Hi,

On Sun, 18 Jul 2021 13:56:18 -0400 Bill Cole via mailop <mailop@mailop.org> wrote:
> > The only usable way seems to be GeoIP blocking countries, but I
> > am afraid that it is the wrong way.
>
> Why?

Hard to describe it in English for me, but I will try.

I consider blocking access by country as discriminating against all honest people in a particular country. One can be surprised, but my long-term country stats show that the worst countries are USA and Germany, and no, China is not even in the top 10. Yes, my stats are screwed by blocking from blocklist.de, which seems to catch about 50 % of abusive access, and those never reach the server, thus are missing in those stats, but anyway... And yes, I have my own country in my stats too, while far away from the top.

Second, blocking by country breaks the main Internet purpose -- to connect together the whole world.

Finally, blocking by country seems to be the simplest solution. But many (if not all) of the simplest solutions are not good solutions too. They are simple only simplest. Does one remember one of the simplest solutions in the past -- cutting off a burglar's hands? It solved nothing...

> If you have no users who need to authenticate from a particular
> network, there's no need to allow access from that network. If
> knowing where a network is based helps you make an accurate
> estimation of whether access from that network is needed, what's
> wrong with that?

It is the year 2021 here, people are not slaves nor vassals, they are free to travel, they use VPSs, VPNs, proxies, etc. for good purposes, not only to hide their abusive behaviour. I do not want to limit nor to spy on them, especially when they are family or friends. They must be free to use services from anywhere, and it does not matter if they need this or not.

> On one small mail server I manage, I have 346 IPv4 networks blocked
> from all ports that expose any password-based authentication, with
> some of those being /6 networks.

I am not afraid to block whole network blocks (even countries), but it must have a good reason AND must be a short-term solution.

Once again, in most network blocks there are honest people; even clouds (VPS) are used by honest people too. Consider why RBLs which block whole network blocks (and the people who use them) are so often criticised, not only in this list's history. Why people complain (again, not only on this list) about mail providers which reject mail only due to bad neighbours, etc, etc...

Yes, one can say that even behind one IP there can be honest people too, and will be right. In an ideal world we would be able to distinguish them; unfortunately we are living in the real world, not in an ideal one. In an ideal world they would all have a unique IP (no, IPv6 will not solve it); until then we have to live with this limitation, but we must not make things even worse...

That is why we have SPAM-checking software, brute-force guards and similar solutions. Their purpose is to distinguish honest access from abusive on a per-case basis, not by its origin. Once again, no: the simplest solutions are only rarely good solutions at once.

(I hope that I wrote this properly in English...)

regards

--
Slavko
http://slavino.sk