1
how to block ranges of IPs for ISPs and countries
Question asked by Eric Bourland - 12/3/2014 at 4:45 AM
Answered
SmarterMail 13
 
Good morning.
 
Scarab posted a very useful comment about blocking IP addresses of particular countries and also particular IP ranges that belong to particular ISPs that tend to host large numbers of spammers.
 
http://portal.smartertools.com/Main/frmThread.aspx?threadid=833
 
That was a very helpful post but I am not sure how to follow up on it and thought I would start a new thread and get some ideas.
 
I would like to implement a few of these weights and see what effect that has on permanently blocking some spammers. But I am not sure how to:
 
1) derive IP address blocks for ISPs whom I would like to block
2) derive IP address blocks for countries whom I would like to block
 
For starters, I would like to block incoming mail from:
    Chile (CL)
    Bulgaria (BG)
    Romania (RO)
    Russia (RU)
    India (IN)
    Ukraine (UA)
    Malaysia (MY)
    Turkey (TR)
    Slovakia
    Czech Republic
    Serbia
    Croatia
    Hungary
    
I would also like to block incoming mail from some of these guys:
    Psychz Networks
    Krypt Technologies
    B2 Net Solutions Inc.
    Eonix Corporation
    Email Ocean
    Host Sailor Ltd
    Worldstream
    Toqen LLC
    Interactive 3D B.V.
    Limestone Networks, Inc.
 
I see the interface in SmarterMail 13 where I can block ranges of IP addresses: Security ---> Blacklist.
How can I derive correct values for IP ranges to block, for countries and for ISPs?
 
Thank you for your ideas.
 
Eric

20 Replies

Reply to Thread
1
Hany Sobhy Replied
days ago I needed to know some IP ranges for specific countries and used http://services.ce3c.be/ciprg/ to get list and double checked with other sites like http://www.ipdeny.com/ipblocks/
not sure if it's accurate or updated was just trying to find something
 
There are also
Block Visitors by Country Using Firewall :
http://www.ip2location.com/free/visitor-blocker
 
Block Country IP Ranges
http://incredibill.me/htaccess-block-country-ips
0
Eric Bourland Replied
Hany, thanks for this. I've been trying to use WHOIS and ARIN to get accurate IP ranges. I don't want to block IP ranges that should not be blocked.

I will work on this .... thanks again for your help.

Eric
0
Eric Bourland Replied
This program has proved helpful:
 
http://nirsoft.net/utils/ipnetinfo.html
 
Lately I am getting hit by a bunch of addresses from *.in.net. For example:
 
df7t.in.net
kpd8.in.net
hophember.in.net
cleonsigion.in.net
 
... and on and on, from a varying range of IP addresses. I wish there were a way to permanently block all mail from a given domain such as in.net.
2
Joe Wolf Replied
Marked As Answer
You can use geobl.spameatingmonkey.net RBL to accomplish this very easily.
 
http://spameatingmonkey.com/lists.html  Then check out the GEM-GEOBL list.  You do have to register with them, but you can create a single RBL test to block any country or countries you want.
 
-Joe
Thanks, -Joe
0
Eric Bourland Replied
Joe, thanks for that. I will try it out.
 
I am following this structure: <reversed ip>.b[block_list].[server id].geobl.spameatingmonkey.net
 
per http://spameatingmonkey.com/geobl/usage.html
 
Interesting. Looks like my config will be:
 
179.188.210.205.bae_al_ao_az_ba_bg_cn_cz_de_hr_hu_iq_ir_kg_kp_kr_lt_lv_md_mk_pk_ro_rs_tm_sk_si_ua.3453140147.geobl.spameatingmonkey.net
 
I will let you know what I find out. Thanks very much for this idea.
 
Eric
0
Joe Wolf Replied
I think you have the format incorrect... SmarterMail will prefix the IP Address. Here's an example of what we use under certain circumstances:
ng_pl_ro_ru_ua_vn_1234567890.geobl.spameatingmonkey.net

The middle number being our registration number so we can track the hits, etc., but you may be able to use it without registration. The above could be used for SMTP Blocking or assigning a spam weight to a message that originates from the countries you select. In our example we include Nigeria, Poland, Romania, Russia, Ukraine, and Vietnam.

