Re: mark emails as being spam originating from an ip range owner

2020-09-29 Thread John Hardin

On Tue, 29 Sep 2020, Kenneth Porter wrote:

--On Tuesday, September 29, 2020 10:48 AM + Andy Smith wrote:



Or consider using ASN plugin:


With that hint, I found this interesting service:



One could use this to, for example, create firewall rules to block 
connections from hostile ASNs.


Hostile email sources should be TCP tarpitted. :)

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79


Re: mark emails as being spam originating from an ip range owner

2020-09-29 Thread Kenneth Porter
--On Tuesday, September 29, 2020 10:48 AM + Andy Smith wrote:



Or consider using ASN plugin:


With that hint, I found this interesting service:



One could use this to, for example, create firewall rules to block 
connections from hostile ASNs.






Re: mark emails as being spam originating from an ip range owner

2020-09-29 Thread John Hardin

On Tue, 29 Sep 2020, Marc Roos wrote:


How can I mark emails as being spam originating from an ip range owned
by xserver.ua?

% Abuse contact for '176.103.48.0 - 176.103.63.255' is
'ab...@xserver.ua'


Do you want to just tag and deliver or quarantine them? Or do you want to 
discard them?


If the latter, then the most efficient approach is to tell your MTA to 
reject SMTP sessions from that IP block with an appropriate message. Avoid 
the SA scanning overhead entirely.




--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79

RE: mark emails as being spam originating from an ip range owner

2020-09-29 Thread Marc Roos
 

Thanks for the asn tip! There is even a dns service that offers the asn 
lookup. This is what I found, maybe there are more.

[@]$ dig +short -t txt 80.53.103.176.origin.asn.cymru.com
"48031 | 176.103.48.0/20 | UA | ripencc | 2011-12-09"





-Original Message-
To: users@spamassassin.apache.org
Subject: Re: mark emails as being spam originating from an ip range 
owner

Hello,

On Tue, Sep 29, 2020 at 10:49:36AM +0200
> How can I mark emails as being spam originating from an ip range owned
> by xserver.ua?
> 
> % Abuse contact for '176.103.48.0 - 176.103.63.255' is

I'm not sure if blacklist_from accepts IP addresses or CIDR ranges, but 
if it does:

blacklist_from 176.103.48.0/20

Or consider using ASN plugin:


https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_ASN.html

and then adding a rule that penalises everything from ASN 48031:

header    LOCAL_SPAMMY_ASN_XSERVER  X-ASN =~ /\b48031\b/
score     LOCAL_SPAMMY_ASN_XSERVER  5.0
describe  LOCAL_SPAMMY_ASN_XSERVER  Too much spam from xserver.ua (AS48031)

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
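
The DNS lookup in the message above, as an added example that is not part of the original thread: it builds the reversed-octet query name for the `origin.asn.cymru.com` zone and parses the TXT answer into typed fields so an address can be checked against a set of blocked ASNs. The function names are hypothetical, the answer is the one quoted in the thread (embedded so the code runs offline), and the handling of several space-separated origin ASNs in the first field is an assumption.

```python
import ipaddress

# Zone name and sample answer are taken from the dig output quoted in the thread.
CYMRU_ORIGIN_ZONE = "origin.asn.cymru.com"
SAMPLE_TXT = '"48031 | 176.103.48.0/20 | UA | ripencc | 2011-12-09"'


def origin_query_name(ip):
    """Build the TXT query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4")
    return ".".join(reversed(str(addr).split("."))) + "." + CYMRU_ORIGIN_ZONE


def parse_origin_txt(txt):
    """Parse 'ASN | prefix | CC | registry | allocated' into typed fields."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError("unexpected field count: %d" % len(fields))
    asns, prefix, cc, registry, allocated = fields
    return {
        # Assumption: a multi-origin prefix lists its ASNs space-separated.
        "asns": [int(a) for a in asns.split()],
        "prefix": ipaddress.ip_network(prefix),
        "cc": cc,
        "registry": registry,
        "allocated": allocated,
    }


def is_listed(ip, txt, blocked_asns):
    """True if the answer for `ip` names an origin ASN in `blocked_asns`."""
    rec = parse_origin_txt(txt)
    # Reject an answer whose prefix does not cover the address we asked about.
    if ipaddress.ip_address(ip) not in rec["prefix"]:
        raise ValueError("answer prefix does not cover the queried address")
    return any(asn in blocked_asns for asn in rec["asns"])


if __name__ == "__main__":
    ip = "176.103.53.80"  # the address behind the dig query in the thread
    print(origin_query_name(ip))
    print(parse_origin_txt(SAMPLE_TXT))
    print(is_listed(ip, SAMPLE_TXT, {48031}))
```
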




Re: mark emails as being spam originating from an ip range owner

2020-09-29 Thread Andy Smith
Hello,

On Tue, Sep 29, 2020 at 10:49:36AM +0200, Marc Roos wrote:
> How can I mark emails as being spam originating from an ip range owned 
> by xserver.ua?
> 
> % Abuse contact for '176.103.48.0 - 176.103.63.255' is 

I'm not sure if blacklist_from accepts IP addresses or CIDR ranges,
but if it does:

blacklist_from 176.103.48.0/20

Or consider using ASN plugin:


https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_ASN.html

and then adding a rule that penalises everything from ASN 48031:

header    LOCAL_SPAMMY_ASN_XSERVER  X-ASN =~ /\b48031\b/
score     LOCAL_SPAMMY_ASN_XSERVER  5.0
describe  LOCAL_SPAMMY_ASN_XSERVER  Too much spam from xserver.ua (AS48031)

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting