On 3/11/25 4:57 PM, Philip Prindeville wrote:


On Mar 10, 2025, at 2:01 AM, giovanni--- via MIMEDefang <[email protected]> wrote:

On 3/10/25 7:05 AM, Philip Prindeville via MIMEDefang wrote:
Hi,
I’ve started seeing the following recently:
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: No record found for IP address 167.94.138.174
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: Trace begun at /
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: usr/share/perl5/vendor_perl/GeoIP2/Database/Reader.pm line 88
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: G
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: eoIP2::Database::Reader::_model_for_address('GeoIP2::Database::
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: Reader=HASH(0x557f24549ab8)', 'ASN', 'type_check', 'Regexp=REGE
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: XP(0x557f2b13eba8)', 'is_flat', 1, 'ip', 167.94.138.174) called
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr:  at /usr/share/perl5/vendor_perl/GeoIP2/Database/Reader.pm line
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr:  113
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: GeoIP2::Database::Reader::asn('GeoIP2::Database::Reader=HA
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: SH(0x557f24549ab8)', 'ip', 167.94.138.174) called at /etc/mail/
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: mimedefang-filter line 3068
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::filter_helo(167.94.138.174, '
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: [167.94.138.174]', 'www.censys.io', 46632, 192.168.8.3, 25, '52
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: A5RhOI1495862') called at /usr/bin/mimedefang.pl line 686
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main:
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: :handle_helook(167.94.138.174, '[167.94.138.174]', 'www.censys.
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: io', 46632, 192.168.8.3, 25, '52A5RhOI1495862') called at /usr/
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: bin/mimedefang.pl line 505
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::do_main_loop at /usr/bin/mimed
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: efang.pl line 474
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: main::main at /usr/bin/mimedefang.pl line 152
Mar  9 23:27:53 mail mimedefang-multiplexor[1495492]: Worker 0 stderr: 1
Apologies for the crappy line-wrapping.
I’m not sure why it’s not able to find a record for that.  The CIDR 167.94.138.174/24 is known to be ASN 398324.

Could you post an extract of /etc/mail/mimedefang-filter around line 3068?
GeoIP2 code is part of your mimedefang-filter code.
Which MIMEDefang version are you running?
Thanks
  Giovanni


I’m running Fedora 41 (LTS), so 3.6.1 is what ships with that.

My code looks like:

…
[...]
sub filter_helo($$$$$$$) {
     __enter();

     my ($hostip, $hostname, $helo, $hostport, $serverip, $serverport, $qid) = @_;

     if ($serverport == 25) {
…

         if (defined $reader2 && $hostip ne '127.0.0.1') {
             my $asn = $reader2->asn(ip => $hostip);

$reader2->asn() outputs to STDOUT if it cannot find the ip address,
you should write your code this way instead:

            my $asn;
            eval {
              $asn = $reader2->asn(ip => $hostip);
            };
            if($@) {
              md_syslog("Warning", "Could not find ASN for ip $hostip");
            }


             if (defined $asn) {
                my $num = $asn->autonomous_system_number();
                 my $org = $asn->autonomous_system_organization();
                md_syslog('debug', "helo: AS $num is '$org'");
                if (exists $bad_isp{$org}) {
                    md_syslog('debug', "helo: This ISP has been blacklisted");
                    __leave();
                    return ('REJECT', "This ISP has been blacklisted");
                }
            }
        }


As for GeoIP2:

[root@mail mail]# mmdblookup -f /usr/share/GeoIP/GeoLite2-ASN.mmdb -i 167.94.138.174

   {
     "autonomous_system_number":        398324 <uint32>
     "autonomous_system_organization":        "CENSYS-ARIN-01" <utf8_string>
   }

[root@mail mail]#
[root@mail mail]# ls -ltr /usr/share/GeoIP/
total 76656
-rw-r--r--. 1 root root  9846544 Mar 11 09:44 GeoLite2-ASN.mmdb
-rw-r--r--. 1 root root  8828854 Mar 11 09:44 GeoLite2-Country.mmdb
-rw-r--r--. 1 root root 59816818 Mar 11 09:44 GeoLite2-City.mmdb
[root@mail mail]#




Has anyone else seen this?
Thanks,
-Philip

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

MIMEDefang mailing list [email protected]
https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org
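
The eval-guarded lookup suggested in the thread, as an added example that is not part of the original messages or of MIMEDefang: lookup_asn() is a hypothetical helper that separates a plain "no record" miss from other lookup failures and returns nothing in either case, so the caller's blocklist check is skipped. It assumes a miss is raised as GeoIP2::Error::IPAddressNotFound, the exception class documented by the GeoIP2 Perl distribution; the Local::Stub* packages, the 192.0.2.10 / 198.51.100.7 addresses and AS64500 are constructed stand-ins so it runs without a .mmdb file.

```perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Returns ($num, $org) on a hit, an empty list on a miss or lookup error.
# $log is a code ref taking (level, message); in a filter it would wrap md_syslog.
sub lookup_asn {
    my ($reader, $ip, $log) = @_;
    my $asn;
    # "eval { ...; 1 } or do { ... }" detects failure from eval's return
    # value rather than from $@, which can be reset before it is inspected.
    eval { $asn = $reader->asn(ip => $ip); 1 } or do {
        my $err = $@ || 'unknown error';
        if (blessed($err) && $err->isa('GeoIP2::Error::IPAddressNotFound')) {
            $log->('debug', "helo: no ASN record for $ip");
        } else {
            # Missing or corrupt database, bad argument: an operational
            # problem that deserves a louder log line than a simple miss.
            $log->('warning', "helo: ASN lookup failed for $ip");
        }
        return;    # leaves lookup_asn(); the caller sees no ASN data
    };
    return unless defined $asn;
    return ($asn->autonomous_system_number(),
            $asn->autonomous_system_organization());
}

# --- constructed stand-ins for the real reader and record objects ---
package Local::StubRecord {
    sub autonomous_system_number       { $_[0]{num} }
    sub autonomous_system_organization { $_[0]{org} }
}
package Local::StubReader {
    my %db = ('192.0.2.10' => { num => 64500, org => 'EXAMPLE-NET' });
    sub asn {
        my ($self, %args) = @_;
        my $rec = $db{ $args{ip} }
            or die bless {}, 'GeoIP2::Error::IPAddressNotFound';
        return bless {%$rec}, 'Local::StubRecord';
    }
}
package main;

my @log;
my $reader = bless {}, 'Local::StubReader';
for my $ip ('192.0.2.10', '198.51.100.7') {
    my ($num, $org) = lookup_asn($reader, $ip, sub { push @log, "$_[0]: $_[1]" });
    print defined $num ? "$ip -> AS$num '$org'\n" : "$ip -> no ASN data\n";
}
print "$_\n" for @log;
```

Because a miss yields an empty list, a filter built on this helper accepts hosts whose ASN is unknown; rejecting them instead is a policy decision to make explicitly in the caller.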