Blacklist IP Wildcard Issue
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6356
Printed Date: 05 February 2025 at 4:59pm
Topic: Blacklist IP Wildcard Issue
Posted By: jerbo128
Subject: Blacklist IP Wildcard Issue
Date Posted: 18 January 2008 at 3:59pm
We had some good mail bounce with an "ip is blacklisted locally message". I searched the table, and neither the IP nor the Class C was listed. I finally found that the Class B was wildcard listed, such as:
216.229.0.0 was listed in the table, intending to stop the 216.229.0.XXX subnet. But instead it blocked the whole Class B 216.229.XXX.XXX.
I remember reading that wildcard "0" was to only be used for class C networks. But did you know that SFE would behave this way if it encountered XXX.XXX.0.0?
Running SFE .768
Jeremy
Replies:
Posted By: Desperado
Date Posted: 18 January 2008 at 5:24pm
jerbo128 (& Roberto)
I have confirmed this on SFI build 768. I added an IP to my BlackList as xx.xxxx.0.0 and then sent mail:
dan@MylocalDomain.com
dan@mayremotedomain.com
test 1
1/18/2008 5:19:41 PM
IP found in MAPS search
521 5.2 The IP used to deliver this message, (xx.xxx.192.128) is Blacklisted. Contact that IP block's admin.
SID=4 Clyde
I have only changed the domains and the first 2 octets in my post for security.
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
Posted By: LogSat
Date Posted: 19 January 2008 at 10:11am
You are both correct. This is going to be an issue, as we can't change how the ".0"s are handled or we will be interfering with how users have entered the other lists.
What we can do is to introduce the use of CDIR notation in the blacklist, so you will be able to enter for example: 216.229.0.0/16 to block that subnet. We'll have this ready in the next build that will be released shortly (days, not weeks).
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
Posted By: jerbo128
Date Posted: 19 January 2008 at 10:26am
Roberto,
Will you remove support for the xxx.xxx.xxx.0, or will you leave it in place with the warning as to what can happen?
Just trying to get a jumpstart on modifying my web management interface.
Jeremy
Posted By: LogSat
Date Posted: 19 January 2008 at 10:28am
We won't remove/change any existing functionality as we don't want to "break" any procedures and lists you admins may have in place. We're just adding (actually we've added it already and are testing it...) the CDIR functionality.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
Posted By: jerbo128
Date Posted: 19 January 2008 at 10:43am
What will happen in the case of a 192.168.0.0/24 ? Do we need to enter it as a 192.168.0.1/24 so that SFE can tell the difference?
Will SFE be able to decipher a 192.168.10.80/24 (even though the grammar is bad)?
Don't get me wrong, I really like the new idea. Just curious on functionality....
Jeremy
Posted By: LogSat
Date Posted: 19 January 2008 at 10:50am
With the CDIR, what matters is the subnet mask, so if you enter 192.168.10.0/24 or 192.168.10.88/24 it will still block the entire 192.168.10.x class C, without having to worry on using a .0, .1, or who knows what in the last octet.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
Posted By: Desperado
Date Posted: 19 January 2008 at 1:52pm
Roberto,
This sounds VERY good! It actually has not yet been an issue for me as I run my own dnsbl but ... The local IP black list comes way before the maps look-up so should be better for the larger ip blocks.
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
Posted By: cytechusa
Date Posted: 20 January 2008 at 10:29pm
can we do 201.0.0.0/8??
------------- Diamond
Cytech Computers & internet Sol,
Posted By: LogSat
Date Posted: 21 January 2008 at 2:35pm
Yes, the new beta of SpamFilter that will be released within the next day or so will allow the CDIR notation, and will thus allow you to specify the /8.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
Posted By: cytechusa
Date Posted: 21 January 2008 at 9:53pm
What's the best way to block IP, say 201.0.0.0? Would you put something like 201.1.1.0? Or 201.255.255.0?
------------- Diamond
Cytech Computers & internet Sol,
Posted By: jerbo128
Date Posted: 21 January 2008 at 9:56pm
201.0.0.0/8 to block the whole class A.
201.0.0.0/24 to block just the class C
That's a lot of ips if you are doing the entire Class A...
Jeremy
Posted By: cytechusa
Date Posted: 22 January 2008 at 3:03am
(Sorry if kinda long)
If you see the amount of junk that comes from the 200. range, I guess I'm looking to drop the connections and not even process them, like to block most all Amsterdam, China, etc.
Is the CDIR working in ver 3.5.4.718?
I'm wanting to make sure where I invest in a product, and how it is going to hold up for a number of years. I hate making changes (customers hate it worse).
It seems to be what I was looking for. I gotta give Roberto "kudos" on how quickly he responds to emails I have sent to him. I was kinda worried at first: "No phone support", no contract support. When he told me he doesn't have much need for "Paid" support, I almost fell over!!! Not that I'm looking to give money away (more of an attaboy), Roberto.
Anyways, I'm going to be getting the full 4.0 version so he can feed the family, and gonna pop for the anti-virus plug-in. Currently running Avast! Server, any foreseen issues there?
thanks
Diamond
------------- Diamond
Cytech Computers & internet Sol,
Posted By: LogSat
Date Posted: 22 January 2008 at 8:09am
The CDIR notation is a new feature that was introduced to solve a problem reported by Jerbo128 just 4 days ago :-) Yesterday we released a new pre-release version of SpamFilter v4 that supports it (pre-release versions and betas are usually only available to licensed users). We are able to have such quick turnarounds (bug fixes are often released in less than 24/36 hours) as we are a smaller company and are not limited by inner political and marketing reasons in our business... For the "holding up a number of years", SpamFilter was first released in Aug 2002, and we hope we'll be around for several more years!
For Avast!, there's no known issues with it nor other solutions. Please note the following however. By default SpamFilter processes emails in RAM for efficiency. You can use the following option in the SpamFilter.ini file to change this behavior:
;Set this to 0 to prevent queued emails to be spooled to memory, and force spooling to disk. While less efficient, spooling to disk helps allow existing antivirus software to detect and block some infected email files
SpoolQueueFilesToMemory=1
If the temp files are spooled to disk, this allows your antivirus a chance to catch viruses the files may contain. If this happens, and your AV deletes the file, SpamFilter is "smart" enough to understand what happened, and will simply ignore the file and the relative email. However your AV must be able to keep up with the mail flow, and not all of them can. The antivirus plugin for the partner we use, Norman, is fully integrated in SpamFilter, and will inspect all attachments in emails. We go even as far as "hacking" the passwords in zip files if they are not longer than 6 digits, so we can catch many of the viruses in password protected zip files.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
Posted By: StevenJohns
Date Posted: 30 January 2008 at 10:55am
>> SpamFilter was first released in Aug 2002, and we hope we'll be around for several more years!
You'd better....where would we be without SF ?????
I don't normally lick ass, but SF is the best spam filter available....regardless of cost.
Posted By: Alan
Date Posted: 05 May 2008 at 3:07pm
Is there a guide on how to use the CDIR feature? Do we just include the IP block in the IP Filter list (e.g. xxx.yyy.zzz.0/16)? I don't see mention of it in the official documentation.
This feature is effective as of 4.0.0.772, correct?
And finally, as a registered SF user (since the 1.x days), it has been a real pleasure dealing with Roberto and using a product that the USERS can influence the direction of.
Posted By: Alan
Date Posted: 05 May 2008 at 3:10pm
Now if we can only get a feature to add COMMENTS. I would suggest adding them following a "#" and having SF ignore remaining text in the line after the #.
I would love to be able to better annotate why filters are added, when I added them, etc.
Posted By: LogSat
Date Posted: 05 May 2008 at 6:59pm
Hi Alan,
The CDIR notation was added in v4.0.0.770, but, to be truthful, I do not know when we added the documentation to the manual. Here's the relevant section:
Blacklisted IPs - You can keep a file with additional IPs that you want to blacklist by entering the filename below. If the file does not exist it will be created. The file is reloaded every minute. List individual IP addresses on each line. Use an ending .0 for a Class C wildcard (i.e. 192.12.45.0 to block 192.12.45.1 --> 192.12.45.255). This IP blacklist also supports the use of CDIR notation to specify networks. For example, 192.12.45.0/24 will block the previous Class C of addresses as well. The contents of the file will be loaded in the memo box, allowing you to make changes to the file.
Unfortunately most likely we're still not going to be able to provide support for comments in all the blacklist/whitelist files. The reason is the same for which we do not check for correctness (the most common problems are leading/trailing spaces in the entries). Some customers have dozens of millions of entries in these lists, and checking each line for correctness (and parsing out the comments) would severely hamper performance in these cases. We process these white/black lists in bulk when reading/writing them, without looking at individual entries but rather by managing the raw memory locations that hold the strings as a whole, without applying any parsing for speed.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
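Added example, not part of the thread and not SpamFilter's own code: a Python model of the two blacklist entry forms discussed above (the trailing ".0" wildcard and the notation the thread calls CDIR, i.e. CIDR), used to audit a list for legacy entries that match more than a Class C and for the leading/trailing spaces mentioned in the last reply. It assumes each trailing 0 octet widens the match by 8 bits, which the thread confirms only for the x.x.0.0 case; the function names and sample entries are constructed for illustration.

```python
import ipaddress

def legacy_network(entry):
    """Model the trailing-.0 wildcard as reported in the thread."""
    prefix = 32
    # Assumption: every trailing 0 octet widens the match by 8 bits,
    # so 216.229.0.0 behaves like 216.229.0.0/16.
    for octet in reversed(entry.split(".")):
        if octet != "0":
            break
        prefix -= 8
    return ipaddress.IPv4Network(f"{entry}/{prefix}")

def entry_to_network(entry):
    """Return the network one blacklist entry effectively matches."""
    if "/" in entry:
        # strict=False masks host bits: 192.168.10.88/24 -> 192.168.10.0/24
        return ipaddress.IPv4Network(entry, strict=False)
    return legacy_network(entry)

def audit(lines):
    """Return (line_no, raw_entry, network, warning) for entries to review."""
    findings = []
    for no, raw in enumerate(lines, 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = entry_to_network(entry)
        except ValueError:
            findings.append((no, raw, None, "unparseable entry"))
            continue
        if raw != entry:
            findings.append((no, raw, net, "leading/trailing whitespace"))
        elif "/" not in entry and net.prefixlen < 24:
            findings.append((no, raw, net, "legacy .0 wildcard wider than a Class C"))
    return findings

def is_blocked(ip, lines):
    """True if ip falls inside any parseable entry (entries are stripped first)."""
    addr = ipaddress.IPv4Address(ip)
    for raw in lines:
        try:
            if raw.strip() and addr in entry_to_network(raw.strip()):
                return True
        except ValueError:
            continue
    return False

# Constructed sample blacklist, one entry per line as in the blacklist file.
SAMPLE = ["216.229.0.0", "192.12.45.0", "192.168.10.88/24", "10.1.2.3", " 203.0.113.0"]

if __name__ == "__main__":
    for no, raw, net, warning in audit(SAMPLE):
        print(f"line {no}: {raw!r} -> {net}: {warning}")
```

Entries flagged as wider than a Class C can be rewritten with an explicit prefix length so the intended scope is visible in the list itself.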