On Mon, Oct 10, 2005 at 11:52:54AM -0500, Damrose, Mark wrote:
> I've been getting a bunch of spam from zombied hosts in the 222.x.x.x range.
> Much of it gets blocked by Spamhaus and other lists, but there's been enough
> left that it's noticeable. Whois says that this netblock is assigned to
> "Air Force Logistics Command". The senders of the spam vary, but none of
> them are domains that have SPF.

The 222/8 "netblock" is assigned to APNIC, the Asian Pacific region, where it is distributed further to individual ISPs or customers. You can verify this from: http://www.iana.org/assignments/ipv4-address-space

whois.apnic.net contains further information on the distribution, e.g., 222.0.0.0 - 222.15.255.255 is allocated to a "KDDI Corporation" in Tokyo, Japan. The next block, 222.16.0.0/21, is allocated to a university in China. I couldn't find any af.mil networks, offhand.

So if you block this entire network, you're blocking a pretty large amount of addresses in the Asian Pacific region... but likely only the most recently allocated ones. If you want to be complete, go over the ipv4-address-space I mentioned above and look up all netblocks belonging to APNIC.

However, it does seem excessive to me... simply blocking about a third of the world (remember Australia is also in that area). You might be better off using a country-specific blocking list such as cn.rbl.cluecentral.net, kr.rbl.cluecentral.net etc, and leaving your "postmaster" and/or "abuse" address explicitly open in case someone does need to contact you from those areas.

> Does anybody see any downside to doing something like:
> sub filter_sender($$$$) {
>     my ($sender, $ip, $hostname, $helo) = @_;
>
>     if ( ($ip =~ /^222\./) && ($sender !~ /af\.mil\>?/i) ) {
>         return ('REJECT', 'Not USAF address');
>     }
>
>     return ('CONTINUE', 'OK');
>
> }

You mean apart from the fact that it's very easy to spoof, too generic of a blocking method, that the af.mil exception likely has nothing to do with the 222/8 netblock, and that the exception isn't strict enough (it would match mail from <[EMAIL PROTECTED]>)?

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
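
An added example, not part of the original message and not MIMEDefang's own code: one way to express the alternative suggested in the reply, checking the relay IP against the country lists while keeping "postmaster" and "abuse" reachable. The names check_relay, dnsbl_name and is_role_address are hypothetical, the resolver stub and sample addresses are constructed so the script runs offline, and the return values follow the shape of the quoted filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_aton);

# Country zones named in the reply above.
my @ZONES = qw(cn.rbl.cluecentral.net kr.rbl.cluecentral.net);

# DNSBL query name: the IPv4 octets reversed, followed by the zone.
sub dnsbl_name {
    my ($ip, $zone) = @_;
    my @o = $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
        or return;
    return if grep { $_ > 255 } @o;
    return join('.', reverse(@o), $zone);
}

# True when the recipient is a role address that must stay reachable.
sub is_role_address {
    my ($rcpt) = @_;
    $rcpt =~ s/^<|>$//g;                      # strip SMTP angle brackets
    return $rcpt =~ /^(?:postmaster|abuse)(?:\@|$)/i;
}

# $listed is a code ref that returns true when a DNSBL name resolves;
# the default performs a real DNS lookup (assumption: IPv4 relays only).
sub check_relay {
    my ($rcpt, $ip, $listed) = @_;
    $listed ||= sub { defined inet_aton($_[0]) };
    return ('CONTINUE', 'role address') if is_role_address($rcpt);
    for my $zone (@ZONES) {
        my $name = dnsbl_name($ip, $zone) or next;
        return ('REJECT', "Relay $ip listed in $zone") if $listed->($name);
    }
    return ('CONTINUE', 'OK');
}

# Constructed sample data: a stub resolver with one fake listing.
my %fake = ('1.0.16.222.cn.rbl.cluecentral.net' => 1);
my $stub = sub { $fake{ $_[0] } };
for my $case (['<user@example.org>',       '222.16.0.1'],
              ['<postmaster@example.org>', '222.16.0.1'],
              ['<user@example.org>',       '222.0.0.1']) {
    my ($code, $msg) = check_relay(@$case, $stub);
    print "@$case -> $code ($msg)\n";
}
```

The decision depends only on the connecting relay's IP and the recipient, never on the envelope sender, which is the part of the quoted filter that is easy to spoof.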

