6
IP to country lookups
Question asked by echoDreamz - 1/6/2024 at 3:41 PM
Unanswered
I know SM uses its own format for this (I assume based off MaxMind?), would there be a chance to get a utility that converts the MaxMind MMDB format to SM's? This way we can keep the DB updated with our own paid databases.

12 Replies

0
J. LaDow Replied
Agreed -- geoIP databases need the ability to be updated "externally" either via a button in the admin for an "upgrade check" -- or as noted above - for operators to use their own paid databases. I'd be willing to contribute a converter if the data formats are available.

We use ipinfo.io for our IP to country feeds and have found numerous differences between SM's data and what we retrieve online from our provider. Further investigation in most of those cases shows SM data being out of date.
MailEnable survivor / convert --
1
Would be great to be able to set a CRON job as well regarding the update interval of the said lists...
1
Mark Johnson Replied
Does it add a log entry that an IP is "auth blocked by country"? 
I'm still seeing login attempts (unsuccessful) from China despite it being blocked?
Or will it only block login if the attempt is successful? 
i.e., when does this block kick in?

[2024.01.17] 10:10:55.418 [59.46.193.187][47860066] Country code: CN
[2024.01.17] 10:10:58.093 [59.46.193.187][47860066] cmd: EHLO [59.46.193.187]
[2024.01.17] 10:10:59.425 [59.46.193.187][47860066] cmd: AUTH LOGIN
[2024.01.17] 10:11:00.780 [59.46.193.187][47860066] Authenticating as ..
1
J. LaDow Replied
It doesn't actually block.

It just prevents the AUTH and RCPT TO commands if they're from a blocked country.

They can continue to beat on your server forever (consuming bandwidth and processor) - it will respond with 421 SERVER BUSY - but it will never "block" them or reject their communications.

The problem with this is if they figure out it's a country block and can figure out what country isn't blocked (usually based on the server IPs location) they just fire up a VPN and go at you again.
MailEnable survivor / convert --
1
Use your firewall for that. Then they wouldn't get a response at all.
1
J. LaDow Replied
We do.

We added a third party solution that monitors the logs for several things and blocks at the firewall.

We saw close to a 30% drop in SMTP bandwidth by firewalling the abusive IPs instead of continuing to entertain them.

MailEnable survivor / convert --
1
Only way forward and the server loves it :)
0
Robert Mathias Replied
We manually add to the firewall from time to time. We've been looking for a way to automate this - what is the third party solution you are using that monitors the logs and adds the IPs to the firewall blocks? And what firewall are you using that allows this?
0
We use lists from Maxmind.

Our firewall is my own design based on Linux.
1
Sabatino Replied
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
J. LaDow Replied
IPBan by Digital Ruby (runs on Linux and Windows).

We strictly use the log scanning and block based on hits in the log. We still rely on SM's IDS to actually do the detections (hence the issues with outdated IP lists). There isn't much "breathing room" on configuration - you can regex anything together you want to scan for. We're set up so that when a hit is found, we block on the first occurrence based on what we scan for. Your mileage may vary, but at the very least it takes something from the SM logs and firewalls it. We use the base license for one server (personal, basically) and do not use the "extra features" -- if you have multiple servers to protect there are options for that.

No, I do not receive any endorsement. My naming of a product is solely by usage and utility.
MailEnable survivor / convert --
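The two posts above describe the same pipeline from both ends: Mark's log excerpt shows that SM records "Country code: XX" once per session and then still lets a blocked-country client send AUTH LOGIN, and J. LaDow's setup scans those log lines and hands the IP to the firewall on the first hit. The script below is an added illustration of that log-scanning step; it is not IPBan's code, SmarterMail's code, or anything posted in this thread. It assumes the SMTP log layout quoted above (date, time, [ip][session id], message) and treats AUTH and RCPT TO as the gated commands, as described in the thread. The sample log is constructed for the example: the four CN lines are the ones Mark quoted, the US and RU sessions and the 203.0.113.0/24 and 198.51.100.0/24 addresses are made up. The iptables command strings are only rendered, never executed, and stand in for whatever firewall the reader actually uses.

```python
import re
from collections import defaultdict

# Constructed sample in the SmarterMail SMTP log layout quoted in the thread.
# The first four lines are from the thread; the remaining sessions are made up.
SAMPLE_LOG = """\
[2024.01.17] 10:10:55.418 [59.46.193.187][47860066] Country code: CN
[2024.01.17] 10:10:58.093 [59.46.193.187][47860066] cmd: EHLO [59.46.193.187]
[2024.01.17] 10:10:59.425 [59.46.193.187][47860066] cmd: AUTH LOGIN
[2024.01.17] 10:11:00.780 [59.46.193.187][47860066] Authenticating as ..
[2024.01.17] 10:12:01.001 [203.0.113.10][47860070] Country code: US
[2024.01.17] 10:12:02.002 [203.0.113.10][47860070] cmd: EHLO mail.example.test
[2024.01.17] 10:12:03.003 [203.0.113.10][47860070] cmd: AUTH LOGIN
[2024.01.17] 10:13:10.100 [198.51.100.7][47860081] Country code: RU
[2024.01.17] 10:13:11.200 [198.51.100.7][47860081] cmd: EHLO [198.51.100.7]
[2024.01.17] 10:13:12.300 [198.51.100.7][47860081] cmd: RCPT TO:<someone@example.test>
"""

# One log line: [date] time [ip][session] message
LINE_RE = re.compile(
    r"^\[(?P<date>[\d.]+)\] (?P<time>[\d:.]+) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<msg>.*)$"
)

# Commands the country block gates, per the thread: AUTH and RCPT TO.
# A client from a blocked country that issues these is still "beating on"
# the server, which is what we want to catch and hand to the firewall.
GATED_CMDS = ("cmd: AUTH", "cmd: RCPT TO")


def parse_line(line):
    """Return (ip, session, msg) for a well-formed log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("session"), m.group("msg")


def find_abusers(log_text, blocked_countries, threshold=1):
    """Map IP -> count of gated commands sent from a blocked country.

    The country code is logged once per session at connect time, so it is
    remembered by session id and applied to the later command lines.
    threshold=1 mirrors the "block on the first occurrence" policy above.
    """
    session_country = {}
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:  # skip lines that do not match the layout
            continue
        ip, session, msg = parsed
        if msg.startswith("Country code: "):
            session_country[session] = msg[len("Country code: "):].strip()
            continue
        country = session_country.get(session)
        if country in blocked_countries and msg.startswith(GATED_CMDS):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def firewall_rules(abusers):
    """Render one DROP rule per offending IP (illustrative iptables syntax;
    substitute the rule format of whatever firewall you run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(abusers)]


if __name__ == "__main__":
    found = find_abusers(SAMPLE_LOG, {"CN", "RU"})
    for rule in firewall_rules(found):
        print(rule)
```

Run against the sample, the CN session is flagged because it sent AUTH LOGIN after SM logged its country, the RU session because it sent RCPT TO, and the US session is left alone. In a live setup the log would be tailed rather than read whole, and the rendered rules would be applied by the firewall automation of your choice; the correlation by session id is the part that matters, since the country line and the gated command never appear on the same log line.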
1
It would be great to collect a list for smartermail reported spam email.

So a reported domain/email goes on a central list for smartermail customers and everyone gets an updated list every hour like we have now.

That way we would get rid of spam very very quickly since we could block many things in the SMTP conversation alone before hitting the spam checks.
