how to block ranges of IPs for ISPs and countries

Question asked by Eric Bourland - 12/3/2014 at 4:45 AM

Answered

SmarterMail 13

Good morning.

Scarab posted a very useful comment about blocking IP addresses of particular countries and also particular IP ranges that belong to particular ISPs that tend to host large numbers of spammers.

http://portal.smartertools.com/Main/frmThread.aspx?threadid=833

That was a very helpful post but I am not sure how to follow up on it and thought I would start a new thread and get some ideas.

I would like to implement a few of these weights and see what effect that has on permanently blocking some spammers. But I am not sure how to:

1) derive IP address blocks for ISPs whom I would like to block
2) derive IP address blocks for countries whom I would like to block

For starters, I would like to block incoming mail from:

    Chile (CL)
    Bulgaria (BG)
    Romania (RO)
    Russia (RU)
    India (IN)
    Ukraine (UA)
    Malaysia (MY)
    Turkey (TR)
    Slovakia
    Czech Republic
    Serbia
    Croatia
    Hungary

I would also like to block incoming mail from some of these guys:

    Psychz Networks
    Krypt Technologies
    B2 Net Solutions Inc.
    Eonix Corporation
    Email Ocean
    Host Sailor Ltd
    Worldstream
    Toqen LLC
    Interactive 3D B.V.
    Limestone Networks, Inc.

I see the interface in SmarterMail 13 where I can block ranges of IP addresses: Security ---> Blacklist.

How can I derive correct values for IP ranges to block, for countries and for ISPs?

Thank you for your ideas.

Eric

20 Replies

Reply to Thread

Hany Sobhy Replied

12/3/2014 at 9:55 AM

days ago I needed to know some IP ranges for specific countries and used http://services.ce3c.be/ciprg/ to get list and double checked with other sites like http://www.ipdeny.com/ipblocks/

not sure if it's accurate or updated was just trying to find something

There are also

Block Visitors by Country Using Firewall :

http://www.ip2location.com/free/visitor-blocker

Block Country IP Ranges

http://incredibill.me/htaccess-block-country-ips

Eric Bourland Replied

12/4/2014 at 12:02 PM

Hany, thanks for this. I've been trying to use WHOIS and ARIN to get accurate IP ranges. I don't want to block IP ranges that should not be blocked.

I will work on this .... thanks again for your help.

Eric

Eric Bourland Replied

12/4/2014 at 3:07 PM

This program has proved helpful:

http://nirsoft.net/utils/ipnetinfo.html

Lately I am getting hit by a bunch of addresses from *.in.net. For example:

df7t.in.net

kpd8.in.net

hophember.in.net

cleonsigion.in.net

... and on and on, from a varying range of IP addresses. I wish there were a way to permanently block all mail from a given domain such as in.net.

Joe Wolf Replied

12/4/2014 at 6:39 PM

Marked As Answer

You can use geobl.spameatingmonkey.net RBL to accomplish this very easily.

http://spameatingmonkey.com/lists.html Then check out the GEM-GEOBL list. You do have to register with them, but you can create a single RBL test to block any country or countries you want.

-Joe

Thanks, -Joe

Eric Bourland Replied

12/5/2014 at 4:59 AM

Joe, thanks for that. I will try it out.

I am following this structure: <reversed ip>.b[block_list].[server id].geobl.spameatingmonkey.net

per http://spameatingmonkey.com/geobl/usage.html

Interesting. Looks like my config will be:

179.188.210.205.bae_al_ao_az_ba_bg_cn_cz_de_hr_hu_iq_ir_kg_kp_kr_lt_lv_md_mk_pk_ro_rs_tm_sk_si_ua.3453140147.geobl.spameatingmonkey.net

I will let you know what I find out. Thanks very much for this idea.

Eric

Joe Wolf Replied

12/5/2014 at 7:09 AM

I think you have the format incorrect... SmarterMail will prefix the IP Address. Here's an example of what we use under certain circumstances:
ng_pl_ro_ru_ua_vn_1234567890.geobl.spameatingmonkey.net

The middle number being our registration number so we can track the hits, etc., but you may be able to use it without registration. The above could be used for SMTP Blocking or assigning a spam weight to a message that originates from the countries you select. In our example we include Nigeria, Poland, Romania, Russia, Ukraine, and Vietnam.

Here's the list of country codes: http://spameatingmonkey.com/geobl/usage.html#countries

-Joe

Thanks, -Joe

Eric Bourland Replied

12/5/2014 at 7:11 AM

Joe, thank you. I will fix this. Eric

Eric Bourland Replied

12/5/2014 at 7:12 AM

Also I did register with SEM.

