Re: [exim] Using GeoIP to block spammers - anyone?

Author: Odhiambo G. Washington
Date:
To: exim-users
Subject: Re: [exim] Using GeoIP to block spammers - anyone?
* On 22/06/06 19:10 +0100, Chris Lightfoot wrote:
| On Thu, Jun 22, 2006 at 08:37:01PM +0300, Odhiambo G. Washington wrote:
| > Hello pple,
| > 
| > I have a server which is where all deliveries are done. This server 
| > is not advertised "anymore" in DNS, but spammers are still sending to 
| > it in defiance of my TTL from DNS configuration.
| > I know that most of my clients who use this server are located within
| > my country (damn Kenya!).
| > 
| > I now want to block all connections to this server which originate 
| > outside my country.
| > 
| > I have hit google hard and found two projects that were geared towards
| > introducing the complexities (yes) of using GeoIP within Exim.
| > 
| > http://botanicus.net/dw/exim-python/exim-4.60py1.html
| > http://pookey.co.uk/exim-geoip.xml
| > 
| > One seems recent enough, but both seem like they are un-maintained.
| > I am running Exim 4.62 on all my servers.
| > 
| > Is there anyone out there using another variant of GeoIP blocking with 
| > Exim that they'd be willing to share with the community (me ;))?
| 
| this strikes me as a really bad idea, but as with many
| really bad ideas, it's trivial to implement in perl. grab
| the Geo::IP perl module, and then put
| 
|     use Geo::IP;
| 
|     sub get_country_code_from_ip ($) {
|         my $ip = shift;
|         our $geoip;
|         $geoip ||= new Geo::IP(GEOIP_STANDARD);
|         return $geoip->country_code_by_addr($ip);
|     }
| 
| in your startup perl module, then use,
| 
|     ${perl{get_country_code_from_ip}{$host_address}}
| 
| to obtain the country code in a string expansion.


Hello List,

Following up on the above suggestion, there is this other option that
seems closer to what I want.

Somewhere in acl_smtp_rcpt, I have this rule:

warn message           = X-GeoIP-Location: $dnslist_text
     !sender_domains   = +local_domains : +special_domains : +domainplus2_domains
     !hosts            = +relay_from_hosts
     dnslists          = country-rirdata.dnsiplists.completewhois.com
     log_message       = GeoIP: $sender_host_address is from $dnslist_text.


... and it produces the output snippet included below.

From the snippet output, you will see just what goes into the mainlog
from the "log_message" option. There are a few countries in the snippet,
but what I'd like assistance with is a regexp that will match either
the output regarding Kenya alone, or will match everything else that
is NOT from Kenya...

Not a long shot for an old hand like you, no?

I can then use such a rule:

deny message = please deliver mail by respecting MX data
     !hosts  = +relay_from_hosts
     !sender_domains = blah : blah
     dnslists = country-rirdata.dnsiplists.completewhois.com
     condition = REGEXP HERE


The regexp should be something along the lines of (!match "is from KE - Kenya").

I'd like to know the dangers of this approach. Let's look at it from
Chris' perspective: "this strikes me as a really bad idea, but as with
many it's trivial to implement in perl", only this time, pcre, and
NOT perl, is involved ;)

Thanks for all your time.

Here is the snippet:

<snip>

2006-06-24 13:21:21 H=choiros.elon.edu [152.33.34.20] I=[62.8.64.4]:25 Warning: GeoIP: 152.33.34.20 is from US - United States.
2006-06-24 13:21:34 H=libby.asmallorange.com [207.210.105.40] I=[62.8.64.4]:25 Warning: GeoIP: 207.210.105.40 is from US - United States.
2006-06-24 13:21:40 H=web31210.mail.mud.yahoo.com [68.142.200.227] I=[62.8.64.4]:25 Warning: GeoIP: 68.142.200.227 is from US - United States.
2006-06-24 13:21:44 H=smtp17.wxs.nl [195.121.247.8] I=[62.8.64.4]:25 Warning: GeoIP: 195.121.247.8 is from NL - Netherlands.
2006-06-24 13:21:44 H=mail2.californiapsychicsemail.com (mail4) [63.236.1.34] I=[62.8.64.4]:25 Warning: GeoIP: 63.236.1.34 is from US - United States.
2006-06-24 13:21:48 H=smtp2.adhost.com [216.211.128.4] I=[62.8.64.4]:25 Warning: GeoIP: 216.211.128.4 is from US - United States.
2006-06-24 13:21:50 H=ca.51.5746.static.theplanet.com (C20525_32582) [70.87.81.202] I=[62.8.64.4]:25 Warning: GeoIP: 70.87.81.202 is from US - United States.
2006-06-24 13:21:51 H=smtp.nrb.simbanet.co.ke [80.247.158.70] I=[62.8.64.4]:25 Warning: GeoIP: 80.247.158.70 is from NL - Netherlands.
2006-06-24 13:21:53 H=mx1.africaonline.co.ke (mlinzi.africaonline.co.ke) [195.202.85.139] I=[62.8.64.4]:25 Warning: GeoIP: 195.202.85.139 is from KE - Kenya.
2006-06-24 13:21:53 H=alias.mail.uk.easynet.net [212.135.1.64] I=[62.8.64.4]:25 Warning: GeoIP: 212.135.1.64 is from UK - United Kingdom.
2006-06-24 13:22:21 H=lon-gs1dmrelay.mistral.net [217.154.131.9] I=[62.8.64.4]:25 Warning: GeoIP: 217.154.131.9 is from UK - United Kingdom.
2006-06-24 13:22:22 H=web33613.mail.mud.yahoo.com [68.142.199.245] I=[62.8.64.4]:25 Warning: GeoIP: 68.142.199.245 is from US - United States.
2006-06-24 13:22:26 H=mx3.extmarketing.com [209.51.174.146] I=[62.8.64.4]:25 Warning: GeoIP: 209.51.174.146 is from US - United States.
2006-06-24 13:22:30 H=mxout1.netvision.net.il [194.90.9.20] I=[62.8.64.4]:25 Warning: GeoIP: 194.90.9.20 is from IL - Israel.
2006-06-24 13:22:33 H=sv8pub.verizon.net [206.46.252.144] I=[62.8.64.4]:25 Warning: GeoIP: 206.46.252.144 is from US - United States.
2006-06-24 13:22:35 H=sv8pub.verizon.net [206.46.252.144] I=[62.8.64.4]:25 Warning: GeoIP: 206.46.252.144 is from US - United States.
2006-06-24 13:22:42 H=maxc.iconnect.co.ke (max.iconnect.co.ke) [212.22.164.9] I=[62.8.64.4]:25 Warning: GeoIP: 212.22.164.9 is from KE - Kenya.
2006-06-24 13:22:49 H=relay01.uchicago.edu [128.135.12.136] I=[62.8.64.4]:25 Warning: GeoIP: 128.135.12.136 is from US - United States.
2006-06-24 13:22:50 H=hermes.apache.org (mail.apache.org) [209.237.227.199] I=[62.8.64.4]:25 Warning: GeoIP: 209.237.227.199 is from US - United States.
2006-06-24 13:22:50 H=web52506.mail.yahoo.com [206.190.48.189] I=[62.8.64.4]:25 Warning: GeoIP: 206.190.48.189 is from US - United States.
2006-06-24 13:22:56 H=wr-out-0506.google.com [64.233.184.239] I=[62.8.64.4]:25 Warning: GeoIP: 64.233.184.239 is from US - United States.
2006-06-24 13:23:01 H=mail2.utlonline.co.ug [81.199.21.120] I=[62.8.64.4]:25 Warning: GeoIP: 81.199.21.120 is from IL - Israel.
2006-06-24 13:23:02 H=smtp.imul.com [217.113.72.30] I=[62.8.64.4]:25 Warning: GeoIP: 217.113.72.30 is from BE - Belgium.
2006-06-24 13:23:02 H=(163.gd) [58.60.174.38] I=[62.8.64.4]:25 Warning: GeoIP: 58.60.174.38 is from CN - China.
2006-06-24 13:23:05 H=web31214.mail.mud.yahoo.com [68.142.201.80] I=[62.8.64.4]:25 Warning: GeoIP: 68.142.201.80 is from US - United States.
2006-06-24 13:23:08 H=(pwani3.ikenya.com) [196.41.47.3] I=[62.8.64.4]:25 Warning: GeoIP: 196.41.47.3 is from TZ - Tanzania.
2006-06-24 13:23:09 H=bay104-f12.bay104.hotmail.com (hotmail.com) [65.54.175.22] I=[62.8.64.4]:25 Warning: GeoIP: 65.54.175.22 is from US - United States.
2006-06-24 13:23:10 H=egateway.cardscan.net (torpedoray.cardscan.net) [66.37.214.142] I=[62.8.64.4]:25 Warning: GeoIP: 66.37.214.142 is from US - United States.
2006-06-24 13:23:10 H=(marketing.net) [80.240.193.201] I=[62.8.64.4]:25 Warning: GeoIP: 80.240.193.201 is from KE - Kenya.
2006-06-24 13:23:12 H=vsmtp2.tin.it [212.216.176.222] I=[62.8.64.4]:25 Warning: GeoIP: 212.216.176.222 is from IT - Italy.
2006-06-24 13:23:13 H=mx1.ethionet.et [213.55.64.53] I=[62.8.64.4]:25 Warning: GeoIP: 213.55.64.53 is from ET - Ethiopia.
2006-06-24 13:23:13 H=web42110.mail.mud.yahoo.com [209.191.86.243] I=[62.8.64.4]:25 Warning: GeoIP: 209.191.86.243 is from US - United States.
2006-06-24 13:23:13 H=web42110.mail.mud.yahoo.com [209.191.86.243] I=[62.8.64.4]:25 Warning: GeoIP: 209.191.86.243 is from US - United States.
2006-06-24 13:23:13 H=web42110.mail.mud.yahoo.com [209.191.86.243] I=[62.8.64.4]:25 Warning: GeoIP: 209.191.86.243 is from US - United States.
2006-06-24 13:23:20 H=(rediffmail.com) [220.224.23.249] I=[62.8.64.4]:25 Warning: GeoIP: 220.224.23.249 is from IN - India.
2006-06-24 13:23:22 H=web34108.mail.mud.yahoo.com [66.163.178.106] I=[62.8.64.4]:25 Warning: GeoIP: 66.163.178.106 is from US - United States.
2006-06-24 13:23:23 H=(tritonke.com) [196.45.37.147] I=[62.8.64.4]:25 Warning: GeoIP: 196.45.37.147 is from TZ - Tanzania.
2006-06-24 13:23:31 H=(mail.kmarch.com) [217.21.118.10] I=[62.8.64.4]:25 Warning: GeoIP: 217.21.118.10 is from KE - Kenya.
2006-06-24 13:23:31 H=149.flowermed.com (flowermed.com) [65.175.44.149] I=[62.8.64.4]:25 Warning: GeoIP: 65.175.44.149 is from US - United States.
2006-06-24 13:23:46 H=bay20-f6.bay20.hotmail.com (hotmail.com) [64.4.54.95] I=[62.8.64.4]:25 Warning: GeoIP: 64.4.54.95 is from US - United States.
2006-06-24 13:23:46 H=web60418.mail.yahoo.com [209.73.178.146] I=[62.8.64.4]:25 Warning: GeoIP: 209.73.178.146 is from US - United States.
2006-06-24 13:23:47 H=relay1.mail.ox.ac.uk [129.67.1.165] I=[62.8.64.4]:25 Warning: GeoIP: 129.67.1.165 is from EU - European Union (can apply to any country in Europe).
2006-06-24 13:23:48 H=b2.e7.1343.static.theplanet.com (ieo.ieomail.com) [67.19.231.178] I=[62.8.64.4]:25 Warning: GeoIP: 67.19.231.178 is from US - United States.
2006-06-24 13:23:49 H=content120a.lga2.nytimes.com [199.239.138.66] I=[62.8.64.4]:25 Warning: GeoIP: 199.239.138.66 is from US - United States.
2006-06-24 13:23:50 H=vsmtp21.tin.it [212.216.176.109] I=[62.8.64.4]:25 Warning: GeoIP: 212.216.176.109 is from IT - Italy.
2006-06-24 13:23:51 H=(gmail.com) [220.224.23.249] I=[62.8.64.4]:25 Warning: GeoIP: 220.224.23.249 is from IN - India.
2006-06-24 13:23:54 H=lmfilto01.st1.spray.net [212.78.202.65] I=[62.8.64.4]:25 Warning: GeoIP: 212.78.202.65 is from SE - Sweden.
2006-06-24 13:23:54 H=www33a.your-server.co.za [196.7.147.33] I=[62.8.64.4]:25 Warning: GeoIP: 196.7.147.33 is from ZA - South Africa.
2006-06-24 13:23:57 H=(3w.gmail.cn) [210.73.88.250] I=[62.8.64.4]:25 Warning: GeoIP: 210.73.88.250 is from CN - China.
</snip>


        cheers
       - wash 
+----------------------------------+-----------------------------------------+
Odhiambo Washington                    . WANANCHI ONLINE LTD (Nairobi, KE)  |
wash () WANANCHI ! com            . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223            . # 10286, 00100 NAIROBI             |
GSM: (+254) 733 744 121            . (+254) 020 313 985 - 9             |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"  
                         --from a /. post
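An added worked example (editor's code, not from the post or from Exim): a Python version of the check the deny rule needs, run over a few of the log lines from the snippet above, plus a scan for the false-positive class the snippet itself already contains (a .co.ke relay that the RIR data places in NL), which is the main danger of the approach. The Exim condition given in the comment assumes the list's TXT records keep the "CC - Name" wording seen in the log.

```python
import re

# Exim equivalent of would_deny() below (assumption: the TXT record keeps the
# "CC - Name" wording seen in the snippet). It must come after the dnslists
# condition in the deny statement, otherwise $dnslist_text is still empty:
#   condition = ${if match{$dnslist_text}{KE - Kenya}{no}{yes}}
COUNTRY_RE = re.compile(r"is from (?P<cc>[A-Z]{2}) - (?P<name>.+?)\.$")
HOST_RE = re.compile(r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[\d.]+)\]")

# Lines copied from the snippet in the post; simbanet.co.ke (placed in NL) and
# the EU region code for ox.ac.uk are the interesting cases.
SAMPLE_LOG = [
    "2006-06-24 13:21:21 H=choiros.elon.edu [152.33.34.20] I=[62.8.64.4]:25 Warning: GeoIP: 152.33.34.20 is from US - United States.",
    "2006-06-24 13:21:51 H=smtp.nrb.simbanet.co.ke [80.247.158.70] I=[62.8.64.4]:25 Warning: GeoIP: 80.247.158.70 is from NL - Netherlands.",
    "2006-06-24 13:21:53 H=mx1.africaonline.co.ke (mlinzi.africaonline.co.ke) [195.202.85.139] I=[62.8.64.4]:25 Warning: GeoIP: 195.202.85.139 is from KE - Kenya.",
    "2006-06-24 13:23:47 H=relay1.mail.ox.ac.uk [129.67.1.165] I=[62.8.64.4]:25 Warning: GeoIP: 129.67.1.165 is from EU - European Union (can apply to any country in Europe).",
]

def country_of(log_line):
    """Two-letter code from the dnslist text, or None if the line has none."""
    m = COUNTRY_RE.search(log_line)
    return m.group("cc") if m else None

def would_deny(log_line, allowed=("KE",)):
    """True when the post's deny rule would fire for this connection.
    A line without a country (the dnslists condition did not match) is not
    denied: every condition of an Exim deny statement has to be true, so an
    unlisted host simply falls through to the next ACL statement."""
    cc = country_of(log_line)
    return cc is not None and cc not in allowed

def mislabelled_ke_hosts(log_lines):
    """Hosts whose reverse DNS ends in .ke but which the list places elsewhere.
    These are the legitimate Kenyan relays a blanket 'deny unless KE' rule
    would reject: RIR data describes the allocation, not where the box sits."""
    found = []
    for line in log_lines:
        h = HOST_RE.search(line)
        cc = country_of(line)
        if h and h.group("host").endswith(".ke") and cc not in (None, "KE"):
            found.append((h.group("host"), h.group("ip"), cc))
    return found

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(country_of(line), "deny" if would_deny(line) else "accept")
    print("would be wrongly rejected:", mislabelled_ke_hosts(SAMPLE_LOG))
```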