Country Filter - Blacklisting N/A

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=1886
Printed Date: 15 March 2025 at 6:04am


Topic: Country Filter - Blacklisting N/A
Posted By: Guests
Subject: Country Filter - Blacklisting N/A
Date Posted: 04 September 2003 at 2:19pm

I have configured SpamFilter to blacklist all countries from which I don't expect to receive legit email. This includes N/A, which I infer means IP addresses that somehow do not have a listed country "affiliation". In the last 3 months, some 640 emails have been rejected from N/A out of 30,000 total that were blocked for any reason.

One legit sender whose domain is hosted by Hurricane Electric is unable to send email because Hurricane's IP comes up as being in a blacklisted country. Here is a sample log entry with the sender and recipient email addresses replaced.

08/20/03 11:32:09:115 -- (2256) Connection from: 64.62.225.2 - Originating country : N/A

08/20/03 11:32:09:256 -- (2256) Resolving 64.62.225.2 - tornado.he.net

08/20/03 11:32:09:256 -- (2256) - IP address is from a blacklisted country...

08/20/03 11:32:09:256 -- (2256) 64.62.225.2 - Mail from: <SENDER> To: <RECIPIENT> will be disconnected

The sender receives a standard reject message from SpamFilter that the email is rejected because it originates in a blacklisted country.

Am I correct in my assumption above as to why an IP address would show up N/A? Is there more to it? How does SpamFilter make the determination of "country" -- what is the mechanism? Is there a web site that I can visit to manually test IP addresses (or to refer sys admins to test their IP addresses) that uses the same data as SpamFilter? I think that N/A indicates a DNS configuration problem. What should I recommend / ask admins to do to fix this problem?

Thanks,

Robert Shelton

 




Replies:
Posted By: LogSat
Date Posted: 04 September 2003 at 9:45pm

Robert,

SpamFilter uses GeoIP data created by MaxMind, available from http://maxmind.com, to look up countries based on source IPs. The country/IP database is contained in the GeoIP.dat file in the SpamFilter folder. The most recent database can be downloaded from maxmind.com at http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz



Posted By: Guests
Date Posted: 04 September 2003 at 11:17pm

Thanks Roberto. The file turned out to be a .gz, not .g, but it is there. Am downloading.

The test feature would be great - akin to the blacklist test.

To clarify my understanding of the situation, my SpamFilter installation is querying the file in the install directory, not going out to the web for that check. So the file needs to be kept up to date or incorrect answers will come back. The incorrect answers probably would be more likely to show up in N/A, I am guessing, because they'd be new IP ranges that aren't in my version of the database. Is my interpretation correct?

Thanks,

Robert Shelton



Posted By: Guests
Date Posted: 04 September 2003 at 11:27pm

Roberto - Don't know how often these files are updated by GeoIP. The ones I downloaded were changed in the last 30 days, so I am guessing monthly. It would be useful for SpamFilter to check automatically for updates b/c if my guess about how file change would cause rejects is correct, this is something that we'd want to keep up to date. Or are these files updated when we install new releases?

Tx,

Robert



Posted By: LogSat
Date Posted: 05 September 2003 at 9:52pm

Yes, SpamFilter is querying the local GeoIP.dat file, not the web version. As far as incorrect IPs more likely to show up as N/A, I do not honestly know how MaxMind populates their database, so do not have an answer for that, even though it would seem logical that they are catalogued as N/A.

Sorry for the wrong link, copy and paste issues...

Roberto F.
LogSat Software



Posted By: LogSat
Date Posted: 05 September 2003 at 9:56pm

Having SpamFilter check for geodata updates is a good idea, we'll see if we can arrange that.

Right now we leave it up to the users to update the file; once every few months we update the one in the SpamFilter distribution package.

Roberto F.
LogSat Software



Posted By: Guests
Date Posted: 06 September 2003 at 1:46am

Roberto -- re update cycle, I noticed that the file that came with my update package (v .178 is what I have installed, but I think that I first installed on this machine 3 months or so ago) was dated December 2002. The size difference was over 100K, so quite a bit has been added. Probably best to check for updates monthly. If the file is out of sync, we'd either get false positives or detection failures.

Tx,

Robert
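
An added example, not part of the original thread and not SpamFilter's own code: a Python script that tallies country-filter rejections in a SpamFilter log and lists the ones whose country was N/A, so those senders can be re-checked after GeoIP.dat is refreshed. The log layout is assumed from the single sample entry in the first post; the function names and the extra sample sessions are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the log entry quoted in the first post.
# Sessions 2301 and 2310 (documentation-range addresses) are invented.
SAMPLE_LOG = """\
08/20/03 11:32:09:115 -- (2256) Connection from: 64.62.225.2 - Originating country : N/A
08/20/03 11:32:09:256 -- (2256) Resolving 64.62.225.2 - tornado.he.net
08/20/03 11:32:09:256 -- (2256) - IP address is from a blacklisted country...
08/20/03 11:32:09:256 -- (2256) 64.62.225.2 - Mail from: <SENDER> To: <RECIPIENT> will be disconnected
08/20/03 11:40:01:010 -- (2301) Connection from: 203.0.113.7 - Originating country : Exampleland
08/20/03 11:40:01:020 -- (2301) Resolving 203.0.113.7 - mail.example.net
08/20/03 11:40:01:020 -- (2301) - IP address is from a blacklisted country...
08/20/03 11:40:02:500 -- (2310) Connection from: 198.51.100.9 - Originating country : N/A
"""

LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")
FIELDS = {
    "ip": re.compile(r"Connection from: (\d{1,3}(?:\.\d{1,3}){3})"),
    "country": re.compile(r"Originating country : (.+?)\s*$"),
    "host": re.compile(r"Resolving \S+ - (\S+)"),
}

def country_rejections(log_text):
    """Return one record per session that the country filter rejected."""
    sessions = defaultdict(dict)
    current = None  # last session id seen; wrapped lines attach to it
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        current, body = m.groups() if m else (current, raw.strip())
        if current is None or not body:
            continue
        record = sessions[current]
        for key, pattern in FIELDS.items():
            if (hit := pattern.search(body)):
                record[key] = hit.group(1)
        if "blacklisted country" in body:
            record["rejected"] = True
    return [r for r in sessions.values() if r.get("rejected")]

def na_rejection_report(log_text):
    """Tally rejections per country and list the N/A ones for review."""
    rejected = country_rejections(log_text)
    by_country = Counter(r.get("country", "unknown") for r in rejected)
    na_hosts = sorted((r.get("ip", ""), r.get("host", "")) for r in rejected
                      if r.get("country") == "N/A")
    return by_country, na_hosts
```

Session 2310 is N/A but was not rejected in the sample, so it is left out of the report; only sessions that hit the "blacklisted country" line are counted.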



Posted By: Guests
Date Posted: 14 September 2003 at 12:06pm

not all problems are logsat related, i use :

get and unzip that file, and put it in my logsat dir. (just a stupid batch file)

i never had problems with n/a,

anyone who uses logsat should know smtp commands (and regex :-)), ftp and http commands, so you can update it by script.

logsat almost updates all the files every connection or email (aka 5 minutes), except so far the ini file.

logsat support : keep it lean and mean as it is now,

i completely junked my McAfee products, and enabled snort patterns in my regex keywordfilter, now no virus is found for over 3 months, at my internal notes and exchange admins !

-eric-

 

 



