Re: [exim] Using GeoIP to block spammers - anyone?

Author: Chris Lightfoot
Date:  
To: Odhiambo G. Washington, exim-users
Subject: Re: [exim] Using GeoIP to block spammers - anyone?
On Fri, Jun 23, 2006 at 07:21:07PM +0300, Odhiambo G. Washington wrote:
> * On 22/06/06 19:10 +0100, Chris Lightfoot wrote:
> | On Thu, Jun 22, 2006 at 08:37:01PM +0300, Odhiambo G. Washington wrote:
> | > Hello pple,
> | > 
> | > I have have a server which is where all deliveries are done. This server 
> | > is not advertised "anymore" in DNS, but spammers are still sending to 
> | > it in defiance of my TTL from DNS configuration.
> | > I know that most of my clients who use this server are located within
> | > my country (damn Kenya!).
> | > 
> | > I now want to block all connections to this server which originate 
> | > outside my country.
> | > 
> | > I have hit google hard and found two projects that were geared towards
> | > introducing the complexities (yes) of using GeoIP within Exim.
> | > 
> | > http://botanicus.net/dw/exim-python/exim-4.60py1.html
> | > http://pookey.co.uk/exim-geoip.xml
> | > 
> | > One seems recent enough, but both seem like they are un-maintained.
> | > I am running Exim 4.62 on all my servers.
> | > 
> | > Is there anyone out there using another variant of GeoIP blocking with 
> | > Exim that they'd be willing to share with the community (me ;))?
> | 
> | this strikes me as a really bad idea, but as with many
> | really bad ideas, it's trivial to implement in perl. grab
> | the Geo::IP perl module, and then put
> | 
> |     use Geo::IP;
> | 
> |     sub get_country_code_from_ip ($) {
> |         my $ip = shift;
> |         our $geoip;
> |         $geoip ||= new Geo::IP(GEOIP_STANDARD);
> |         return $geoip->country_code_by_addr($ip);
> |     }
> | 
> | in your startup perl module, then use,
> | 
> |     ${perl{get_country_code_from_ip}{$sender_host_address}}
> | 
> | to obtain the country code in a string expansion.

> How bad an idea is it, Chris?

three completely general issues -- firstly, be suspicious
of any IP-address-based anti-spam scheme; secondly,
IP-to-country data are notoriously inaccurate (do you want
to have to deal with the support calls?); thirdly, this is
a big database of stuff under somebody else's control, so
if it produces the `wrong' answer fixing it is a problem.

I don't think I fully understand the situation you've
described, though -- you have some machine which is a
message-submission SMTP server, which is no longer
advertised in DNS, but which certain of your customers are
still using (presumably having recorded its literal IP
address)? What would be wrong with one of the following:

  - refuse all connections with an explanatory error
    message (``this machine is now out of service, change
    the SMTP server setting in your software to
    new.name.of.machine'');

  - forward traffic from the old to the new IP; or

  - try to contact all the legitimate users based on the
    logged senders, then do the first.
But I don't understand why this is a spam problem? Does
the machine accept both outgoing (submission) connections
from your customers and incoming (delivery) connections
from the spammers? If so, and if the machine is no longer
listed in DNS as an incoming relay, why not just use an
ACL to prohibit any relaying from external IPs?

I've clearly missed something here, since I don't
understand what IP-to-country mapping has to do with it.

--
``Because that's where the money is.''
(Willie Sutton, explaining why he robbed banks)
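Worked configuration, added here as an illustration and not part of the thread: how the pieces discussed above fit into an Exim 4 configuration. It assumes the Perl snippet from the quoted reply has been saved as /etc/exim/geoip.pl (a path chosen for this example), that Exim was built with Perl support (EXIM_PERL in Local/Makefile), that the customer address ranges in relay_from_hosts and the domain in local_domains are placeholders you replace with your own, and that new.name.of.machine stands for the replacement server as in the message. Three ACLs are shown, one per suggestion in the reply; only one connect ACL can be active at a time, selected by acl_smtp_connect.

```exim
# ---- main configuration section ----

# Loads the get_country_code_from_ip() sub from the quoted reply.
# Requires an Exim binary built with EXIM_PERL; path is an assumption.
perl_startup = do '/etc/exim/geoip.pl'

# Hypothetical placeholders: your customers' ranges and your own domain(s).
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24 : 198.51.100.0/24
domainlist local_domains    = example.co.ke

# Pick ONE of the two connect ACLs below. acl_check_retire is the
# "take the old machine out of service" option; acl_check_geoip is
# the country-based block the original poster asked about.
acl_smtp_connect = acl_check_retire
acl_smtp_rcpt    = acl_check_rcpt

begin acl

# Option 1: refuse every connection that is not from a known customer
# and say why. A 'deny' in the connect ACL is answered with a 554 and
# this text before the client even sends HELO, so users who read the
# bounce know exactly what to change.
acl_check_retire:
  deny    hosts   = !+relay_from_hosts
          message = This machine is out of service; change the SMTP server \
                    setting in your software to new.name.of.machine
  accept

# Option 2: GeoIP. The ${perl{...}} expansion calls the startup module
# with the connecting host's address ($sender_host_address is the
# variable Exim sets for the remote peer in ACLs). Geo::IP returns an
# empty string when the address is not in its database; the test below
# therefore fails closed (unknown == not KE). Swap the condition to
# an explicit "eq{..}{KE} or empty" test if you would rather fail open.
acl_check_geoip:
  deny    !condition = ${if eq{${perl{get_country_code_from_ip}{$sender_host_address}}}{KE}}
          message    = Connections from outside Kenya are not accepted on this host
  accept

# Option 3: the relay-ACL answer from the reply. Whatever country the
# spammer is in, a host that is neither a customer nor delivering to
# a domain you host gets "relay not permitted", so connecting to the
# unadvertised IP gains them nothing.
acl_check_rcpt:
  accept  hosts   = +relay_from_hosts
  accept  domains = +local_domains
  deny    message = relay not permitted
```

Before switching acl_smtp_connect to acl_check_geoip, check what the lookup actually returns for a few known customer addresses with `exim -be '${perl{get_country_code_from_ip}{203.0.113.7}}'` (address is a placeholder); an empty result means the GeoIP database is missing or stale, and with the fail-closed condition above that would lock out every customer, which is exactly the support-call problem the reply warns about.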