On Mon, October 30, 2006 8:27 am, Bill Church wrote:
Mark Weaver wrote:
Bill Church wrote:
If you have the luxury of blocking IPs based on countries or regions, that helps as well but not everyone can do this.
-Bill
... And personally I don't consider blocking on countries or regions a luxury, but rather a necessity. Anyone can do it and should if they're running a mail server that is accepting direct SMTP connections.
I mean a luxury as in if you are so fortunate to only receive mail from a few regions or so. We have a fairly large customer who is an electronics manufacturer, their suppliers and customers are all over the globe, unfortunately we can't use this strategy for them.
We have a few financial customers, however, where their customers are only in the US. They block access to all of their resources geographically, this seems to work very well for them for spam and attacks.
Very nice work Mark. How do your logs look with all of those log statements?
-Bill
Thanks!
The logs reflect the chatty nature of the rules, but all in all definitely not unmanageable.
As far as being able to receive messages from part of the globe of an already blocked area, if I remember correctly I've been known to fine tune this a bit to allow certain IPs in while blocking the rest of the netblock from an offending area. Australia springs to mind since when I first started compiling data for this most of the spam was originating from the Asia Pacific network. Since then, in the last 6 months traffic has shifted from there to the RIPE network.
Unless I'm mistaken, if one sets a rule to block an IP range 216.0.0.0-215.255.255.255 we're effectively blocking a very large netblock. However, if there's a smaller segment within that netblock that you want to allow, placing another rule directly after that should allow that secondary traffic in. Puts me in mind of setting the INPUT chain's default policy to DROP and then placing a rule to allow certain connections from certain sources to be accepted.
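
Added example, not part of the original message: a small Python model of how an iptables chain is traversed (rules are checked top to bottom, the first rule with a terminating target decides, and the chain policy applies only when no rule matched), showing where an exception for a smaller segment has to sit relative to the rule blocking the enclosing netblock. The networks are constructed documentation ranges, `evaluate` and `shadowed` are hypothetical helper names, and only source-address matching with ACCEPT/DROP is modelled.

```python
import ipaddress

# Constructed sample rules; addresses are RFC 5737 documentation ranges.
BLOCK = ("198.51.100.0/24", "DROP")     # the large blocked netblock
ALLOW = ("198.51.100.16/28", "ACCEPT")  # smaller segment that should get in


def evaluate(rules, policy, source):
    """Return (verdict, rule position) for a source address.

    Rules are walked in order and the first match decides; the chain
    policy is used only when no rule matched (position is then None).
    """
    addr = ipaddress.ip_address(source)
    for position, (cidr, target) in enumerate(rules, start=1):
        if addr in ipaddress.ip_network(cidr):
            return target, position
    return policy, None


def shadowed(rules):
    """Positions of rules that can never fire because an earlier rule
    already covers their entire source range."""
    dead = []
    for i, (cidr, _) in enumerate(rules):
        net = ipaddress.ip_network(cidr)
        if any(net.subnet_of(ipaddress.ip_network(prev)) for prev, _ in rules[:i]):
            dead.append(i + 1)
    return dead


if __name__ == "__main__":
    sender = "198.51.100.20"  # constructed address inside the allowed segment
    for name, chain in (("exception first", [ALLOW, BLOCK]),
                        ("exception after", [BLOCK, ALLOW])):
        verdict, pos = evaluate(chain, "ACCEPT", sender)
        print(f"{name}: {sender} -> {verdict} (rule {pos}), "
              f"unreachable rules: {shadowed(chain)}")
    # Default-DROP layout: the ACCEPT rule still matches before the policy.
    print(evaluate([ALLOW], "DROP", sender), evaluate([ALLOW], "DROP", "192.0.2.9"))
```

Running `shadowed` over an exported rule list is a quick audit for exceptions that were appended below the block they were meant to pierce.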