I have configured SpamFilter to blacklist all countries from which I don't expect to receive legit email. This includes N/A, which I infer means IP addresses that somewhow do not have a listed country "affiliation". In the last 3 months, some 640 emails have been rejected from N/A out of 30,000 total that were blocked for any reason.

One legit sender whose domain is hosted by Hurricane Electric is unable to send email because Hurricane's IP comes up as being in a blacklisted country. Here a sample log entry with the sender and recipient email addresses replaced.

08/20/03 11:32:09:256 -- (2256) 64.62.225.2 - Mail from: <SENDER> To: <RECIPIENT> will be disconnected

The sender receives a standard reject message from SpamFilter that the email is rejected because it originates in a blacklisted country.

Am I correct in my assumption above as to why an IP address would show up N/A? Is there more to it? How does SpamFilter make the determination of "country" -- what is the mechanism? Is there a web site that I can visit to manually test IP addresses (or to refer sys admins to test their IP addresses) that uses the same data as SpamFilter? I think that N/A indicates a DNS configuration problem. What should I recommend / ask admins to do to fix this problem?

Thanks,

Robert Shelton

Robert,

SpamFilter uses GeoIP data created by MaxMind, available from http://maxmind.com" class="ASPForums" title="WARNING: URL created by poster. - http://maxmind.com , to lookup countries based on source IPs. The country/IP database is contained in the GeoIP.dat file in the SpamFilter folder. The most recent database can be downloaded from maxmind.com at http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz -

Thanks Roberto. The file turned out to be a .gz, not .g, but it is there. Am downloading.

The test feature would be great - akin to the blacklist test.

To clarify my understanding of the situation, my SpamFilter installation is querrying the file in the install directory, not going out to the web for that check. So the file needs to be kept up to date or incorrect answers will come back. The incorrect answers probably would be more likely to show up in N/A, I am guessing, because they'd be new IP ranges that aren't in my version of the database. Is my interpretation correct?

Thanks,

Robert Shelton

Roberto - Don't know how often these files are updated by GeoIP. The ones I downloaded were changed in the last 30 days, so I am guessing monthly. It would be useful for SpamFilter to check automatically for updates b/c if my guess about how file change would cause rejects is correct, this is something that we'd want to keep up to date. Or are these files updated when we install new releases?

Tx,

Robert

Yes, SpamFilter s quering the local GeoIP.dat file, not the web version. As far as incorrect IPs more likely to show up as N/A, I do not honestly know how MaxMind populates their database, so do not have an answer for that, even though it would seem logical that they are catalogued as N/A.

Sorry for the wrong link, copy and past issues...

Roberto F.
LogSat Software

Having SpamFIlter check for geodata updates is a good idea, we'll see if we can arrange that.

Right now we leave it up to the users to update the file, once every few months we update the one in the SpamFilter distribution package.

Roberto F.
LogSat Software

Roberto -- re update cycle, I noticed that the file that came with my update package (v .178 is what I have installed, but I think that I first installed on this machine 3 months or so ago) was dated December 2002. The size difference was over 100K, so quite a bit has been added. Probably best to check for updates monthly. If the file is out of sync, we'd either get false positives or detection failures.

Tx,

Robert

not all problems are logsat related, i use :

get en unzip that file, and put it in my logsat dir.(just a stupid batch file)

i never had problems with n/a,

anyone who uses logsat should know smtp commands,(and regex :-))

ftp and http commands, so you can update it by script.

logsat almost updates all the files every connection or email,(aka 5 minutes)

except so far the ini file.

logsat support : keep it lean and mean as it is now,

i completely junked my mcaffee produkts, and enabled snort patterns in my regex

keywordfilter, now no virus is found for over 3 months, at my internal notes and exchange admins !

-eric-