| More problems blocking by IP address
 
 Printed From: LogSat Software
 Category:  Spam Filter ISP
 Forum Name:  Spam Filter ISP Support
 Forum Description:  General support for Spam Filter ISP
 URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=1378
 Printed Date: 25 October 2025 at 12:42pm
 
 
 Topic: More problems blocking by IP address
 Posted By: Guests
 Subject: More problems blocking by IP address
 Date Posted: 14 July 2003 at 7:35pm
 
 
        
          | Hi Roberto, I have included the IP 200.218.224.2 in my black list by IP address, but SpamFilter is also blocking emails from 200.218.224.239. How can I avoid this? Is it possible to include comments in the black/white lists? Thanks, Abel |  
 
 Replies:
 Posted By: LogSat
 Date Posted: 14 July 2003 at 9:29pm
 
 
        
          | Abel, For speed and efficiency, SpamFilter performs substring checks on the black/white lists. For this reason, as you discovered, an entry of 200.218.224.2 will match 200.218.224.2, but also 200.218.224.21, 200.218.224.26, 200.218.224.200, 200.218.224.239 etc. There is currently no plan to change this behavior. The lists are taken literally, any content in them is treated as a keyword, thus keywords are not allowed. Roberto Franceschetti, LogSat Software
 |  
 Posted By: Guests
 Date Posted: 15 July 2003 at 9:26pm
 
 
        
          | Roberto, I'm a little worried about this way of processing the black list for IP addresses. We can lose important messages because of that and I will be crucified here because of that. Another thing is that I can't block, for example, only the class C of 64.0.0.0. Correct me if I'm wrong, but SpamFilter will block all the class B of it. And that's not good either. Thanks for your info, Abel. |  
 Posted By: Desperado
 Date Posted: 16 July 2003 at 12:59am
 
 
        
          | Abel, Do you run a DNS server?  If not, can you?  What I do is run my own dnsbl DNS server (just like a "public" Black Hole list).  I have "dnsbl.mags.net" in the SpamFilter.ini file as an entry under the [blacklists] section.  Using this I can block any IP I want or any group of IPs.  Some of my blocks are, in fact, class C's and those really could be in the SpamFilter "Blocked IP's" list but I prefer to use my "private" black hole list and have some automated scripts to add or remove the IPs that I want to block.   This method may solve your problem and prevent any crucifixions from occurring. The DNS server doesn't have to be a "registered" server, as long as the mail server knows how to get to it.  Does this make sense to you or have I only confused you?  I actually started running this way long before I started running SpamFilter because my antivirus Mail Server had a similar issue ... mainly it was very hard to get the exact range of IPs in that server. If you require more information, have Roberto send you my email address and we can discuss it off the forum. Regards, Dan S |  
 Posted By: Guests
 Date Posted: 16 July 2003 at 9:48pm
 
 
        
          | Hi Dan, It's really a great idea to have a blacklist in a local DNS. I will implement this. Thanks very much, Abel. |  
 Posted By: Desperado
 Date Posted: 16 July 2003 at 10:58pm
 
 
        
          | Abel, Do you know the format for a standard dnsbl DNS server?  It is easy but sometimes people don't realize it is actually a FORWARD zone not reverse. Just making sure.  If you need any help, just let me know. Dan |  
 Posted By: Desperado
 Date Posted: 17 July 2003 at 5:03pm
 
 
        
          | Abel, Have you also tried RegEx's in the IP list? Example: In the allowed IP list, (66.181.200.[\d]{2,3}) will ALLOW anything above the .9 host and NOT ALLOW everything else.  If you put the same expression in the Blocked IP list, it will BLOCK all above the .9 host and NOT BLOCK everything below. This is a very "loose" expression ... an invalid IP won't get detected but there should never be an invalid IP so I didn't bother doing anything fancy. You can do some very interesting stuff with RegEx's but you can also make very interesting mistakes! Dan S.   |  
 Posted By: Guests
 Date Posted: 17 July 2003 at 10:08pm
 
 
        
          | Dan, Thanks for the tip. I didn't know that. Thanks, Abel. |  
 Posted By: Guests
 Date Posted: 17 July 2003 at 10:11pm
 
 
        
          | Dan, Regex isn't my best shot, but every time I see a suggestion from you in the forum I apply it to my SpamFilter, especially the "from email" regex. Thanks, Abel. |  
 Posted By: Guests
 Date Posted: 18 July 2003 at 11:07am
 
 
        
          | I very strongly request that you modify this behavior.  We have purchased and are using SpamFilter but it makes me very nervous about continuing to use it.  We had assumed that when we enter an IP *only* that IP would be filtered.  Using regular expressions seems to me a bad workaround.  I would recommend replacing the substring method of searching with the option of the user supplying a subnet mask.  255.255.255.255 or /32 for one IP,  /24 for a class C, etc.  This would also make it easier to block subnets like /20.
>For speed and efficiency, SpamFilter performs substring checks on the black/white lists. For this reason, as you discovered, an entry of
>
>200.218.224.2
>
>will match 200.218.224.2, but also 200.218.224.21, 200.218.224.26, 200.218.224.200, 200.218.224.239 etc. There is currently no plan to change this behavior.
>
>The lists are taken literally, any content in them is treated as a keyword, thus keywords are not allowed. |  
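Added example (not part of the thread and not LogSat's code): the substring matching described in the replies above, side by side with the per-entry subnet matching requested in this post. The list syntax accepted by `parse_entry`, the function names and the sample lists are assumptions made for illustration.

```python
import ipaddress

def substring_match(entries, ip):
    """Matching as described in the thread: an entry hits if it is a substring of the IP text."""
    return [e for e in entries if e in ip]

def parse_entry(entry):
    """Assumed list syntax: '1.2.3.4' (one host), '1.2.3.0/24', or '1.2.3.0 255.255.255.0'."""
    parts = entry.split()
    if len(parts) == 2:                      # address followed by a dotted mask
        entry = f"{parts[0]}/{parts[1]}"
    # strict=True rejects entries with host bits set, e.g. 200.218.224.2/24
    return ipaddress.ip_network(entry.strip(), strict=True)

def network_match(entries, ip):
    """An entry hits only if the address lies inside the network the entry names."""
    addr = ipaddress.ip_address(ip)
    return [e for e in entries if addr in parse_entry(e)]

# Constructed sample data; the first entry and the first two senders come from the thread.
OLD_LIST = ["200.218.224.2", "64.0.0."]
NEW_LIST = ["200.218.224.2", "64.0.0.0/24", "10.1.16.0 255.255.240.0"]
SENDERS = ["200.218.224.2", "200.218.224.239", "64.0.0.17", "164.0.0.17",
           "10.1.31.9", "10.1.32.9"]

def compare():
    """Return {sender: (substring hits, network hits)} for the sample data."""
    return {ip: (substring_match(OLD_LIST, ip), network_match(NEW_LIST, ip))
            for ip in SENDERS}

if __name__ == "__main__":
    for ip, (old, new) in compare().items():
        print(f"{ip:<16} substring={old!s:<28} network={new}")
```

With substring matching, 200.218.224.239 and 164.0.0.17 are both hit by entries meant for other addresses; with network matching neither is, and the /20 entry covers 10.1.31.9 but not 10.1.32.9.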
 Posted By: LogSat
 Date Posted: 18 July 2003 at 6:48pm
 
 
        
          | Let us think about this for a bit. Since the lists can be a mix of text and IPs, performing substring searches was the simplest, fastest way of proceeding. If we are to consider the .0s and make them IP wildcards rather than strings our code optimizations would no longer be valid and performance will be affected. We'll see if there's anything we can do to do this efficiently. Roberto Franceschetti, LogSat Software
 |  
 Posted By: LogSat
 Date Posted: 19 July 2003 at 10:10am
 
 
        
          | I reviewed our internal code and the process implemented. We will treat this indeed as a bug, your request is very valid. We're in the process of adding a few extra features, this fix will be included in the new build which should be ready within a few days. Roberto Franceschetti, LogSat Software
 |  
 Posted By: Guests
 Date Posted: 28 July 2003 at 4:33pm
 
 
        
          | Dan, This is interesting, I didn't realize this could be done. I am interested in getting this set up but haven't been able to get it to work. I have DNS running on two servers but set up the Forward lookup zone: dnsbl.local on the primary. (It should replicate over at some point.) Just to test it I tried blocking my hotmail email so I added a host with the IP 207.68.163.0 and host name of test. (Most of my hotmail emails come from several IPs in that block.) Then I added dnsbl.local, true to my spamfilter.ini file. The emails still come through. Could you give some more details on setting that up? By the way, I can ping test.dnsbl.local and it comes back with the expected reply: timed out [207.68.163.0].  Also, when I enter an address such as 207.68.163.0 in the IP blacklist the message still comes through. Should the syntax be different than that? |  
 Posted By: Desperado
 Date Posted: 28 July 2003 at 7:51pm
 
 
        
          | OK ... if the IP you are trying to block is 12.100.85.178, you will create a forward lookup UNDER the main zone that looks like the following:
 178.85.100.12           3600 A 127.0.0.2
 So if your "parent zone" is dnsbl.domain.com, the lookup of 178.85.100.12.dnsbl.domain.com will yield 127.0.0.2.  The standard dnsbl uses the reverse IP to do the lookup. Did that help?   Dan S.
 |  
 Posted By: Guests
 Date Posted: 29 July 2003 at 4:50pm
 
 
        
          | So 178.85.100.12 is the host name which is created in the forward lookup zone and has the IP value of 127.0.0.2. So when a lookup is done on 178.85.10.12.dnsbl.domain.com it resolves to 127.0.0.2. Is that correct? However I am not able to create hosts with decimals such as 178.85.100.12. I am using Windows 2000's DNS server. I would have to create separate domains and that seems excessive, so either I don't understand or I just can't do it with Windows. |  
 Posted By: Desperado
 Date Posted: 29 July 2003 at 5:39pm
 
 
        
          | Ashley, You are mostly correct on all accounts.  The only way to create a record like that using the MS GUI is to create (under the parent domain) a "Domain", then another "Domain", then another "Domain" and finally a host of the final octet.  The GUI will even complain about that but will do it. So .... really what I do is have my application write directly to the zone file the line just as I showed in my previous post.  I increment the serial number (only required if you have a secondary that syncs for this) and I then force the zone to "Reload" the zone file. Yippie for Microsoft! Dan S.   |  
 Posted By: Guests
 Date Posted: 31 July 2003 at 4:27pm
 
 
        
          | Well I think I got the dnsbl setup ... except it doesn't work...
 07/31/03 16:00:33:822 -- (1528) Connection from: 207.68.163.78  -  Originating country : United States
 07/31/03 16:00:34:431 -- (1528) Resolving 207.68.163.78 - sea1-f78.sea1.hotmail.com
 07/31/03 16:00:34:431 -- (1528) - Domain is in local blacklist file...
 07/31/03 16:00:34:431 -- (1528) RCPT TO: amillard@workaddress.com accepted
 07/31/03 16:00:34:697 -- (1528) EMail from ashleymm72@hotmail.com to amillard@workaddress.com was queued. Size: 1 KB
 07/31/03 16:00:34:712 -- (2384) Sending email from ashleymm72@hotmail.com to amillard@workaddress.com
 07/31/03 16:00:34:791 -- (1528) Disconnect
 07/31/03 16:00:34:916 -- (2384) EMail from ashleymm72@hotmail.com to amillard@workaddress.com was forwarded to 10.1.1.98
 This may be related to the other problem I posted about ( http://www.logsat.com/spamfilter/forums/showmessage.asp?messageID=1541 ). The strange thing is the other MAPS queries are blocked. Other details:
 - Win2k server
 - I put  0.163.68.207 A 127.0.0.2 in my DNS server. The nslookup returns 127.0.0.2 so I think that is set up correctly.
 |  
 Posted By: Desperado
 Date Posted: 31 July 2003 at 4:47pm
 
 
        
          | Ashley, I asked LogSat to shoot you my address ... that way I can message you directly on the dnsbl setup. Dan   |  
 Posted By: Desperado
 Date Posted: 31 July 2003 at 5:21pm
 
 
        
          | Ashley, Can you post your actual zone file? Or, at least the "A" record in the zone ... the whole file would be better. Dan   |  
 Posted By: Guests
 Date Posted: 31 July 2003 at 5:33pm
 
 
        
          | Here is the zone file for dnsbl.local on my DNS server. If you wish to email me directly my address is ashleymm72@hotmail.com.
 ;
 ;  Database file dnsbl.local.dns for dnsbl.local zone.
 ;      Zone version:  22
 ;
 @                       IN  SOA raven.infopro.local.  admin.infopro.local. (
                         22           ; serial number
                         900          ; refresh
                         600          ; retry
                         86400        ; expire
                         3600       ) ; minimum TTL
 ;
 ;  Zone NS records
 ;
 @                       NS raven.infopro.local.
 ;
 ;  Zone records
 ;
 0.163.68.207            A 127.0.0.2 |  
 Posted By: Desperado
 Date Posted: 31 July 2003 at 5:59pm
 
 
        
          | Ashley,
 The record:
 0.163.68.207            A 127.0.0.2
 won't work ... I assume you are trying for the whole class C ... yes?
 What you need to do is either add the exact IP as follows:
 63.163.68.207            A 127.0.0.2
 where 63 is the "host" part, or do something completely unorthodox ... which is what I do and it works:
 *.163.68.207            A 127.0.0.2
 Note that not all versions of Bind accept this but MS DNS does.
 Please try this and let me know.
 Regards, Dan |  
 
 |
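Added example (not part of the thread): the reversed-octet naming and zone records described in the replies above, with a simplified model of how an exact record and a wildcard record answer a lookup. The function names and the in-memory `records` dict are assumptions; nothing here queries a real DNS server.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Name a dnsbl client looks up: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def zone_line(target, ttl=3600, answer="127.0.0.2"):
    """Zone-file line for one address, or the wildcard form from the thread for a /24."""
    net = ipaddress.ip_network(target)
    octets = str(net.network_address).split(".")
    if net.prefixlen == 32:
        owner = ".".join(reversed(octets))
    elif net.prefixlen == 24:
        owner = "*." + ".".join(reversed(octets[:3]))
    else:
        raise ValueError("only /32 and /24 map onto a single record here")
    return f"{owner:<24}{ttl} A {answer}"

def lookup(records, qname, zone):
    """Simplified resolver model: exact owner name first, then the closest wildcard."""
    rel = qname[: -len(zone) - 1]            # owner name relative to the zone
    if rel in records:
        return records[rel]
    labels = rel.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in records:
            return records[wildcard]
    return None                               # NXDOMAIN: the sender is not listed

# Constructed zone contents, taken from the records quoted in the thread.
ZONE = "dnsbl.local"
NETWORK_ADDRESS_ONLY = {"0.163.68.207": "127.0.0.2"}
WILDCARD = {"*.163.68.207": "127.0.0.2"}

if __name__ == "__main__":
    q = dnsbl_query_name("207.68.163.78", ZONE)   # sender IP from the posted log
    print(q, "->", lookup(NETWORK_ADDRESS_ONLY, q, ZONE))
    print(q, "->", lookup(WILDCARD, q, ZONE))
    print(zone_line("12.100.85.178"))
    print(zone_line("207.68.163.0/24"))
```

The record for 0.163.68.207 answers only a lookup for 207.68.163.0 itself, so the sender 207.68.163.78 from the posted log is not listed until an exact or wildcard record covers it.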