GeoIP e-mail greylisting examples

By Dale Reagan | October 8, 2010

Are you getting enough SPAM? 🙂

Based on recent reports (~10/2010), the top purveyors of e-mail SPAM (SPAM = junk, malicious, annoying, just plain bad, unwanted e-mail messages) continue worldwide operations. The amount of SPAM network traffic is simply excessive (estimates from various sources typically indicate that 80+% of all e-mail is SPAM).

Sometimes SPAM is from 'real people' and/or companies. Mostly it is from seemingly anonymous sources sending the message with the intent to:

So – are these SPAMMERS really anonymous?

Yes AND no... While they can hide/mask their true identities, all e-mail messages contain some level of information indicating where the message is being sent from. While it is certainly true that this electronic identity can also be masked (and most likely the host sending/relaying the message is a compromised/hacked PC or server), you should be able to extract adequate information to reduce the chance that the message will wind up in your e-mail inbox.

Reducing SPAM: Common Unix/Linux Tools

Most system engineers will build Linux/Unix systems with a best-practice approach which yields a server operating with a configuration that is as secure as possible (based on a variety of factors). For e-mail, some common secondary tools include filters of some type. These filters examine incoming messages and automatically reject or classify messages as:

  1. known SPAM sender/domain/IP address,
  2. malicious content, suspicious sender/domain/IP address, SPAM message content, or
  3. Ok message (no known/recognized concerns.)

Popular Server-level E-mail Filtering Tools

Milter-Greylist – more information and examples using GeoIP

The basics:

You control/manage milter-greylist by changing its configuration file, i.e. /some-path/greylist.conf. I will only list examples for using GeoIP parameters in this post. Before creating any GeoIP blocks (essentially, greylisting and/or blocking incoming e-mail from specified countries; I did not see any reference to other GeoIP-based parameters in the documentation, i.e. blocking by geo-region, city, zip code, etc.) you need to decide which countries are problematic. The sample numbers below were extracted from recent mail logs; messages were selected based on blacklist references as well as any SPAM that was delivered or captured by server-level filtering via SpamAssassin. The statistics (# of SPAM messages | country code):

  1. 228 | RU
  2. 205 | VN
  3. 183 | ID
  4. 144 | IN
  5. 97 | BR
  6. 87 | UA
  7. 71 | PK
  8. 65 | KR
  9. 59 | US
  10. 46 | CN

In this instance the USA and Canada make the list of SPAM senders (not surprising); in this case unknown senders from US/CN will be greylisted. Without an existing need (i.e. a business reason) for allowing e-mail to/from the other listed countries, messages from them will be blocked (instead of greylisted). The sample greylist.conf entries below can be used either to greylist (delay messages) or to blacklist (block messages) where the country code matches an entry in the list. To use GeoIP greylisting/blocking, after your basic greylist.conf setup you would create either a list entry or a country-specific entry/action pair. NOTE: the mapping of IP addresses to countries is subject to change; plan on updating your GeoIP data set or you may miss/delay messages...

Sample greylist entry for a single country:

geoipdb "/path_to/GeoIP.dat"    # data file required for GeoIP lookup
racl greylist geoip "RU"        # use the default delay for this country, OR
racl blacklist geoip "RU"       # deny messages from this country

Sample block/greylist using a list of countries:

geoipdb "/path_to/GeoIP.dat"

# country_block: A1 = anonymous proxies, RU = Russian Federation, VN = Vietnam,
# ID = Indonesia, IN = India, BR = Brazil, UA = Ukraine, PK = Pakistan,
# KR = Republic of Korea, CN = China
list "country_block" geoip { \
    "A1" "RU" "VN" "ID" "IN" \
    "BR" "UA" "PK" "KR" "CN" \
}

## the rule below will block/deny messages from the countries above
racl blacklist list "country_block" msg "Service not available for Country: '%C'..."
## OR the rule below will delay messages from the countries above for 40 minutes
## (racl entries are matched in order and the first match wins: use one of the two)
racl greylist list "country_block" delay 40m
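A small pre-deployment check for the two pitfalls just mentioned, written for this post rather than taken from milter-greylist: it parses only the greylist.conf subset shown above (geoipdb, list ... geoip { ... }, racl lines), flags a missing or stale GeoIP.dat, an racl that references an undefined list, and a second racl on the same target that can never fire because the earlier one matches first. The file path, list names and the sample configuration are constructed for the example.

```python
import os
import re
import time

# Added example, not milter-greylist code: it knows only the greylist.conf subset used here.
GEOIPDB_RE = re.compile(r'^\s*geoipdb\s+"([^"]+)"')
LIST_RE = re.compile(r'^\s*list\s+"([^"]+)"\s+geoip\s*\{([^}]*)\}')
RACL_RE = re.compile(r'^\s*racl\s+(greylist|blacklist|whitelist)\s+(?:list\s+"([^"]+)"|geoip\s+"([^"]+)")')

def logical_lines(conf_text):
    """Yield (first_line_no, text): '#' comments dropped, backslash-continued lines joined."""
    buf, start = [], 0
    for n, raw in enumerate(conf_text.splitlines(), 1):
        body = raw.split("#", 1)[0].rstrip()      # assumes no '#' inside quoted strings
        start, buf = start or n, buf + [body.rstrip("\\")]
        if not body.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], 0

def check_geoip_conf(conf_text, db_mtime=None, now=None, max_age_days=60):
    """Return warnings about the GeoIP rules in a greylist.conf text."""
    warnings, lists, first_rule = [], {}, {}
    for n, ln in logical_lines(conf_text):
        if m := GEOIPDB_RE.match(ln):      # IP-to-country data drifts: flag a missing or stale file
            mtime = db_mtime or (os.path.getmtime(m.group(1)) if os.path.exists(m.group(1)) else 0)
            if (now or time.time()) - mtime > max_age_days * 86400:
                warnings.append(f"line {n}: GeoIP data missing or older than {max_age_days} days")
        elif m := LIST_RE.match(ln):
            lists[m.group(1)] = m.group(2).replace('"', " ").split()   # ISO alpha-2 or A1/A2
        elif m := RACL_RE.match(ln):
            action, lname, code = m.groups()
            target = f'list "{lname}"' if lname else f'geoip "{code}"'
            if lname and lname not in lists:
                warnings.append(f"line {n}: racl {action} refers to undefined {target}")
            # racl entries are checked in order and the first match wins, so a later rule
            # on the same target (e.g. greylist after blacklist) can never fire.
            if target in first_rule:
                warnings.append(f"line {n}: racl {action} {target} never matches; "
                                f"racl {first_rule[target]} on it comes first")
            first_rule.setdefault(target, action)
    return warnings

# Constructed sample in the form used on this page, with both racl rules on one list.
SAMPLE_CONF = '''geoipdb "/path_to/GeoIP.dat"
list "country_block" geoip { \\
    "A1" "RU" "VN" "ID" "IN" "BR" "UA" "PK" "KR" "CN" }
racl blacklist list "country_block" msg "Service not available for Country: '%C'..."
racl greylist list "country_block" delay 40m
racl greylist list "partners" delay 10m
'''
```

Run it against your real greylist.conf with `check_geoip_conf(open(path).read())`; an empty list means none of the three problems was found.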

Of course, testing and log review should be part of using this solution. You can customize the milter-greylist rejection message and include the matched country code using '%C' (from the documentation). After making configuration changes you should restart your mail-service related programs (which ones will vary by implementation). Some useful milter-greylist command line options:

More information is available on the Milter-Greylist wiki.

Summary of processing phases for incoming e-mail:

As always, you can contact me if you need a consultant to assist you in implementing this (or other Unix/Linux) types of solutions.  Of course, your mileage will vary.  🙂

Topics: Computer Technology, System and Network Security, Unix-Linux-Os
