LogSat Software

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Is is possible to use wildcards in the HoneypotBlockedIPs text file??  I have written a script that scans the previous days log file at 1 AM, looking for any addresses that doen't exist on our network.  It then tallys those in it's own flat file database.  If a non-existant address has three attempts in three days then that email address is added to the honeypot list.  Due to this my HoneypotBlockedIPs has grown very large.  I'm not experiencing any performance issues, and I reguarlary pick out IP's to make sure spammer IP's are the only ones in the list....however I can see trends where many ranges could be blocked which would help keep the list much shorter.
The other option I thought about would be to take those ranges out of the HoneypotBlockedIPs list and add them to the Blacklisted IP's list.  According to the documentation, you can add a class C range by ending the IP in .0, for example 192.12.45.0 would block that whole class C range.  In this case, my question would be....can you block a class B or class A range the same....for example, blocking the class B range I'd type 192.12.0.0??
Thanks in advance for your help!!

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
raregtp Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 11 October 2006 Status: Offline Points: 8	Post Options Post Reply Quote raregtp Report Post Thanks(0) Quote Reply Topic: Wildcards in HoneypotBlockedIPs??? Posted: 11 October 2006 at 10:41am
	Is is possible to use wildcards in the HoneypotBlockedIPs text file?? I have written a script that scans the previous days log file at 1 AM, looking for any addresses that doen't exist on our network. It then tallys those in it's own flat file database. If a non-existant address has three attempts in three days then that email address is added to the honeypot list. Due to this my HoneypotBlockedIPs has grown very large. I'm not experiencing any performance issues, and I reguarlary pick out IP's to make sure spammer IP's are the only ones in the list....however I can see trends where many ranges could be blocked which would help keep the list much shorter. The other option I thought about would be to take those ranges out of the HoneypotBlockedIPs list and add them to the Blacklisted IP's list. According to the documentation, you can add a class C range by ending the IP in .0, for example 192.12.45.0 would block that whole class C range. In this case, my question would be....can you block a class B or class A range the same....for example, blocking the class B range I'd type 192.12.0.0?? Thanks in advance for your help!!

LogSat Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4105	Post Options Post Reply Quote LogSat Report Post Thanks(0) Quote Reply Posted: 11 October 2006 at 10:53pm
	Well... the HoneypotBlockedIPs file is supposed to be automatically maintained, so this is not documented... but yes, wilcards are supported. The entries are treated as text-file entries, so the wilcards are DOS-style. For ex: 192.12.* will block the whole class B. The Blacklisted IPs list can do the same thing, but the syntax is different... (yes, we know it's confusing, but different features were added during the years, and we did not want to break/alter past funxtionality). In this case, you should use the ".0" syntax, and you can block up to a class A: 192.0.0.0
	Roberto Franceschetti LogSat Software Spam Filter ISP

raregtp Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 11 October 2006 Status: Offline Points: 8	Post Options Post Reply Quote raregtp Report Post Thanks(0) Quote Reply Posted: 12 October 2006 at 9:49am
	Great....exactly what I was looking for. Thanks!

LogSat Software

Site Navigation[Skip]

Spam Filter ISP Support Forum

Wildcards in HoneypotBlockedIPs???