1
SMTP - country of origin, how do you do that?
Question asked by Curtis Kropar www.HawaiianHope.org - 10/22/2024 at 3:15 AM
Unanswered
In the SMTP logs, I now see "Country Code : " - I never took notice of this before.
1) When was this put in?
2) SmarterPeeps... HOW do you accomplish that? What tool are you using to generate this? Is this something you built, or is this a tool available to the public?

We have pfBlockerNG on our firewall with GeoIP blocking, and even though we have piles of countries blocked (CN, NL, TR, RU), you can see they are still getting through. BUT your SMTP here is properly identifying them.

I want some way to accurately block inbound traffic from a variety of places at our firewall level. I see this and now think I can export a report to Excel and run some queries to pull out IPs from countries I want to block, but I am wondering if we can just integrate that tool directly with our firewall instead of me doing a song-and-dance workaround.

[2024.10.22] 00:10:00.833 [45.148.10.50][52383233] Country code: NL
[2024.10.22] 00:10:37.056 [45.148.10.50][20258366] Country code: NL
[2024.10.22] 00:13:05.243 [220.246.43.233][61278381] Country code: HK
[2024.10.22] 00:13:19.294 [178.70.243.35][54515413] Country code: RU
[2024.10.22] 00:13:56.060 [114.251.109.35][54996657] Country code: CN
[2024.10.22] 00:14:06.629 [87.120.218.157][11094627] Country code: IT
[2024.10.22] 00:14:09.054 [223.82.241.89][57627059] Country code: CN
[2024.10.22] 00:14:16.627 [78.154.31.59][32237079] Country code: BG
[2024.10.22] 00:14:54.550 [116.114.84.170][59080338] Country code: CN
[2024.10.22] 00:15:05.037 [5.11.164.165][62718108] Country code: TR
[2024.10.22] 00:16:54.490 [65.20.205.197][54067822] Country code: IQ
[2024.10.22] 00:17:01.872 [180.168.119.2][43875323] Country code: CN
[2024.10.22] 00:17:07.424 [82.19.12.103][50121484] Country code: GB
[2024.10.22] 00:17:14.049 [121.138.168.221][2614807] Country code: KR
[2024.10.22] 00:17:30.109 [121.202.201.109][43792550] Country code: HK

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
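An added example, not code from the original post or from SmarterMail or pfBlockerNG: the "export to Excel and query" step done as a small script instead. It parses the "Country code:" lines exactly as quoted above (the sample input below is those lines copied from the post), counts connections per country, and emits the distinct client IPs from a chosen set of countries as a one-address-per-line list that a pf table or a pfBlockerNG custom list can consume. The regular expression is an assumption about the log format based only on the lines shown; check it against a full log before trusting it.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Sample input: the "Country code:" lines quoted in the post above.
SAMPLE_LOG = """\
[2024.10.22] 00:10:00.833 [45.148.10.50][52383233] Country code: NL
[2024.10.22] 00:10:37.056 [45.148.10.50][20258366] Country code: NL
[2024.10.22] 00:13:05.243 [220.246.43.233][61278381] Country code: HK
[2024.10.22] 00:13:19.294 [178.70.243.35][54515413] Country code: RU
[2024.10.22] 00:13:56.060 [114.251.109.35][54996657] Country code: CN
[2024.10.22] 00:14:06.629 [87.120.218.157][11094627] Country code: IT
[2024.10.22] 00:14:09.054 [223.82.241.89][57627059] Country code: CN
[2024.10.22] 00:14:16.627 [78.154.31.59][32237079] Country code: BG
[2024.10.22] 00:14:54.550 [116.114.84.170][59080338] Country code: CN
[2024.10.22] 00:15:05.037 [5.11.164.165][62718108] Country code: TR
[2024.10.22] 00:16:54.490 [65.20.205.197][54067822] Country code: IQ
[2024.10.22] 00:17:01.872 [180.168.119.2][43875323] Country code: CN
[2024.10.22] 00:17:07.424 [82.19.12.103][50121484] Country code: GB
[2024.10.22] 00:17:14.049 [121.138.168.221][2614807] Country code: KR
[2024.10.22] 00:17:30.109 [121.202.201.109][43792550] Country code: HK
"""

# Assumed line shape: [date] time [client-ip][session-id] Country code: XX
# Derived only from the lines above; verify against your own SMTP log.
LINE_RE = re.compile(
    r"^\[(?P<date>[\d.]+)\]\s+(?P<time>[\d:.]+)\s+"
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\]\s+Country code:\s*(?P<cc>[A-Z]{2})\s*$"
)


def parse_country_lines(text):
    """Yield (ip, country_code) for each well-formed line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m.group("ip"))  # rejects anything that is not a literal IP
        except ValueError:
            continue                        # never push garbage into a firewall table
        yield str(ip), m.group("cc")


def connection_counts(text):
    """Connections per country code (one per log line, not per unique IP)."""
    return Counter(cc for _, cc in parse_country_lines(text))


def ips_by_country(text):
    """Country code -> set of distinct client IPs."""
    out = defaultdict(set)
    for ip, cc in parse_country_lines(text):
        out[cc].add(ip)
    return dict(out)


def blocklist(text, blocked_countries):
    """Distinct IPs seen from the blocked countries, sorted numerically."""
    by_cc = ips_by_country(text)
    ips = set()
    for cc in blocked_countries:
        ips |= by_cc.get(cc, set())
    # v4 before v6, then numeric order; plain string sorting would put 5.x after 45.x
    return sorted(ips, key=lambda s: (ip_address(s).version, ip_address(s)))


def render_table(ips):
    """One address per line with a trailing newline: the format pf's
    'table <name> persist file "..."' and a pfBlockerNG custom list accept."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    blocked = {"CN", "NL", "TR", "RU"}   # the countries named in the post
    print(connection_counts(SAMPLE_LOG).most_common())
    print(render_table(blocklist(SAMPLE_LOG, blocked)), end="")
```

Feed the whole log in and write the rendered table to a file; on pfSense you would paste it into an alias or a pfBlockerNG IPv4 custom list rather than editing pf.conf by hand, and on a plain pf host the file backs a `table <name> persist file` entry used by a `block in quick ... proto tcp from <name> to any port 25` rule. Note what this does and does not do: it is reactive, so it only ever contains addresses that already reached the mail server, and it blocks those addresses, not their countries.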

17 Replies

0
Pfsense with pfblockerNG is what you want.
0
Brian, that is what we already have. I have Africa blocked, Europe blocked, Asia blocked. Stuff is still getting through, unless I have something set up wrong, but some stuff seems blocked and other stuff not.

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
J. LaDow Replied
SmarterMail uses a static database that gets updated (hopefully) whenever SM is updated.  That is where the country code lookups are coming from.  I'm almost positive the databases are from MaxMind - but not sure what the "manual update" procedure would be as we skipped all that entirely with our own IDS solution.

In the past, we have seen many inconsistencies in the IP space between SM and our outside providers - mainly because assignments are always changing.  

We use DigitalRuby IPBan Pro to handle our geo blocking and log scanning blocks and ipinfo.io for updated GeoIP information data.
MailEnable survivor / convert --
1
It's the SMTP servers that you need to find and block. They can easily use an SMTP server in a non-blocked country.
1
Ray Burd Replied
Employee Post
Hello,
J LaDow is correct, we use MaxMind for our Geo IP database. You should be able to integrate the MaxMind database (typically in .mdb format). You may need to create an account with MaxMind to download the GeoLite2 database, but you should then be able to log in to your pfSense web interface and go to Diagnostics > Command Prompt. You can use scp or sftp to transfer the database file to /usr/local/share/GeoIP/. Then it should just be a matter of switching the database used under Firewall > pfBlockerNG > GeoIP: under GeoIP Settings, make sure it's pointing to the new database.
Ray Burd System/Network Administrator SmarterTools Inc. www.smartertools.com
1
Hi all. Thanks, but pfBlockerNG uses MaxMind. We had to set up an account on their service to use pfBlockerNG. Let me look into this more.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
J. LaDow Replied
If you're already using MaxMind and there is "location difference" between the IP space -- then the reasonable cause is that the two databases are different and one is newer.  I don't know how often SM pulls fresh databases from MaxMind but I would at least hope they are included in each installer.  Even at that rate - you're limited to whenever you update SM - while the IP space changes daily.

I would check the frequency at which your pfBlockerNG pulls updated databases, because it will most likely be much more often than you update your SM install.

GeoIP data should have a separate update feature that runs more often than server installs. ClamAV at least does this much (but its update mechanism is self-managed, not by SM).

If it was me, I'd be looking into how I could automatically pull the DBs from your MaxMind account and drop in SM since you have one.
MailEnable survivor / convert --
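An added example, not code from this thread or from SmarterMail, pfBlockerNG or MaxMind, of the check the reply above describes: putting the mail server's country codes next to the firewall's own GeoIP answer for the same addresses and listing where they differ. The (ip, country) pairs are taken from the log quoted at the top of the thread; the firewall's database is a constructed stand-in, a handful of invented prefix-to-country entries with deliberate gaps and disagreements so the mechanics are visible. Those entries say nothing about where the prefixes really are. `firewall_lookup` is the one function to replace with a real reader.

```python
from ipaddress import ip_address, ip_network

# (client ip, country code) pairs as reported by the mail server, taken from
# the SMTP log lines quoted at the top of the thread.
SM_OBSERVATIONS = [
    ("45.148.10.50", "NL"), ("220.246.43.233", "HK"), ("178.70.243.35", "RU"),
    ("114.251.109.35", "CN"), ("87.120.218.157", "IT"), ("223.82.241.89", "CN"),
    ("78.154.31.59", "BG"), ("116.114.84.170", "CN"), ("5.11.164.165", "TR"),
    ("65.20.205.197", "IQ"), ("180.168.119.2", "CN"), ("82.19.12.103", "GB"),
    ("121.138.168.221", "KR"), ("121.202.201.109", "HK"),
]

# CONSTRUCTED stand-in for the firewall's (older) GeoIP database. The
# assignments are invented for illustration: one is made to disagree with the
# mail server (116.114.0.0/16), three observed IPs are left unknown on purpose
# (223.82.241.89, 78.154.31.59, 65.20.205.197), and 121.0.0.0/8 overlaps two
# more specific entries so that longest-prefix matching matters.
FIREWALL_GEO = [
    (ip_network("45.148.10.0/24"), "NL"),
    (ip_network("178.70.0.0/16"), "RU"),
    (ip_network("114.251.0.0/16"), "CN"),
    (ip_network("116.114.0.0/16"), "HK"),
    (ip_network("5.11.160.0/21"), "TR"),
    (ip_network("180.168.0.0/16"), "CN"),
    (ip_network("220.246.0.0/16"), "HK"),
    (ip_network("87.120.218.0/24"), "IT"),
    (ip_network("82.19.0.0/16"), "GB"),
    (ip_network("121.0.0.0/8"), "CN"),
    (ip_network("121.138.0.0/16"), "KR"),
    (ip_network("121.202.0.0/16"), "HK"),
]


def firewall_lookup(ip_str):
    """Longest-prefix match over FIREWALL_GEO; None when no prefix covers the IP.
    For a real check, replace the body with a MaxMind reader, e.g.
    maxminddb.open_database(path).get(ip) and take ["country"]["iso_code"]
    from the returned record (None when the record is missing)."""
    ip = ip_address(ip_str)
    best_net, best_cc = None, None
    for net, cc in FIREWALL_GEO:
        # `in` is False for a v6 address against a v4 network, so mixed data is safe
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_cc = net, cc
    return best_cc


def disagreements(observations, lookup):
    """(ip, mailserver_cc, firewall_cc) for every distinct IP where the two differ."""
    first_seen = {}
    for ip, cc in observations:
        first_seen.setdefault(ip, cc)       # one row per IP, first country wins
    out = []
    for ip, cc in first_seen.items():
        fw = lookup(ip)
        if fw != cc:
            out.append((ip, cc, fw))
    return out


def leaks(observations, lookup, blocked):
    """IPs the mail server attributes to a blocked country that the firewall's
    own data would NOT block: the connections that 'still get through'."""
    return [(ip, sm, fw) for ip, sm, fw in disagreements(observations, lookup)
            if sm in blocked and fw not in blocked]


if __name__ == "__main__":
    blocked = {"CN", "NL", "TR", "RU"}
    for row in disagreements(SM_OBSERVATIONS, firewall_lookup):
        print("mismatch", *row)
    for row in leaks(SM_OBSERVATIONS, firewall_lookup, blocked):
        print("LEAK    ", *row)
```

The leak list is the one to act on: each entry is an address the mail server already labels as a blocked country while the firewall's data maps it elsewhere or not at all, so either the firewall's GeoIP data is older than the mail server's or the two products disagree on that prefix. A mismatch where neither side is in the blocked set is just noise for this purpose.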
1
Hey J.
Sorry, I may have presented that backwards. SM seems to be more accurate than our firewall. It identifies things that our firewall seems to miss. But I will check into this.
Anyone from SmarterTools can shed some light ?
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
1
Tony Scholz Replied
Employee Post
Hello, 

Correct, we do use MaxMind, and the database should be upgraded with each build. This is compiled into a GeoIP.dat file that gets installed when the installer is run.

Here is a demo page that you can use to see what the current MaxMind DB returns 

Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
3
We need a feature to run an update to that list every x hours.

In pfSense we use cron to run an update every 3 hours.
0
Jay Dubb Replied
We would like the ability to block inbound SMTP by country, too.  We have some spam honeypots and review the IPs where the prolific junk comes from, and we've seen a disproportionate amount recently from IP space in Eastern EU and the Middle East. Manually adding offenders to the SM blacklist is tedious, narrow focused, and is constant whack-a-mole.  It would sure be nice to have the option of letting Smartermail block inbound SMTP by country.
 
0
Jay, what build are you running? It is actually already in there.
Log in as system admin, go to settings, general and then you find it in the very bottom right corner.  
We have blocking set up on our pfSense firewall too, but it seems to miss a lot of stuff that SM then catches. I am trying to make our firewall have better success.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
J. LaDow Replied
I believe he's talking about Inbound SMTP mail, not users -- not "authorized SMTP" connections for users to send out on.

SM doesn't have a feature to block inbound SMTP by country.  You have to resort to an external firewall that supports country blocking.  That's what we use in the products I've mentioned in other threads - and where our issues came up that we were seeing the GeoIP database doesn't have internal updates feature - it only updates when SM does, not in the fashion that say ClamAV does (where it updates itself).
MailEnable survivor / convert --
1
Jay Dubb Replied
J. LaDow is correct-- I was referring to inbound SMTP delivery from the world, not authentication using credentials.  We want the ability to block <hostile-country> without having to dig manually for all the IP spaces associated with that country.
 
1
A very nice way to do it, would be to block AS numbers....

That way the IP isn't really that important, and it would block IPv6 as well.
1
Ok, Wait. I just looked at that again.
So, that blocking that I pointed out does not block inbound emails at all? I see NOW that it says authentication. But I thought this blocked all SMTP traffic? So it skips inbound emails and only looks at attempts to log in and authenticate as an actual user? Am I now understanding that properly?
If so, that sounds kind of half-assed.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
J. LaDow Replied
That's exactly how it works.  

The only way to get AS blocking (which is one of the methods we use) or true country blocking on ALL aspects is via external solution.

MailEnable survivor / convert --
