More problems blocking by IP address
Abel
Guest Group
Posted: 14 July 2003 at 7:35pm
Hi Roberto, I have included the IP 200.218.224.2 in my black list by IP address, but SpamFilter is also blocking emails from 200.218.224.239. How can I avoid this? Is it possible to include comments in the black/white lists? Thanks, Abel

LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
Abel, For speed and efficiency, SpamFilter performs substring checks on the black/white lists. For this reason, as you discovered, an entry of 200.218.224.2 will match 200.218.224.2, but also 200.218.224.21, 200.218.224.26, 200.218.224.200, 200.218.224.239 etc. There is currently no plan to change this behavior. The lists are taken literally, any content in them is treated as a keyword, thus keywords are not allowed. Roberto Franceschetti

abel
Guest Group
Roberto, I'm a little worried about this way of processing the black list in the IP addresses. We can lose important messages because of that and I will be crucified here because of that. Another thing is that I can't block, for example, only the class C of 64.0.0.0. Correct me if I'm wrong, but SpamFilter will block all the class B of it. And it's not good too. Thanks for your info, Abel.

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Abel, Do you run a DNS server? If not, can you? What I do is run my own dnsbl DNS server (just like a "public" Black Hole list). I have "dnsbl.mags.net" in the SpamFilter.ini file as an entry under the [blacklists] section. Using this I can block any IP I want or any group of IPs. Some of my blocks are, in fact, class C's and those really could be in the SpamFilter "Blocked IP's" list but I prefer to use my "private" black hole list and have some automated scripts to add or remove the IPs that I want to block. This method may solve your problem and prevent any crucifixions from occurring. The DNS server doesn't have to be a "registered" server, as long as the mail server knows how to get to it. Does this make sense to you or have I only confused you? I actually started running this way long before I started running SpamFilter because my antivirus Mail Server had a similar issue ... mainly it was very hard to get the exact range of IPs in that server. If you require more information, have Roberto send you my email address and we can discuss it off the forum. Regards, Dan S

abel
Guest Group
Hi Dan, It's really a great idea to have a blacklist in a local DNS. I will implement this. Thanks very much, Abel.

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Abel, Do you know the format for a standard dnsbl DNS server? It is easy but sometimes people don't realize it is actually a FORWARD zone not reverse. Just making sure. If you need any help, just let me know. Dan

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Abel, Have you also tried RegEx's in the IP list? Example: In the allowed IP list, (66.181.200.[\d]{2,3}) will ALLOW anything above the .9 host and NOT ALLOW everything else. If you put the same expression in the Blocked IP list, it will BLOCK all above the .9 host and NOT BLOCK everything below. This is a very "loose" expression ... an invalid IP won't get detected but there should never be an invalid IP so I didn't bother doing anything fancy. You can do some very interesting stuff with RegEx's but you can also make very interesting mistakes! Dan S.
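Added example, not part of the original post: it runs the expression exactly as posted against a stricter form to show which inputs the "loose" version also accepts. The stricter pattern, the sample strings and the unanchored-search behaviour (Python's `re.search`) are assumptions; the thread does not say how SpamFilter itself applies expressions.

```python
import re

# Expression exactly as posted in the thread.
POSTED = r"(66.181.200.[\d]{2,3})"
# Assumption: a stricter form with escaped dots, anchors, and a host octet of 10-255.
STRICT = r"^66\.181\.200\.(?:[1-9]\d|1\d\d|2[0-4]\d|25[0-5])$"

# Constructed inputs, not taken from any real log.
SAMPLES = [
    "66.181.200.9",     # host below .10
    "66.181.200.10",    # lowest intended host
    "66.181.200.255",   # highest intended host
    "166.181.200.10",   # different network that contains the pattern as a substring
    "66.181.200.999",   # not a valid IPv4 address
    "66x181y200z45",    # unescaped dots match any character
]

def matches(pattern, text):
    """Unanchored search, the way a keyword-style list would apply an expression (assumption)."""
    return re.search(pattern, text) is not None

def compare(samples=SAMPLES):
    """Map each sample to (posted expression matched, strict expression matched)."""
    return {s: (matches(POSTED, s), matches(STRICT, s)) for s in samples}

def over_matched(samples=SAMPLES):
    """Samples the posted expression accepts but the strict one rejects."""
    return [s for s, (loose, strict) in compare(samples).items() if loose and not strict]

if __name__ == "__main__":
    for sample, (loose, strict) in compare().items():
        print(f"{sample:18} posted={loose!s:5} strict={strict}")
```

In an allowed-IP list, the entries returned by `over_matched()` are the ones that would be let through unintentionally.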

abel
Guest Group
Dan, Thanks for the tip. I didn't know that.
Thanks, Abel.

abel
Guest Group
Dan, Regex isn't my best shot, but every time I see a suggestion from you in the forum I apply it to my SpamFilter, especially the "from email" regex. Thanks, Abel.

Michael Magill
Guest Group
I very strongly request that you modify this behavior. We have purchased and are using SpamFilter but it makes me very nervous about continuing to use it. We had assumed that when we enter an IP *only* that IP would be filtered. Using regular expressions seems to me a bad workaround. I would recommend replacing the substring method of searching with the option of the user supplying a subnet mask. 255.255.255.255 or /32 for one IP, /24 for a class C, etc. This would also make it easier to block subnets like /20.
>For speed and efficiency, SpamFilter performs substring checks on the
>black/white lists. For this reason, as you discovered, an entry of
>
>200.218.224.2
>
>will match 200.218.224.2, but also 200.218.224.21, 200.218.224.26,
>200.218.224.200, 200.218.224.239 etc. There is currently no plan to change
>this behavior.
>
>The lists are taken literally, any content in them is treated as a keyword,
>thus keywords are not allowed.
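Added example, not part of the thread and not SpamFilter's code: it compares the substring check described in the quoted reply with the address/mask matching requested in this post, using Python's `ipaddress` module. The function names and the sample addresses beyond the four quoted in the thread are constructed for illustration.

```python
import ipaddress

def substring_blocked(keyword, ip):
    """List check as described in the thread: the entry matches anywhere inside the IP text."""
    return keyword in ip

def network_blocked(entry, ip):
    """Requested check: address with optional /prefix or /netmask; a bare address means /32."""
    net = ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(ip) in net

def collateral(keyword, intended, ips):
    """IPs the substring keyword blocks although they lie outside the intended network."""
    return [ip for ip in ips
            if substring_blocked(keyword, ip) and not network_blocked(intended, ip)]

# Constructed connection sources; the first four are the addresses quoted in the thread.
SEEN = ["200.218.224.2", "200.218.224.21", "200.218.224.200", "200.218.224.239",
        "64.0.0.17", "64.0.1.17", "164.0.0.17", "10.20.30.40"]

def demo():
    return {
        # One host was intended, three more are caught by the substring check.
        "single": collateral("200.218.224.2", "200.218.224.2/32", SEEN),
        # A keyword meant as a class C also matches inside an unrelated address.
        "class_c": collateral("64.0.0.", "64.0.0.0/24", SEEN),
        # A /20 written with a dotted netmask, as suggested in the post.
        "slash20": [ip for ip in SEEN
                    if network_blocked("200.218.224.0/255.255.240.0", ip)],
    }

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```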

LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
Let us think about this for a bit. Since the lists can be a mix of text and IPs, performing substring searches was the simplest, fastest way of proceeding. If we are to consider the .0s and make them IP wildcards rather than strings, our code optimizations would no longer be valid and performance will be affected. We'll see if there's anything we can do to do this efficiently. Roberto Franceschetti

LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
I reviewed our internal code and the process implemented. We will treat this indeed as a bug, your request is very valid. We're in the process of adding a few extra features, this fix will be included in the new build which should be ready within a few days. Roberto Franceschetti

ashley
Guest Group
Dan, This is interesting, I didn't realize this could be done. I am interested in getting this set up but haven't been able to get it to work. I have DNS running on two servers but set up the Forward lookup zone: dnsbl.local on the primary. (It should replicate over at some point.) Just to test it I tried blocking my hotmail email so I added a host with the IP 207.68.163.0 and host name of test. (Most of my hotmail emails come from several IPs in that block.) Then I added dnsbl.local, true to my spamfilter.ini file. The emails still come through. Could you give some more details on setting that up? By the way, I can ping test.dnsbl.local and it comes back with the expected reply: timed out [207.68.163.0]. Also, when I enter an address such as 207.68.163.0 in the IP blacklist the message still comes through. Should the syntax be different than that?

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
OK ... if the IP you are trying to block is 12.100.85.178, you will create a forward lookup UNDER the main zone that looks like the following:
178.85.100.12 3600 A 127.0.0.2
So if your "Parent" zone is dnsbl.domain.com, the lookup of 178.85.100.12.dnsbl.domain.com will yield 127.0.0.2. The standard dnsbl uses the reverse IP to do the lookup. Did that help?
Dan S.

ashley
Guest Group
So 178.85.100.12 is the host name which is created in the forward lookup zone and has the IP value of 127.0.0.2. So when a lookup is done on 178.85.10.12.dnsbl.domain.com it resolves to 127.0.0.2. Is that correct? However I am not able to create hosts with decimals such as 178.85.100.12. I am using Windows 2000's DNS server. I would have to create separate domains and that seems excessive so either I don't understand or I just can't do it with Windows.

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Ashley, You are mostly correct on all accounts. The only way to create a record like that using the MS GUI is to create (under the parent domain) a "Domain", then another "Domain", then another "Domain" and finally a host of the final octet. The GUI will even complain about that but will do it. So .... really what I do is have my application write directly to the zone file the line just as I showed in my previous post. I increment the serial number (only required if you have a secondary that syncs for this) and I then force the zone to "Reload" the zone file. Yippie for Microsoft! Dan S.

ashley
Guest Group
Well I think I got the dnsbl setup ...except it doesn't work...
07/31/03 16:00:33:822 -- (1528) Connection from: 207.68.163.78 - Originating country : United States
This may be related to the other problem I posted about (http://www.logsat.com/spamfilter/forums/showmessage.asp?messageID=1541). The strange thing is the other MAPS queries are blocked. Other details:

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Ashley, I asked LogSat to shoot you my address ... that way I can directly message you on the dnsbl setup. Dan

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Ashley, Can you post your actual zone file? Or, at least the "A" record in the zone ... the whole file would be better. Dan

ashley
Guest Group
Here is the zone file for dnsbl.local on my DNS server. If you wish to email me directly my address is ashleymm72@hotmail.com.
;
@ IN SOA raven.infopro.local. admin.infopro.local. (
;
@ NS raven.infopro.local.
;
0.163.68.207 A 127.0.0.2

Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Ashley,
The record:
0.163.68.207 A 127.0.0.2
Won't work ... I assume you are trying for the whole class C ... Yes?
What you need to do is either add the exact IP as follows:
63.163.68.207 A 127.0.0.2
Where 63 is the "host" part or do something completely unorthodox ... which is what I do and it works:
*.163.68.207 A 127.0.0.2
Note that not all versions of Bind accept this but MS DNS does.
Please try this and let me know.
Regards,
Dan
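Added example, not part of the thread: an offline model of the DNSBL lookup discussed above, showing why the `0.163.68.207` record does not list 207.68.163.78 while an exact or wildcard record does. The records are the ones quoted in the posts; the function names, the grouping into two zones, the extra address 207.68.164.78 and the simplified wildcard handling (one leftmost label) are assumptions for illustration.

```python
import ipaddress

def dnsbl_owner(ip):
    """Reversed-octet owner name: 12.100.85.178 -> 178.85.100.12."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets))

def query_name(ip, zone):
    """Full name a DNSBL client resolves in the forward zone."""
    return dnsbl_owner(ip) + "." + zone

def parse_zone(text):
    """Map owner -> value for 'owner [ttl] A value' lines; ignore everything else."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        if len(fields) >= 3 and fields[-2].upper() == "A":
            records[fields[0]] = fields[-1]
    return records

def lookup(records, ip):
    """Exact owner wins; otherwise try '*' in place of the host octet."""
    owner = dnsbl_owner(ip)
    if owner in records:
        return records[owner]
    return records.get("*." + owner.split(".", 1)[1])

# Records quoted from the thread; only the grouping into two zones is constructed.
ZONE_AS_POSTED = """
@ NS raven.infopro.local.
0.163.68.207 A 127.0.0.2
"""
ZONE_SUGGESTED = """
178.85.100.12 3600 A 127.0.0.2
63.163.68.207 A 127.0.0.2
*.163.68.207 A 127.0.0.2
"""

def results():
    posted, suggested = parse_zone(ZONE_AS_POSTED), parse_zone(ZONE_SUGGESTED)
    return {
        "name": query_name("12.100.85.178", "dnsbl.domain.com"),
        "posted": lookup(posted, "207.68.163.78"),      # address from the posted log line
        "exact": lookup(suggested, "12.100.85.178"),
        "wildcard": lookup(suggested, "207.68.163.78"),
        "other_net": lookup(suggested, "207.68.164.78"),
    }

if __name__ == "__main__":
    for key, value in results().items():
        print(key, value)
```

A result of `None` corresponds to the name not resolving, which a DNSBL client treats as "not listed".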