Tony Mazzullo Replied

12/5/2014 at 12:52 PM

How is this setup using the RBL wizard within Smartermail? I am a novice admin and read the info but am not sure how to use with the RBL setup within Smartermail
Thanks

Joe Wolf Replied

12/5/2014 at 1:11 PM

In SmarterMail select Security, Anitspam Administration, then click Add RBL. For the Name and Description you can use whatever you want to call it (we use Country Blocked). For Weight you have to decide what weight you want to apply to the message if it fails the test (the message comes from a country you want to block).

For Hostname it will be different depending on what countries you want to add spam weight or block. I posted the country code lists URL above. So the format for hostname would be the country or countries you want to block (separated by an underscore, then an underscore and your account number then .geobl.spameatingmonkey.net

Required Lookup Value is 127.0.0.2 and check the Enabled box. Then hit Save. Then you have to check the Enable for Filtering and/or SMTP Blocking just like every other RBL.

So, for example, if your account number at spameatingmonkey.net is 123456 and you want to block China and Vietnam the Hostname line would be: cn_vn_123456.geobl.spameatingmonkey.net

For additional countries you just add them to the beginning of the Hostname line. You can even block entire continents if you choose.

Hope this helps,
-Joe

Thanks, -Joe

Tony Mazzullo Replied

12/5/2014 at 1:20 PM

Thank you for clarifying Joe. This is a great community and I am glad to be learning so much from you all.

Eric Bourland Replied

12/6/2014 at 8:41 AM

I also get 0 connections when I look at my SEM user page: http://spameatingmonkey.com/geobl/userhome.html

The hostname I use is: ae_al_ao_az_ba_bg_by_cn_cz_de_hr_hu_iq_ir_kg_kp_kr_lt_lv_md_mk_ng_pk_pl_ro_rs_ru_tm_sk_si_ua_vn.3453140147.geobl.spameatingmonkey.net

Joe, I really appreciate the careful instructions you posted. I've also done a lot of reading in the Spam Eating Monkey site. Does this configuration look right to you, and do you ever get a value for connections other than zero when you view your statistics at SEM? SEM user page: http://spameatingmonkey.com/geobl/userhome.html

Thanks for your help. =)

Eric

Joe Wolf Replied

12/6/2014 at 2:29 PM

Looks OK to me. No, my statistics don't show online. If you're using it for SMTP Blocking then search your SMTP logs for the following string:

Mail rejected due to SMTP Spam Blocking:

You can then see what tests are most effective for your SMTP Blocking strategy.

If you're not using the test for SMTP Blocking then you'll have to search the Delivery log for the Name of the test and see if it's triggering.

-Joe

Thanks, -Joe

Eric Bourland Replied

12/6/2014 at 3:15 PM

Got it!

Thanks again, Joe.

Tony Mazzullo Replied

12/8/2014 at 6:38 AM

Mine was tested over the weekend and I found out something interesting in order to get it to work and publish stats to your profile page you need to have a b in the front.
My Hostname that has worked very well so far:
bafrica_antarctica_asia_europe_oceania_south-america.1213057430.geobl.spameatingmonkey.net

Eric Bourland Replied

12/8/2014 at 9:25 AM

Tony, thanks for that. I will try it out. Eric

Eric Bourland Replied

12/9/2014 at 6:16 AM

Blocking of countries seems to be working well. Thank you again to Joe and Tony and the other folks who have responded to this thread.

I am still getting hammered hard by spam from *.in.net:

dumarram.in.net
chinambe.in.net
nve9.in.net
urd9.in.net
cleonsigion.in.net
hophember.in.net
kpd8.in.net
df7t.in.net
ameryucke.in.net
nd3b.in.net
hourenry.in.net
fn3m.in.net

And these guys are spammers from within the US. Any ideas about how I can block these guys?

Thank you again for your help.

Eric

Tony Mazzullo Replied

12/17/2014 at 11:49 AM

Hows your stats looking Eric?

Tony Mazzullo Replied

12/17/2014 at 11:51 AM

I am seeing the same thing. Between the .eu domain emails and the in.net I am still getting hammered with spam. About to throw my hands up in the air and give up. Filtering spam should not be so time consuming and difficult.

Eric Bourland Replied

12/17/2014 at 12:04 PM

Hey Tony. I'm still getting hammered. Yep, it's in.net and .eu. I've paid (I believe) careful attention to the antispam methods recommended by SmarterTools and by very helpful discussions on this community board. I've fine-tuned SmarterMail 13.1 like it's an antique sports car. I'm still getting bombed like it's London, 1940. Not sure what else to do. Looking at other options besides SmarterMail. =( Good luck. Let me know if you learn anything. E

Back to Community Threads

Please leave this box unchecked

20 Replies

Reply to Thread

Tags

Related Knowledge Base Articles