Here's the list of country codes: http://spameatingmonkey.com/geobl/usage.html#countries

-Joe
Thanks, -Joe
0
Eric Bourland Replied
Joe, thank you. I will fix this. Eric
0
Eric Bourland Replied
Also I did register with SEM.
0
Tony Mazzullo Replied
How is this setup using the RBL wizard within Smartermail? I am a novice admin and read the info but am not sure how to use with the RBL setup within Smartermail
Thanks
0
Joe Wolf Replied
In SmarterMail select Security, Anitspam Administration, then click Add RBL. For the Name and Description you can use whatever you want to call it (we use Country Blocked). For Weight you have to decide what weight you want to apply to the message if it fails the test (the message comes from a country you want to block).

For Hostname it will be different depending on what countries you want to add spam weight or block. I posted the country code lists URL above. So the format for hostname would be the country or countries you want to block (separated by an underscore, then an underscore and your account number then .geobl.spameatingmonkey.net

Required Lookup Value is 127.0.0.2 and check the Enabled box. Then hit Save. Then you have to check the Enable for Filtering and/or SMTP Blocking just like every other RBL.

So, for example, if your account number at spameatingmonkey.net is 123456 and you want to block China and Vietnam the Hostname line would be: cn_vn_123456.geobl.spameatingmonkey.net

For additional countries you just add them to the beginning of the Hostname line. You can even block entire continents if you choose.

Hope this helps,
-Joe
Thanks, -Joe
0
Tony Mazzullo Replied
Thank you for clarifying Joe. This is a great community and I am glad to be learning so much from you all.
0
Eric Bourland Replied
I also get 0 connections when I look at my SEM user page: http://spameatingmonkey.com/geobl/userhome.html
 
The hostname I use is: ae_al_ao_az_ba_bg_by_cn_cz_de_hr_hu_iq_ir_kg_kp_kr_lt_lv_md_mk_ng_pk_pl_ro_rs_ru_tm_sk_si_ua_vn.3453140147.geobl.spameatingmonkey.net
 
Joe, I really appreciate the careful instructions you posted. I've also done a lot of reading in the Spam Eating Monkey site. Does this configuration look right to you, and do you ever get a value for connections other than zero when you view your statistics at SEM? SEM user page: http://spameatingmonkey.com/geobl/userhome.html

Thanks for your help. =)

Eric
 
0
Joe Wolf Replied
Looks OK to me. No, my statistics don't show online. If you're using it for SMTP Blocking then search your SMTP logs for the following string:

Mail rejected due to SMTP Spam Blocking:

You can then see what tests are most effective for your SMTP Blocking strategy.

If you're not using the test for SMTP Blocking then you'll have to search the Delivery log for the Name of the test and see if it's triggering.

-Joe
Thanks, -Joe
0
Eric Bourland Replied
Got it!

Thanks again, Joe.
0
Tony Mazzullo Replied
Mine was tested over the weekend and I found out something interesting in order to get it to work and publish stats to your profile page you need to have a b in the front.
My Hostname that has worked very well so far:
bafrica_antarctica_asia_europe_oceania_south-america.1213057430.geobl.spameatingmonkey.net
0
Eric Bourland Replied
Tony, thanks for that. I will try it out. Eric
0
Eric Bourland Replied
Blocking of countries seems to be working well. Thank you again to Joe and Tony and the other folks who have responded to this thread.
 
I am still getting hammered hard by spam from *.in.net:
 
dumarram.in.net
chinambe.in.net
nve9.in.net
urd9.in.net
cleonsigion.in.net
hophember.in.net
kpd8.in.net
df7t.in.net
ameryucke.in.net
nd3b.in.net
hourenry.in.net
fn3m.in.net
 
And these guys are spammers from within the US. Any ideas about how I can block these guys?
 
Thank you again for your help.
 
Eric
0
Tony Mazzullo Replied
Hows your stats looking Eric?
0
Tony Mazzullo Replied
I am seeing the same thing. Between the .eu domain emails and the in.net I am still getting hammered with spam. About to throw my hands up in the air and give up. Filtering spam should not be so time consuming and difficult.
0
Eric Bourland Replied
Hey Tony. I'm still getting hammered. Yep, it's in.net and .eu. I've paid (I believe) careful attention to the antispam methods recommended by SmarterTools and by very helpful discussions on this community board. I've fine-tuned SmarterMail 13.1 like it's an antique sports car. I'm still getting bombed like it's London, 1940. Not sure what else to do. Looking at other options besides SmarterMail. =( Good luck. Let me know if you learn anything. E

Reply to Thread