Ip address blocking by country - VMS


Thread: Ip address blocking by country

  1. Ip address blocking by country

    Wrong NG?
    maybe but I know people here are well versed in this.

    IP blocking.
    Is this done on a regular basis?
    Thought someone here would be able to answer.

    If so, what are the prefix IP addresses we should block?
    Seems most of our spam is coming through Chinese IP addresses !
    We are using Spamassassin but it sometimes deletes good messages as do the
    blacklist servers.
    We are using 1 of the 4 blacklist servers on our mailserver but Brian here
    is making me nervous as yesterday after doing some work we got almost no
    emails.

    Comments?!?!

    DT

    --
    David B Turner

    =============================================

    Island Computers US Corp
    PO Box 86
    Tybee GA 31328

    Toll Free: 1-877 636 4332 x201, Mobile x251
    Email: dturner@islandco.com
    International & Local: (001)- 404-806-7749
    Fax: 912 786 8505
    Web: www.islandco.com

    =============================================



  2. Re: Ip address blocking by country


    "David Turner, Island Computers" wrote in message
    news:5bCUj.488$Xv3.369@bignews4.bellsouth.net...

    > Seems most of our spam is coming through Chinese IP addresses !
    > We are using Spamassassin but it sometimes deletes good messages as do the blacklist
    > servers.


    No method is foolproof, and certainly not whole country blocking. If you
    want to do it though, the easiest way is probably to use a country DNSBL list
    e.g. http://countries.nerd.dk/



  3. Re: Ip address blocking by country

    We use the DNSBL list, and it works quite well.
    BUT those Chinese companies don't seem to get hit that hard


    --
    David B Turner

    =============================================

    Island Computers US Corp
    PO Box 86
    Tybee GA 31328

    Toll Free: 1-877 636 4332 x201, Mobile x251
    Email: dturner@islandco.com
    International & Local: (001)- 404-806-7749
    Fax: 912 786 8505
    Web: www.islandco.com

    =============================================
    "Richard Brodie" wrote in message
    news:fvuroa$6lb$1@south.jnrs.ja.net...
    >
    > "David Turner, Island Computers" wrote in message
    > news:5bCUj.488$Xv3.369@bignews4.bellsouth.net...
    >
    >> Seems most of our spam is coming through Chinese IP addresses !
    >> We are using Spamassassin but it sometimes deletes good messages as do
    >> the blacklist servers.

    >
    > No method is foolproof, and certainly not whole country blocking. If you
    > want to do it though, the easiest way is probably to use a country DNSBL
    > list
    > e.g. http://countries.nerd.dk/
    >




  4. Re: Ip address blocking by country

    Hi Dave,

    > IP blocking.
    > Is this done on a regular basis?


    Subscribing to RBL lists will certainly cut a huge amount of spam. Many
    off the shelf spam boxes use these lists directly.

    As for blocking by country, yes if you're sure you'll never need mail
    from anyone in that country you could get away with it, but I think
    using appropriate RBLs is better.

    > We are using Spamassassin but it sometimes deletes good messages as do the
    > blacklist servers.


    The key here is 'delete'. We use RBLs so that we return a reject (550)
    code to incoming messages whose IP is on the list. We do it after the
    MAIL FROM and RCPT TO exchange, so we can log the sender and recipient
    address, which helps us track it when somebody says they were expecting
    a message from so-and-so (we use PMDF to do this). Genuine messages
    caught up in this (which are fairly rare if you choose the right lists)
    get a non-delivery notification so the message isn't lost.

    What we do if the message is judged to be spam by the next stage is to
    quarantine it, and send a summary notice to the recipient thrice daily
    showing what has been quarantined. That way the message is never
    deleted, and false positives can be retrieved and the sender address
    whitelisted. There will *always* be false positives in any spam
    filtering, so silently trashing messages will lead to genuine lost mail.

    > We are using 1 of the 4 blacklist servers on our mailserver but Brian here
    > is making me nervous as yesterday after doing some work we got almost no
    > emails.


    We use four different blacklist providers. Ideally you should log what
    you are rejecting.

    Incidentally we sell precisely this kind of filtering service (run on
    VMS machines of course, many of which you have provided!).

    ---------------------------------------------------------
    Tom Wade | EMail: tee dot wade at eurokom dot ie
    EuroKom | Tel: +353 (1) 296-9696
    A2, Nutgrove Office Park | Fax: +353 (1) 296-9697
    Rathfarnham | Disclaimer: This is not a disclaimer
    Dublin 14 | Tip: "Friends don't let friends do Unix !"
    Ireland
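
The reject-at-RCPT-TO flow described in the post above, as an added sketch that is not code from any poster or from PMDF. The zone names `bl-a.example` and `bl-b.example`, the function names and the log format are assumptions; the lookup convention (reversed octets under the list's zone, a listing signalled by an answer inside 127.0.0.0/8) is the standard DNSBL one.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL listings answer in here


def dnsbl_query_name(client_ip, zone):
    """Reverse the client's octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name):
    """A-record lookup through the system resolver; [] if the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def listings(client_ip, zones, resolve=system_resolve):
    """Return [(zone, [answers])] for every list that really lists the client."""
    hits = []
    for zone in zones:
        answers = resolve(dnsbl_query_name(client_ip, zone))
        # Ignore answers outside 127.0.0.0/8: a resolver that rewrites
        # "no such name" into some web server's address would otherwise
        # make every client look listed and reject all mail.
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            hits.append((zone, codes))
    return hits


def on_rcpt_to(client_ip, mail_from, rcpt_to, zones, log, resolve=system_resolve):
    """Pick the reply to RCPT TO, when sender and recipient are both known."""
    hits = listings(client_ip, zones, resolve)
    if not hits:
        return "250 2.1.5 OK"
    zone, codes = hits[0]
    # Log enough to answer "I was expecting a message from so-and-so".
    log.append(f"reject client={client_ip} from=<{mail_from}> to=<{rcpt_to}> "
               f"list={zone} answer={codes[0]}")
    return f"550 5.7.1 Client host [{client_ip}] blocked using {zone}"


if __name__ == "__main__":
    # Constructed DNS data: 192.0.2.10 is listed on the second example zone.
    fake_dns = {"10.2.0.192.bl-b.example": ["127.0.0.2"]}
    log = []
    print(on_rcpt_to("192.0.2.10", "a@sender.example", "b@rcpt.example",
                     ["bl-a.example", "bl-b.example"], log,
                     resolve=lambda name: fake_dns.get(name, [])))
    print(log)
```

Because the sending server receives the 550 itself, a wrongly rejected sender gets a non-delivery notice and the log line shows which list caused it.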

  5. Re: Ip address blocking by country

    David Turner, Island Computers wrote:

    > IP blocking.
    > Is this done on a regular basis?


    It can be, especially when you use the TCPIP SMTP stuff,
    which has rather limited filtering capability.

    > Seems most of our spam is coming through Chinese IP addresses !


    When I get junk e-mail, I usually put its source IP
    address into:

    http://ws.arin.net/whois/

    which, for China, leads to:

    http://wq.apnic.net/apnic-bin/whois.pl

    A bit of exploration there can reveal some pretty large IP
    address ranges which are 100% Chinese.

    SMS.

  6. Re: Ip address blocking by country

    David Turner, Island Computers wrote:
    > Wrong NG?
    > maybe but I know people here are well versed in this.
    >
    > IP blocking.
    > Is this done on a regular basis?
    > Thought someone here would be able to answer.
    >
    > If so, what are the prefix IP addresses we should block?
    > Seems most of our spam is coming through Chinese IP addresses !
    > We are using Spamassassin but it sometimes deletes good messages as do the
    > blacklist servers.
    > We are using 1 of the 4 blacklist servers on our mailserver but Brian here
    > is making me nervous as yesterday after doing some work we got almost no
    > emails.
    >
    > Comments?!?!
    >
    > DT
    >


    A good place to start would be the 218.0.0.0 mask 255.0.0.0 address
    family but ONLY if you have no Chinese customers.

    Do you deal with anyone at NEBS? I used to work for a subsidiary. NEBS
    installed a filter that blocked 99.44% of the spam we used to get.
    Don't know where it came from or what it cost but someone at NEBS should
    know.
    They are IBM mainframe, AS-400, and Sun Solaris users. No DEC.

    If all else fails, the message header should show where the message
    originated and how it got to your address. Blocking traffic for the
    origin or intermediate hops should cut down on the volume.

  7. Re: Ip address blocking by country


    "David Turner, Island Computers" wrote in message
    news:vACUj.498$Xv3.419@bignews4.bellsouth.net...

    > We use the DNSBL list, and it works quite well.


    I think you may have missed my point. If you really want
    to blacklist a whole country, there are DNSBL providers that
    will do the IP->country mapping for you.



  8. Re: Ip address blocking by country

    I don't have an extensive list, but:

    Bad-Clients: 220.144.0.0/16,
    200.45.190.0/23
    !
    ! Chinanet
    Bad-Clients: 58.0.0.0/8,
    59.0.0.0/8,
    60.0.0.0/8,
    218.66.0.0/15,
    220.160.0.0/11,
    220.192.0.0/10,
    221.0.0.0/8,
    222.0.0.0/8,
    61.12.0.0/16,
    61.206.0.0/16


    as well as:

    RBLs: combined.njabl.org
    RBLs: zen.spamhaus.org


    About the only spam I get these days is in Russian Cyrillic characters.

  9. Re: Ip address blocking by country

    Well, whatever we have done now (blocked out specific IP addresses
    221.3.*.*) seems to have done the trick, along with a few filters using
    DNSBL

    Seems 80% of the spam was coming from that prefix...
    In China of course...

    As we do almost no business in China, and the fact that most Chinese use
    gmail it won't be too much of an issue... Methinks most of China is Linux
    so...

    --
    David B Turner

    =============================================

    Island Computers US Corp
    PO Box 86
    Tybee GA 31328

    Toll Free: 1-877 636 4332 x201, Mobile x251
    Email: dturner@islandco.com
    International & Local: (001)- 404-806-7749
    Fax: 912 786 8505
    Web: www.islandco.com

    =============================================
    "Richard B. Gilbert" wrote in message
    news:XrqdnRfRUNLOhL7VnZ2dnUVZ_jqdnZ2d@comcast.com. ..
    > David Turner, Island Computers wrote:
    >> Wrong NG?
    >> maybe but I know people here are well versed in this.
    >>
    >> IP blocking.
    >> Is this done on a regular basis?
    >> Thought someone here would be able to answer.
    >>
    >> If so, what are the prefix IP addresses we should block?
    >> Seems most of our spam is coming through Chinese IP addresses !
    >> We are using Spamassassin but it sometimes deletes good messages as do
    >> the blacklist servers.
    >> We are using 1 of the 4 blacklist servers on our mailserver but Brian
    >> here is making me nervous as yesterday after doing some work we got
    >> almost no emails.
    >>
    >> Comments?!?!
    >>
    >> DT
    >>

    >
    > A good place to start would be the 218.0.0.0 mask 255.0.0.0 address family
    > but ONLY if you have no Chinese customers.
    >
    > Do you deal with anyone at NEBS? I used to work for a subsidiary. NEBS
    > installed a filter that blocked 99.44% of the spam we used to get. Don't
    > know where it came from or what it cost but someone at NEBS should know.
    > They are IBM mainframe, AS-400, and Sun Solaris users. No DEC.
    >
    > If all else fails, the message header should show where the message
    > originated and how it got to your address. Blocking traffic for the
    > origin or intermediate hops should cut down on the volume.




  10. Re: Ip address blocking by country

    Got the point and we are considering blocking the whole country but we'll
    wait and see how much spam we get from now on...

    Thanks ! To Everyone..

    --
    David B Turner

    =============================================

    Island Computers US Corp
    PO Box 86
    Tybee GA 31328

    Toll Free: 1-877 636 4332 x201, Mobile x251
    Email: dturner@islandco.com
    International & Local: (001)- 404-806-7749
    Fax: 912 786 8505
    Web: www.islandco.com

    =============================================
    "Richard Brodie" wrote in message
    news:fvv5mt$9tf$1@south.jnrs.ja.net...
    >
    > "David Turner, Island Computers" wrote in message
    > news:vACUj.498$Xv3.419@bignews4.bellsouth.net...
    >
    >> We use the DNSBL list, and it works quite well.

    >
    > I think you may have missed my point. If you really want
    > to blacklist a whole country, there are DNSBL providers that
    > will do the IP->country mapping for you.
    >




  11. Re: Ip address blocking by country

    On Thu, 08 May 2008 09:18:59 -0700, David Turner, Island Computers
    wrote:

    > Got the point and we are considering blocking the whole country but we'll
    > wait and see how much spam we get from now on...
    >
    > Thanks ! To Everyone..
    >

    I usually just block class B IPs


    --
    PL/I for OpenVMS
    www.kednos.com

  12. Re: Ip address blocking by country

    JF Mezei wrote:
    > I don't have an extensive list, but:


    Ultra-exhaustive, I'd say.

    > ! Chinanet
    > Bad-Clients: 58.0.0.0/8,


    That alone would seem to stop big chunks of Japan,
    Australia, Thailand, Malaysia, Pakistan, India,
    Singapore, Vietnam, and I don't know what else.

    Great aim, there, JF. 58.32.0.0/11, perhaps,
    unless stopping all of Asia really was the goal.
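
An added example (not any poster's code) that measures the over-blocking pointed out above: how much of a blocked prefix falls outside the range that was actually meant. It also normalises the three notations used in this thread (CIDR, "address mask netmask", trailing wildcards). The function names are assumptions, and 58.32.0.0/11 is used as the intended range only because the post above suggests it, not from registry data.

```python
import ipaddress


def parse_entry(text):
    """Turn one blocklist entry into an IPv4Network.

    Accepts "58.0.0.0/8", "218.0.0.0 mask 255.0.0.0" and "221.3.*.*".
    """
    text = text.strip().rstrip(",")
    if " mask " in text:
        addr, mask = (part.strip() for part in text.split(" mask ", 1))
        return ipaddress.IPv4Network(f"{addr}/{mask}")
    if "*" in text:
        octets = text.split(".")
        fixed = [o for o in octets if o != "*"]
        # Only trailing wildcards correspond to a single prefix.
        if len(octets) != 4 or not fixed or octets[:len(fixed)] != fixed:
            raise ValueError(f"unsupported wildcard entry: {text!r}")
        addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.IPv4Network(f"{addr}/{8 * len(fixed)}")
    # Strict parsing raises ValueError when host bits are set (e.g. 58.32.1.0/11).
    return ipaddress.IPv4Network(text)


def outside_intended(blocked, intended):
    """Return the parts of `blocked` not covered by any network in `intended`."""
    remaining = [blocked]
    for target in intended:
        kept = []
        for net in remaining:
            if net.subnet_of(target):
                continue                  # wholly intended, nothing left over
            if target.subnet_of(net):
                kept.extend(net.address_exclude(target))
            else:
                kept.append(net)          # disjoint: CIDR blocks never partly overlap
        remaining = kept
    return sorted(remaining)


def audit(entries, intended):
    """Per entry: (network, addresses blocked, addresses outside `intended`)."""
    targets = [parse_entry(t) for t in intended]
    report = []
    for entry in entries:
        net = parse_entry(entry)
        extra = sum(n.num_addresses for n in outside_intended(net, targets))
        report.append((str(net), net.num_addresses, extra))
    return report


def redundant(entries):
    """Entries already covered by a broader entry in the same list."""
    nets = [parse_entry(e) for e in entries]
    return [str(n) for n in nets if any(n != m and n.subnet_of(m) for m in nets)]


if __name__ == "__main__":
    for net, total, extra in audit(["58.0.0.0/8"], ["58.32.0.0/11"]):
        print(f"{net}: {extra} of {total} addresses ({extra / total:.1%}) "
              "lie outside the intended range")
    print("redundant:", redundant(["221.0.0.0/8", "221.3.*.*"]))
```

The audit is only as good as the intended-range list it is given; with an incomplete list it overstates the collateral.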

  13. Re: Ip address blocking by country

    sms.antinode@gmail.com wrote:

    >> ! Chinanet
    >> Bad-Clients: 58.0.0.0/8,

    >
    > That alone would seem to stop big chunks of Japan,
    > Australia, Thailand, Malaysia, Pakistan, India,
    > Singapore, Vietnam, and I don't know what else.


    Didn't realise. I had gotten a spate of spam and it had come from too wide
    a variety of IPs within that block.

    I'll probably have to look into those "block by country" RBLs listed
    earlier in this thread.

  14. Re: Ip address blocking by country

    In article ,
    "Tom Linden" writes:
    > On Thu, 08 May 2008 09:18:59 -0700, David Turner, Island Computers
    > wrote:
    >
    >> Got the point and we are considering blocking the whole country but we'll
    >> wait and see how much spam we get from now on...
    >>
    >> Thanks ! To Everyone..
    >>

    > I usually just block class B IPs


    You're not interested in business from American Universities?
    What possible mapping between Class B addresses and SPAM could there be?

    (We have and have had since the 80's a Class B address space here at
    UofS!)

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  15. Re: Ip address blocking by country

    On Sat, 10 May 2008 06:19:07 -0700, Bill Gunshannon
    wrote:

    > In article ,
    > "Tom Linden" writes:
    >> On Thu, 08 May 2008 09:18:59 -0700, David Turner, Island Computers
    >> wrote:
    >>
    >>> Got the point and we are considering blocking the whole country but
    >>> we'll
    >>> wait and see how much spam we get from now on...
    >>>
    >>> Thanks ! To Everyone..
    >>>

    >> I usually just block class B IPs

    > You're not interested in business from American Universities?
    > What possible mapping between Class B addresses and SPAM could there be?

    You took it out of context, Chinese class B
    >
    > (We have and have had since the 80's a Class B address space here at
    > UofS!)
    >
    > bill
    >




    --
    PL/I for OpenVMS
    www.kednos.com

  16. Re: Ip address blocking by country

    "Tom Linden" writes:

    >On Sat, 10 May 2008 06:19:07 -0700, Bill Gunshannon
    >wrote:


    >> In article ,
    >> "Tom Linden" writes:
    >>> I usually just block class B IPs


    >> You're not interested in business from American Universities?
    >> What possible mapping between Class B addresses and SPAM could there be?


    >You took it out of context, Chinese class B


    Class A/B/C addresses are just relics of the old way of allocating IP
    addresses. Nowadays they'll allocate IP addresses to organizations and
    countries on just about any netmask, not just /8 (Class A), /16 (Class B)
    and /24 (Class C). The old way was just wasteful, if a smallish company
    grew too big for a Class C, the next step (Class B) was excessively large.
    And if you look at who got Class A's under the old scheme, you kind of
    have to wonder what were they thinking.

    Allocations by country are widely scattered. You'll find China or some
    such have a /11 here, a /12 there, a /14 elsewhere etc. I discovered this
    when some Russian spammer started forging the name of my VMS hobbyist
    system as the From: in his spam, and sent it out almost exclusively to
    Russian emails. I started getting swamped in backscatter from Russian
    systems and I wanted to block Russia as a country. There were at least
    100 netblocks assigned to Russia at the time.

  17. RE: Ip address blocking by country

    > -----Original Message-----
    > From: Michael Moroney [mailto:moroney@world.std.spaamtrap.com]
    > Sent: May 10, 2008 11:34 AM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: Ip address blocking by country
    >
    > "Tom Linden" writes:
    >
    > >On Sat, 10 May 2008 06:19:07 -0700, Bill Gunshannon

    >
    > >wrote:

    >
    > >> In article ,
    > >> "Tom Linden" writes:
    > >>> I usually just block class B IPs

    >
    > >> You're not interested in business from American Universities?
    > >> What possible mapping between Class B addresses and SPAM could there

    > be?
    >
    > >You took it out of context, Chinese class B

    >
    > Class A/B/C addresses are just relics of the old way of allocating IP
    > addresses. Nowadays they'll allocate IP addresses to organizations and
    > countries on just about any netmask, not just /8 (Class A), /16 (Class
    > B)
    > and /24 (Class C). The old way was just wasteful, if a smallish
    > company
    > grew too big for a Class C, the next step (Class B) was excessively
    > large.
    > And if you look at who got Class A's under the old scheme, you kind of
    > have to wonder what were they thinking.
    >
    > Allocations by country are widely scattered. You'll find China or some
    > such have a /11 here, a /12 there, a /14 elsewhere etc. I discovered
    > this
    > when some Russian spammer started forging the name of my VMS hobbyist
    > system as the From: in his spam, and sent it out almost exclusively to
    > Russian emails. I started getting swamped in backscatter from Russian
    > systems and I wanted to block Russia as a country. There were at least
    > 100 netblocks assigned to Russia at the time.


    And let's not forget that NA is falling behind continents like Asia and
    to a somewhat lesser degree, Europe in terms of IPV6 deployments.

    Apparently, China Olympics this year is based on IPV6.

    http://www.conference.cn/ipv6/2005/i...angyanqing.pdf

    http://tinyurl.com/5ntol2 (CNN.com)

    Internet Strategy: China's Next Generation Internet
    http://tinyurl.com/555wm3 (CIO Magazine)

    http://tinyurl.com/6cxccu (News.com -2004)

    DoD is apparently mandating (or in the process of) a IPV6 deployment ASAP.

    Hence, all this discussion about blocking IPV4 addresses may not be as
    effective as one might think.

    :-)


    Regards

    Kerry Main
    Senior Consultant
    HP Services Canada
    Voice: 613-254-8911
    Fax: 613-591-4477
    kerryDOTmainAThpDOTcom
    (remove the DOT's and AT)

    OpenVMS - the secure, multi-site OS that just works.







  18. Re: Ip address blocking by country

    Michael Moroney wrote:

    > Allocations by country are widely scattered.



    It gets worse. At least one ISP in Australia is owned by a large telecom
    firm in the USA, and they are handing out USA IP addresses to their
    Australian customers. (ozemail if I remember right).

  19. Re: Ip address blocking by country

    In article <4826027d$0$20536$c3e8da3@news.astraweb.com>,
    JF Mezei writes:
    > Michael Moroney wrote:
    >
    >> Allocations by country are widely scattered.

    >
    >
    > It gets worse. At least one ISP in Australia is owned by a large telecom
    > firm in the USA, and they are handing out USA IP addresses to their
    > Australian customers. (ozemail if I remember right).



    There is no such thing as a "USA IP address". IP is not now and never
    has been geographic.

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  20. Re: Ip address blocking by country

    Bill Gunshannon wrote:
    > In article <4826027d$0$20536$c3e8da3@news.astraweb.com>,
    > JF Mezei writes:
    >> Michael Moroney wrote:
    >>
    >>> Allocations by country are widely scattered.

    >>
    >> It gets worse. At least one ISP in Australia is owned by a large telecom
    >> firm in the USA, and they are handing out USA IP addresses to their
    >> Australian customers. (ozemail if I remember right).

    >
    >
    > There is no such thing as a "USA IP address". IP is not now and never
    > has been geographic.


    True. However, stupid or lazy system admins still persist in believing
    that because "BigISP.com llc" is a US company, all its subsidiaries,
    wherever they may be registered and irrespective of where they are
    operating, must also be domestic US operations.

    Thus, for a fair while, the BBC thought that all virginmedia.com
    customers were in the US and refused to let them watch video clips.

    D'oh.
