ip blocks.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

cytechusa | Newbie | Posted: 20 January 2008 at 10:29pm
can we do 201.0.0.0/8??
Diamond
Cytech Computers & internet Sol,

LogSat | Admin Group | Posted: 21 January 2008 at 2:35pm
Yes, the new beta of SpamFilter that will be released within the next day or so will allow the CDIR notation, and will thus allow you to specify the /8.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

cytechusa | Newbie | Posted: 21 January 2008 at 9:53pm
What's the best way to block IP, say 201.0.0.0? Would you put something like 201.1.1.0 or 201.255.255.0?
Diamond
Cytech Computers & internet Sol,

jerbo128 | Senior Member | Posted: 21 January 2008 at 9:56pm

201.0.0.0/8 to block the whole class A.

201.0.0.0/24 to block just the class C
 
That's a lot of ips if you are doing the entire Class A...
 
Jeremy

Edited by jerbo128 - 21 January 2008 at 9:58pm

cytechusa | Newbie | Posted: 22 January 2008 at 3:03am
(Sorry if kinda long)
If you see the amount of junk that comes from the 200. range, I guess I'm looking to drop the connections and not even process them, like to block most all Amsterdam, China, etc.
Is the CDIR working in ver 3.5.4.718?
I'm wanting to make sure where I invest in a product, and how it is going to hold up for a number of years. I hate making changes (customers hate it worse).
It seems to be what I was looking for. I gotta give Roberto "Kudos" on how quickly he responds to emails I have sent to him. Was kinda worried at first: "No phone support", no contract support. When he told me he doesn't have much need for "Paid" support, I almost fell over!!! Not that I'm looking to give money away. (More of an attaboy.) Roberto
Anyways, I'm going to be getting the Full 4.0 version so he can feed the family, gonna pop for the Anti-virus plug-in. Currently running Avast! Server, any foreseen issues there?
thanks
Diamond
Diamond
Cytech Computers & internet Sol,

LogSat | Admin Group | Posted: 22 January 2008 at 8:09am
The CDIR notation is a new feature that was introduced to solve a problem reported by Jerbo128 just 4 days ago :-)
Yesterday we released a new pre-release version of SpamFilter v4 that supports it (pre-release versions and betas are usually only available to licensed users). We are able to have such quick turnarounds (bug fixes are often released in less than 24/36 hours) as we are a smaller company and are not limited by inner political and marketing reasons in our business...
For the "holding up a number of years", SpamFilter was first released in Aug 2002, and we hope we'll be around for several more years!

For Avast!, there's no known issues with it nor other solutions. Please note the following however.
By default SpamFilter processes emails in RAM for efficiency. You can use
the following option in the SpamFilter.ini file to change this behavior:

;Set this to 0 to prevent queued emails to be spooled to memory, and force
;spooling to disk. While less efficient, spooling to disk helps allow
;existing antivirus software to detect and block some infected email files
SpoolQueueFilesToMemory=1

If the temp files are spooled to disk, this allows your antivirus a chance
to catch viruses the files may contain. If this happens, and your AV
deletes the file, SpamFilter is "smart" enough to understand what
happened, and will simply ignore the file and the relative email. However
your AV must be able to keep up with the mail flow, and not all of them
can.
The antivirus plugin for the partner we use, Norman, is fully integrated
in SpamFilter, and will inspect all attachments in emails. We go even as
far as "hacking" the passwords in zip files if they are not longer than 6
digits, so we can catch many of the viruses in password protected zip
files.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

StevenJohns | Senior Member | Posted: 30 January 2008 at 10:55am
>>   SpamFilter was first released in Aug 2002, and we hope we'll be around for several more years!
 
 
You'd better....where would we be without SF ?????
 
I don't normally lick ass, but SF is the best spam filter available....regardless of cost.
 
Alan | Groupie | Posted: 05 May 2008 at 3:07pm
Is there a guide on how to use the CDIR feature? 
Do we just include the IP block in the IP Filter list (e.g. xxx.yyy.zzz.0/16)?
I don't see mention of it in the official documentation.

This feature is effective as of 4.0.0.772, correct?

And finally, as a registered SF user (since the 1.x days), it has been a real pleasure dealing with Roberto and using a product that the USERS can influence the direction of.

Alan | Groupie | Posted: 05 May 2008 at 3:10pm
Now if we can only get a feature to add COMMENTS.
I would suggest adding them following a "#"  and having SF ignore remaining text in the line after the #.

I would love to be able to better annotate why filters are added, when I added them, etc.

LogSat | Admin Group | Posted: 05 May 2008 at 6:59pm
Hi Alan,

The CDIR notation was added in v4.0.0.770, but, to be truthful, I do not know when we added the documentation to the manual. Here's the relevant section:

Blacklisted IPs - You can keep a file with additional IPs that you want to blacklist by entering the filename below. If the file does not exist it will be created. The file is reloaded every minute. List individual IP addresses on each line. Use an ending .0 for a Class C wildcard (i.e. 192.12.45.0 to block 192.12.45.1 --> 192.12.45.255). This IP blacklist also supports the use of CDIR notation to specify networks. For example, 192.12.45.0/24 will block the previous Class C of addresses as well. The contents of the file will be loaded in the memo box, allowing you to make changes to the file.

Unfortunately most likely we're still not going to be able to provide support for comments in all the blacklist/whitelist files. The reason is the same for which we do not check for correctness (the most common problems are leading/trailing spaces in the entries). Some customers have dozens of millions of entries in these lists, and checking each line for correctness (and parsing out the comments) would severely hamper performance in these cases. We process these white/black lists in bulk when reading/writing them, without looking at individual entries but rather by managing the raw memory locations that hold the strings as a whole, without applying any parsing for speed.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
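
An added example, not part of the original thread and not LogSat's code: a pre-load check for the blacklist file, since the thread notes that SpamFilter does not validate entries. It models the ".0" behaviour reported above (x.y.z.0 as a /24, x.y.0.0 as a /16 on build 768) and the mask-only matching of the CIDR notation (spelled "CDIR" in the thread); the function names `lint_entry` and `match` are hypothetical and the sample lines are constructed.

```python
import ipaddress

def lint_entry(raw):
    """Return (effective IPv4Network or None, warnings) for one blacklist line."""
    entry, warnings = raw.strip(), []
    if entry != raw:
        warnings.append("leading/trailing whitespace")  # not stripped by the filter
    try:
        if "/" in entry:
            # Only the mask matters: 192.168.10.88/24 covers 192.168.10.0/24.
            net = ipaddress.IPv4Network(entry, strict=False)
            if str(net) != entry:
                warnings.append(f"not canonical, effective network is {net}")
            return net, warnings
        ipaddress.IPv4Address(entry)  # validate the dotted quad
    except ValueError:
        return None, warnings + ["not an IPv4 address or CIDR block"]
    octets = entry.split(".")
    zeros = 0
    while zeros < 4 and octets[3 - zeros] == "0":
        zeros += 1
    if zeros >= 3:
        # Assumption: the thread never confirms what x.0.0.0 does, so refuse it.
        return None, warnings + ["wildcard wider than /16 is unconfirmed, use CIDR"]
    if zeros == 2:
        warnings.append("x.y.0.0 blocks the whole /16, write /24 or /16 explicitly")
    return ipaddress.IPv4Network(f"{entry}/{32 - 8 * zeros}"), warnings

def match(ip, lines):
    """Return the first line whose effective network contains ip, else None."""
    addr = ipaddress.IPv4Address(ip)
    for raw in lines:
        net, _ = lint_entry(raw)
        if net is not None and addr in net:
            return raw
    return None

# Constructed sample list, not taken from any real blacklist file.
SAMPLE = ["216.229.0.0", "192.168.10.88/24", "192.12.45.0", " 10.1.2.3", "201.0.0.0"]

if __name__ == "__main__":
    for line in SAMPLE:
        net, warnings = lint_entry(line)
        print(f"{line!r:22} -> {net}  {warnings}")
    print(match("216.229.7.9", SAMPLE))  # constructed address inside 216.229.0.0/16
```

Running it over a list before it is loaded surfaces entries that are wider than intended, such as the 216.229.0.0 line that started this thread.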