announcement about invaluement (or more like a tease?)
https://www.linkedin.com/feed/update/urn:li:activity:6571558988201148416/

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032
Re: How to block mails from unknown ip addresses?
On 2019-08-25 20:54, Matus UHLAR - fantomas wrote:

> I don't think you should download geoip postgres modules when what you really need is apparently a more recent database.
>
> Debian SA package suggests installing libgeo-ip-perl which further recommends geoip-database.
>
> buster contains version 20181108-1, while buster-backports contains version 20190724-1~bpo10+1
>
> Your problem could apparently be solved by installing the backported geoip-database version.

I tried this already (described in e-mail at 4:53 pm), but the ip address 45.141.151.5 wasn't in the backport geoip-database.

>> Maybe I have tomatoes on my eyes. I can't find the right debian package with the DB_File-Module. Do you or someone else know which package does contain the module? I don't use the cpan shell for installing modules.
>
> it's very good that you don't use these. They can make a mess on a debian system. Only install debian packages unless you really need and can take care of manually installed packages.

Yes, as you can see I got a warning and I installed the liblocale-codes-perl package.

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Locale::Country will be removed from the Perl core distribution in the next major release. Please install the separate liblocale-codes-perl package. It is being used at ./pgeoiplookup.pl, line 35.
Locale::Codes will be removed from the Perl core distribution in the next major release. Please install the separate liblocale-codes-perl package. It is being used at /usr/share/perl/5.28/Locale/Country.pm, line 22.
GeoIP version 1566699945: TR, Turkey
Re: How to block mails from unknown ip addresses?
On 2019-08-25 17:34, Giovanni Bechis wrote:

>> Hello, I can't find pgeoiplookup in the repository. I'm using Debian Buster (10.0), but the geoip database in this release is from 2018-11-08. So I activated backports to get a newer version from testing (https://tracker.debian.org/pkg/geoip-database).
>
> sorry, it's a tool I wrote to check ip addresses using ipcc.db databases.
> https://github.com/bigio/pgeoiplookup

Now I used the cpan shell. I thought it was a relic from the past. :)

install IP::Country
install IP::Country::DB_File
cpan[2]> exit
Terminal does not support GetHistory.
Lockfile removed.

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Locale::Country will be removed from the Perl core distribution in the next major release. Please install the separate liblocale-codes-perl package. It is being used at ./pgeoiplookup.pl, line 35.
Locale::Codes will be removed from the Perl core distribution in the next major release. Please install the separate liblocale-codes-perl package. It is being used at /usr/share/perl/5.28/Locale/Country.pm, line 22.
GeoIP version 1566699945: TR, Turkey

# aptitude install liblocale-codes-perl
The following NEW packages will be installed:
  liblocale-codes-perl
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 250 kB of archives. After unpacking 2,406 kB will be used.
Get: 1 http://asi-fs-n.contabo.net/debian buster/main amd64 liblocale-codes-perl all 3.60-1 [250 kB]
Fetched 250 kB in 0s (3,663 kB/s)
Selecting previously unselected package liblocale-codes-perl.
(Reading database ... 45022 files and directories currently installed.)
Preparing to unpack .../liblocale-codes-perl_3.60-1_all.deb ...
Unpacking liblocale-codes-perl (3.60-1) ...
Setting up liblocale-codes-perl (3.60-1) ...
Processing triggers for man-db (2.8.5-2) ...

# ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
GeoIP version 1566699945: TR, Turkey
Re: How to block mails from unknown ip addresses?
> On 2019-08-25 17:34, Giovanni Bechis wrote:
>> sorry, it's a tool I wrote to check ip addresses using ipcc.db databases.
>> https://github.com/bigio/pgeoiplookup

On 25.08.19 20:26, tba...@txbweb.de wrote:

> https://cwiki.apache.org/confluence/display/spamassassin/RelayCountryPlugin
>
> I've downloaded a db_file to an optional directory and set the variable "country_db_path" in /etc/spamassassin/local.cf (country_db_path /opt/ipcc/ipcc.db). spamassassin --lint displays no errors. If that works I can configure a cronjob for downloading the db file once a week.
>
> But I've a problem with your script.
>
> ./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
> Can't locate IP/Country/DB_File.pm in @INC (you may need to install the IP::Country::DB_File module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.28.1 /usr/local/share/perl/5.28.1 /usr/lib/x86_64-linux-gnu/perl5/5.28 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.28 /usr/share/perl/5.28 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at ./pgeoiplookup.pl line 34.

I don't think you should download geoip postgres modules when what you really need is apparently a more recent database.

Debian SA package suggests installing libgeo-ip-perl which further recommends geoip-database.

buster contains version 20181108-1, while buster-backports contains version 20190724-1~bpo10+1

Your problem could apparently be solved by installing the backported geoip-database version.

> Maybe I have tomatoes on my eyes. I can't find the right debian package with the DB_File-Module. Do you or someone else know which package does contain the module? I don't use the cpan shell for installing modules.

it's very good that you don't use these. They can make a mess on a debian system. Only install debian packages unless you really need and can take care of manually installed packages.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
Re: How to block mails from unknown ip addresses?
On 2019-08-25 17:34, Giovanni Bechis wrote:

> sorry, it's a tool I wrote to check ip addresses using ipcc.db databases.
> https://github.com/bigio/pgeoiplookup

https://cwiki.apache.org/confluence/display/spamassassin/RelayCountryPlugin

I've downloaded a db_file to an optional directory and set the variable "country_db_path" in /etc/spamassassin/local.cf (country_db_path /opt/ipcc/ipcc.db). spamassassin --lint displays no errors. If that works I can configure a cronjob for downloading the db file once a week.

But I've a problem with your script.

./pgeoiplookup.pl -f /opt/ipcc/ipcc.db 45.141.151.5
Can't locate IP/Country/DB_File.pm in @INC (you may need to install the IP::Country::DB_File module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.28.1 /usr/local/share/perl/5.28.1 /usr/lib/x86_64-linux-gnu/perl5/5.28 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.28 /usr/share/perl/5.28 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at ./pgeoiplookup.pl line 34.

Maybe I have tomatoes on my eyes. I can't find the right debian package with the DB_File-Module. Do you or someone else know which package does contain the module? I don't use the cpan shell for installing modules.
Re: How to block mails from unknown ip addresses?
On 2019-08-25 00:12, Benny Pedersen wrote:

>> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country codes)/
>> describe RELAYCOUNTRY_BAD Relayed through spam country at some point
>> score RELAYCOUNTRY_BAD 3.5
>
> correct rule, but geoip is not working in your install

Hello, geoip is working if geoiplookup has a valid country. Here is a result when the ip address can be found (RELAYCOUNTRY_BAD=3.5 in the test list).

---
X-Spam-Status: Yes, score=15.393 tag=2 tag2=6.31 kill=6.31
    tests=[AM.WBL=7, BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROMSPACE=0.001,
    FROM_SUSPICIOUS_NTLD=0.5, FSL_BULK_SIG=1.596, HTML_EMBEDS=0.001,
    HTML_MESSAGE=0.001, PYZOR_CHECK=1.392, RDNS_NONE=0.793,
    RELAYCOUNTRY_BAD=3.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    T_REMOTE_IMAGE=0.01, URIBL_RED=0.001] autolearn=no autolearn_force=no
---

The Turkey spammer uses DKIM-Signatures for each dirty domain and changes the ip addresses.

---
Received: from habitmarsh.pro (unknown [185.81.154.251])
    by mx2.level5.de (Postfix) with ESMTP
    for ; Sat, 24 Aug 2019 14:46:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=habitmarsh.pro;
    h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type;
    i=restl...@habitmarsh.pro;
    bh=2t5Wf+4FfcbFXk3qlpUtl7hNcLY=;
    b=BYPTXPtYMghNg+QpgG9WEYjd2FPjtRVS7rAfCCPt4hO6v7Fzo2ZK5YWiOBWtXPXKWFb9X6u7OQ8G
    Db9pXFfiYN+p76hpn/dPWLCH8G3kuJakwjthtuBG85wzytnelGph79TzqTXZGylltHv3JQOoPJca
    NHrcpHXgh+sVKHit2yw=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=habitmarsh.pro;
    b=dYV5l2FhyapgbC8/s1SXbQacaxUiqlIWFCNDtBvzfV2E9+7wS61Ppqxufk1tZyYgVRLnj+1wrzZC
    NKFQfvNL7TVSgk8u14S8ptc4q0tfE+uQ886w9ZuxOHQ+7jOasm+AW84BJm6fI3n7jEPL1xZC2bqx
    wJOICRNUrJ+k9XVHhag=;
From: " Timothy Long"
Date: Sat, 24 Aug 2019 07:42:21 -0500
MIME-Version: 1.0
Subject: Boost your internet with this without upgrading your plan
---
Re: How to block mails from unknown ip addresses?
On Sun, Aug 25, 2019 at 04:53:36PM +0200, tba...@txbweb.de wrote:
> On 2019-08-25 10:18, Giovanni Bechis wrote:
> > geoip 1.x is no longer updated, with 3.4.2+ you can use country_db_type DB_File and it would have matched that ip.
> >
> > -
> > $ pgeoiplookup 45.141.151.5
> > GeoIP version 1566720869: TR, Turkey
> > -
>
> Hello, I can't find pgeoiplookup in the repository. I'm using Debian Buster (10.0), but the geoip database in this release is from 2018-11-08. So I activated backports to get a newer version from testing (https://tracker.debian.org/pkg/geoip-database).
>
sorry, it's a tool I wrote to check ip addresses using ipcc.db databases.
https://github.com/bigio/pgeoiplookup

> # aptitude -t buster-backports install geoip-database
>
> Get: 1 http://deb.debian.org/debian buster-backports/main amd64 geoip-database all 20190724-1~bpo10+1
>
GeoIP databases are no longer updated by Maxmind, you should use a different country_db_type in the RelayCountry plugin (db_file or geoip2) to detect new ip addresses.

Giovanni
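
The switch recommended above, written out as a local.cf fragment (an added example, not configuration posted by anyone in the thread). The DB_File path is the one used elsewhere in the thread; the AA|BB country list, the RELAYCOUNTRY_UNKNOWN rule name and its score are placeholders, and that rule assumes RelayCountry reports a relay it cannot resolve as XX.

```conf
# /etc/spamassassin/local.cf -- added example, not from the thread

# Before: the legacy GeoIP 1.x backend. Its .dat files are no longer
# updated, so newly allocated relay addresses resolve to no country.
# country_db_type GeoIP

# After: the DB_File backend (SpamAssassin 3.4.2+), pointing at the
# ipcc.db path used in the thread. Refresh the file on a schedule.
country_db_type DB_File
country_db_path /opt/ipcc/ipcc.db

# Expose the per-relay result so it can be checked on delivered mail.
add_header all Relay-Country _RELAYCOUNTRY_

# Rule from the thread. AA|BB is a placeholder for your own list of
# two-letter country codes.
header   RELAYCOUNTRY_BAD      X-Relay-Countries =~ /\b(?:AA|BB)\b/
describe RELAYCOUNTRY_BAD      Relayed through spam country at some point
score    RELAYCOUNTRY_BAD      3.5

# Assumption: RelayCountry writes XX for a relay that has no entry in the
# database. Confirm against the Relay-Country header on real mail before
# relying on it. The score is a constructed starting value and is kept
# low because a stale database also produces XX for legitimate senders.
header   RELAYCOUNTRY_UNKNOWN  X-Relay-Countries =~ /\bXX\b/
describe RELAYCOUNTRY_UNKNOWN  Relay address not found in country database
score    RELAYCOUNTRY_UNKNOWN  1.0
```

Run spamassassin --lint after editing, as done earlier in the thread, and restart the scanner that loads the rules.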
Re: How to block mails from unknown ip addresses?
On 2019-08-25 10:18, Giovanni Bechis wrote:

> geoip 1.x is no longer updated, with 3.4.2+ you can use country_db_type DB_File and it would have matched that ip.
>
> -
> $ pgeoiplookup 45.141.151.5
> GeoIP version 1566720869: TR, Turkey
> -

Hello, I can't find pgeoiplookup in the repository. I'm using Debian Buster (10.0), but the geoip database in this release is from 2018-11-08. So I activated backports to get a newer version from testing (https://tracker.debian.org/pkg/geoip-database).

# aptitude -t buster-backports install geoip-database

Get: 1 http://deb.debian.org/debian buster-backports/main amd64 geoip-database all 20190724-1~bpo10+1

ls -al /usr/share/GeoIP/
total 36060
drwxr-xr-x   2 root root     4096 Aug 25 16:35 .
drwxr-xr-x 131 root root     4096 Aug 10 12:37 ..
-rw-r--r--   1 root root  4969864 Nov  8  2018 GeoIPASNum.dat
-rw-r--r--   1 root root 22104026 Nov  8  2018 GeoIPCity.dat
-rw-r--r--   1 root root  2022333 Jul 31 15:47 GeoIP.dat
-rw-r--r--   1 root root  7811745 Jul 31 15:47 GeoIPv6.dat

The database is from 2019-07-24, but the ip address is still unknown :-/

root@mx2:~# geoiplookup 45.141.151.5
GeoIP Country Edition: IP Address not found

Seems that these intelligent spammers tend to use really new ip addresses :)

Is there no solution for the relaycountry plugin to get a score if an ip address can't be found? I don't need the newest databases because the ip addresses of good senders exist longer.

Thomas Barth
Re: How to block mails from unknown ip addresses?
On Sat, Aug 24, 2019 at 08:27:03PM +0200, tba...@txbweb.de wrote:
> Hello,
>
> I would like to block mails from ip addresses that can't be found. There is a tricky spam series getting a low score. Currently I can block the mails just by scoring the TLD.
>
> I use the RelayCountry Plugin, but it doesn't work if the ip address is not available.
>
> header RELAYCOUNTRY_BAD X-Relay-Countries =~ /(List of country codes)/
> describe RELAYCOUNTRY_BAD Relayed through spam country at some point
> score RELAYCOUNTRY_BAD 3.5
>
>
> Here is some info from an example header
>
> X-Spam-Status: Yes, score=11.891 tag=2 tag2=6.31 kill=6.31
>     tests=[AM.WBL=7, BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
>     DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROMSPACE=0.001,
>     FROM_SUSPICIOUS_NTLD=0.5, FSL_BULK_SIG=1.596, HTML_MESSAGE=0.001,
>     PYZOR_CHECK=1.392, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001,
>     SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
>
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=strapdebut.pro;
>     h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type;
>     i=nonse...@strapdebut.pro;
>     bh=p2qRX9+f0yHDj3jqqnVU4hoNG58=;
>     b=MmuxhWP6r2xfmasBMUUXqDc0ai2/zlR9ZgmBZPvsbo3fgl6m4dBkmpVvVqZo2DMgiee7I6Msp07c
>     3xIc7SbGGs9QOFGZYkaQpYpY56zW8AqjIWQvbC6D6jVq43P/7yF6nwrI7GrHTKgeL6/SAtzCUpf2
>     HOR8Zr3N45GuMa5iHdc=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=strapdebut.pro;
>     b=UH6pdk+pAUj1o9TF7Z0RySxRb7AFJUL4yori8RZ99Wd4nxABrPXndv88xSVu2rfBPTlQO/8KbdP4
>     O2fJMJeSMRS+4Q7IFkjbMSkwYi+wGXZkcU10diEVt24i7bQf9l1zRNMQ9zV7GlAs4XeqAjEqGvV1
>     SmcUvgGYccNp65I07nQ=;
> From: " Carol Yates"
> Date: Sat, 24 Aug 2019 12:48:11 -0500
> MIME-Version: 1.0
> Subject: ACs are going to be extinct after this discovery
>
>
> Aug 24 19:54:38 mx2 amavis[3405]: (03405-11) Blocked SPAM {RejectedOpenRelay,Quarantined}, [45.141.151.5]:2812 [45.141.151.5] -> , quarantine: N/spam-NHIkGYse9Osv.gz, Message-ID: , mail_id: NHIkGYse9Osv, Hits: 11.891, size: 9352, 2697 ms
>
>
> # geoiplookup 45.141.151.5
> GeoIP Country Edition: IP Address not found
> GeoIP City Edition, Rev 1: IP Address not found
> GeoIP ASNum Edition: IP Address not found
>
geoip 1.x is no longer updated, with 3.4.2+ you can use country_db_type DB_File and it would have matched that ip.

-
$ pgeoiplookup 45.141.151.5
GeoIP version 1566720869: TR, Turkey
-

Giovanni