Spam Filter ISP Support Forum


Country Filter - Blacklisting N/A

Robert Shelton (Guest Group)
Posted: 04 September 2003 at 2:19pm

I have configured SpamFilter to blacklist all countries from which I don't expect to receive legit email. This includes N/A, which I infer means IP addresses that somehow do not have a listed country "affiliation". In the last 3 months, some 640 emails have been rejected from N/A out of 30,000 total that were blocked for any reason.

One legit sender whose domain is hosted by Hurricane Electric is unable to send email because Hurricane's IP comes up as being in a blacklisted country. Here is a sample log entry with the sender and recipient email addresses replaced.

08/20/03 11:32:09:115 -- (2256) Connection from: 64.62.225.2 -

Originating country : N/A

08/20/03 11:32:09:256 -- (2256) Resolving 64.62.225.2 - tornado.he.net

08/20/03 11:32:09:256 -- (2256) - IP address is from a blacklisted country...

08/20/03 11:32:09:256 -- (2256) 64.62.225.2 - Mail from: <SENDER> To: <RECIPIENT> will be disconnected

The sender receives a standard reject message from SpamFilter that the email is rejected because it originates in a blacklisted country.

Am I correct in my assumption above as to why an IP address would show up N/A? Is there more to it? How does SpamFilter make the determination of "country" -- what is the mechanism? Is there a web site that I can visit to manually test IP addresses (or to refer sys admins to test their IP addresses) that uses the same data as SpamFilter? I think that N/A indicates a DNS configuration problem. What should I recommend / ask admins to do to fix this problem?

Thanks,

Robert Shelton
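
An added example, not part of the original post and not LogSat code: a Python sketch that reads log text in the format of the excerpt above and lists the connections the country filter rejected with country N/A, grouped by resolved host name, so they can be reviewed as possible false positives. It assumes the country is logged on the connection line or on the line right after it; the second connection in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the first connection copies the excerpt in the post;
# the second (id, IP, country name) is made up for contrast.
SAMPLE_LOG = """\
08/20/03 11:32:09:115 -- (2256) Connection from: 64.62.225.2 -
Originating country : N/A
08/20/03 11:32:09:256 -- (2256) Resolving 64.62.225.2 - tornado.he.net
08/20/03 11:32:09:256 -- (2256) - IP address is from a blacklisted country...
08/20/03 11:32:09:256 -- (2256) 64.62.225.2 - Mail from: <SENDER> To: <RECIPIENT> will be disconnected
08/20/03 11:32:10:002 -- (2260) Connection from: 192.0.2.10 - Originating country : Exampleland
08/20/03 11:32:10:140 -- (2260) - IP address is from a blacklisted country...
"""

CONN = re.compile(r"\((\d+)\) Connection from: (\d{1,3}(?:\.\d{1,3}){3})")
COUNTRY = re.compile(r"Originating country\s*:\s*(.+?)\s*$")
RESOLVE = re.compile(r"\((\d+)\) Resolving \S+ - (\S+)")
REJECT = re.compile(r"\((\d+)\) - IP address is from a blacklisted country")

def country_rejects(log_text):
    """Return one record per connection rejected by the country filter."""
    conns, last_id = {}, None
    for line in log_text.splitlines():
        if m := CONN.search(line):
            last_id = m.group(1)
            conns[last_id] = {"ip": m.group(2), "country": None,
                              "host": None, "rejected": False}
        # The country may sit on the connection line or on the line after it.
        if (m := COUNTRY.search(line)) and last_id in conns:
            conns[last_id]["country"] = m.group(1)
        if (m := RESOLVE.search(line)) and m.group(1) in conns:
            conns[m.group(1)]["host"] = m.group(2)
        if (m := REJECT.search(line)) and m.group(1) in conns:
            conns[m.group(1)]["rejected"] = True
    return [c for c in conns.values() if c["rejected"]]

def unlisted_rejects(log_text):
    """Group N/A rejects by resolved host name for manual review."""
    hosts = defaultdict(set)
    for c in country_rejects(log_text):
        if c["country"] == "N/A":
            hosts[c["host"] or "(no reverse DNS)"].add(c["ip"])
    return {h: sorted(ips) for h, ips in hosts.items()}

if __name__ == "__main__":
    print(unlisted_rejects(SAMPLE_LOG))
```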

 

LogSat (Admin Group)
Posted: 04 September 2003 at 9:45pm

Robert,

SpamFilter uses GeoIP data created by MaxMind, available from http://maxmind.com, to look up countries based on source IPs. The country/IP database is contained in the GeoIP.dat file in the SpamFilter folder. The most recent database can be downloaded from maxmind.com at http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz

As far as testing if an IP has a country assigned to it, I believe we'll be able to add that functionality to the SpamFilter GUI before the next build is released.

Roberto Franceschetti
LogSat Software



Robert Shelton (Guest Group)
Posted: 04 September 2003 at 11:17pm

Thanks Roberto. The file turned out to be a .gz, not .g, but it is there. Am downloading.

The test feature would be great - akin to the blacklist test.

To clarify my understanding of the situation, my SpamFilter installation is querying the file in the install directory, not going out to the web for that check. So the file needs to be kept up to date or incorrect answers will come back. The incorrect answers probably would be more likely to show up in N/A, I am guessing, because they'd be new IP ranges that aren't in my version of the database. Is my interpretation correct?

Thanks,

Robert Shelton

Robert Shelton (Guest Group)
Posted: 04 September 2003 at 11:27pm

Roberto - Don't know how often these files are updated by GeoIP. The ones I downloaded were changed in the last 30 days, so I am guessing monthly. It would be useful for SpamFilter to check automatically for updates b/c if my guess about how file change would cause rejects is correct, this is something that we'd want to keep up to date. Or are these files updated when we install new releases?

Tx,

Robert

LogSat (Admin Group)
Posted: 05 September 2003 at 9:52pm

Yes, SpamFilter is querying the local GeoIP.dat file, not the web version. As far as incorrect IPs more likely to show up as N/A, I do not honestly know how MaxMind populates their database, so do not have an answer for that, even though it would seem logical that they are catalogued as N/A.

Sorry for the wrong link, copy and paste issues...

Roberto F.
LogSat Software

LogSat (Admin Group)
Posted: 05 September 2003 at 9:56pm

Having SpamFilter check for geodata updates is a good idea, we'll see if we can arrange that.

Right now we leave it up to the users to update the file; once every few months we update the one in the SpamFilter distribution package.

Roberto F.
LogSat Software

Robert Shelton (Guest Group)
Posted: 06 September 2003 at 1:46am

Roberto -- re update cycle, I noticed that the file that came with my update package (v .178 is what I have installed, but I think that I first installed on this machine 3 months or so ago) was dated December 2002. The size difference was over 100K, so quite a bit has been added. Probably best to check for updates monthly. If the file is out of sync, we'd either get false positives or detection failures.

Tx,

Robert

eric (Guest Group)
Posted: 14 September 2003 at 12:06pm

Not all problems are LogSat related, I use :

get and unzip that file, and put it in my LogSat dir. (Just a stupid batch file.)

I never had problems with N/A.

Anyone who uses LogSat should know SMTP commands (and regex :-)), FTP and HTTP commands, so you can update it by script.

LogSat almost updates all the files every connection or email (aka 5 minutes), except so far the ini file.

LogSat support: keep it lean and mean as it is now. I completely junked my McAfee products, and enabled Snort patterns in my regex keyword filter, now no virus is found for over 3 months, at my internal Notes and Exchange admins!

-eric-
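
An added example, not from any poster and not LogSat code: one way to script the update discussed in this thread, in Python, given a GeoIP.dat.gz that has already been downloaded. It flags a local GeoIP.dat older than 30 days and only swaps in a new file after it decompresses cleanly and is not implausibly small. The 30-day and half-size thresholds and the function names are assumptions.

```python
import gzip
import os
import shutil
import tempfile
import time

MAX_AGE_DAYS = 30     # assumption: monthly refresh, as guessed in the thread
MIN_SIZE_RATIO = 0.5  # assumption: under half the installed size is suspect

def is_stale(dat_path, now=None):
    """True when the installed database is older than MAX_AGE_DAYS."""
    age = (now or time.time()) - os.path.getmtime(dat_path)
    return age > MAX_AGE_DAYS * 86400

def install_update(gz_path, dat_path):
    """Decompress gz_path and atomically replace dat_path if it looks sane."""
    # Temp file in the target directory so os.replace stays on one volume.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dat_path) or ".")
    try:
        # A truncated or corrupt download raises here, before any swap.
        with os.fdopen(fd, "wb") as out, gzip.open(gz_path, "rb") as src:
            shutil.copyfileobj(src, out)
        new_size = os.path.getsize(tmp)
        old_size = os.path.getsize(dat_path) if os.path.exists(dat_path) else 0
        if new_size == 0 or new_size < old_size * MIN_SIZE_RATIO:
            raise ValueError("refusing update: %d bytes vs %d installed"
                             % (new_size, old_size))
        os.replace(tmp, dat_path)  # readers see the old or the new file
        return new_size
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)
```

On Windows the final replace can fail while another process holds GeoIP.dat open, so the script may need to run while the service is stopped.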

 

 
