{Spam?} RE: IP country block possible?

Matt Kettler mkettler at evi-inc.com
Fri Jan 5 19:37:41 CET 2007 

mailscanner at aha4adsl.nl wrote:
> Thank you for all your reactions. I studied them carefully.
> 
> Based on that I wanted to start blocking the first countries but I am
> running into problems. 
> 
> I changed my local.cf with the following lines.
> 
> 
> body 			LAMP	/\bLamp\b/i
> score            LAMP  1 2 3 4
> 
> header __RCVD_IN_NERDS      eval:check_rbl('nerds','zz.countries.nerd.dk.')
> describe __RCVD_IN_NERDS                Received from a spam country
> tflags __RCVD_IN_NERDS                  0.01
> tflags __RCVD_IN_NERDS                  net

<snip>

*STRONG* suggestion: Make use of SpamAssassin's RelayCountry plugin.

This will avoid wasting time doing network lookups and will use
IP::Country::Fast instead.

Once you have RelayCountries loaded you can use rules like this:
-------------------------------

#replaces old blackholes.us rules, works much better and faster too

#see http://psi.oasis-open.org/iso/3166/oasis-spec.html for codes
# informational, mostly for checking how much these hit
header RELAY_ES X-Relay-Countries=~/\bES\b/
describe RELAY_ES       Relayed through Spain
score RELAY_ES 0.01

header RELAY_UK X-Relay-Countries=~/\bGB\b/
describe RELAY_UK       Relayed through Brittan
score RELAY_UK 0.01

header RELAY_FR X-Relay-Countries=~/\bFR\b/
describe RELAY_FR       Relayed through France
score RELAY_FR 0.01

header RELAY_DE X-Relay-Countries=~/\bDE\b/
describe RELAY_DE       Relayed through Germany
score RELAY_DE 0.01

header RELAY_AT X-Relay-Countries=~/\bAT\b/
describe RELAY_AT       Relayed through Austria
score RELAY_AT 0.01

# these have VERY high spam volume and little legit mail
# however, don't go over 3.0 or so with these.

header RELAY_CN X-Relay-Countries=~/\bCN\b/
describe RELAY_CN       Relayed through china
score RELAY_CN 2.5

header RELAY_KR X-Relay-Countries=~/\bKR\b/
describe RELAY_KR       Relayed through Korea
score RELAY_KR 2.5

header RELAY_KP X-Relay-Countries=~/\bKP\b/
describe RELAY_KP       Relayed through North Korea
score RELAY_KP 2.5

#countries prone to abuse and low legit mail volume
# can't score high due to some legit mail
# however score bias of 0.1 to 1.5 is reasonable here
# depending on the country in question

header RELAY_AP X-Relay-Countries=~/\bAP\b/
describe RELAY_AP       Relayed through generic AP
score RELAY_AP  0.5

header RELAY_TW X-Relay-Countries=~/\bTW\b/
describe RELAY_TW       Relayed through Taiwan
score RELAY_TW 1.0

header RELAY_SK X-Relay-Countries=~/\bSK\b/
describe RELAY_SK       Relayed through Slovakia
score RELAY_TW 1.0

header RELAY_JP X-Relay-Countries=~/\bJP\b/
describe RELAY_JP       Relayed through Japan
score RELAY_JP 1.0

header RELAY_AR X-Relay-Countries=~/\bAR\b/
describe RELAY_AR       Relayed through Argentina
score RELAY_AR 1.0

header RELAY_BR X-Relay-Countries=~/\bBR\b/
describe RELAY_BR       Relayed through Brazil
score RELAY_BR 1.0

header RELAY_RU X-Relay-Countries=~/\bRU\b/
describe RELAY_RU       Relayed through Russia
score RELAY_RU 1.0

header RELAY_RO X-Relay-Countries=~/\bRO\b/
describe RELAY_RO       Relayed through Romania
score RELAY_RO 1.0

header RELAY_PS X-Relay-Countries=~/\bPS\b/
describe RELAY_PS       Relayed through occupied Palestine
score RELAY_PS 1.0

header RELAY_PL X-Relay-Countries=~/\bPL\b/
describe RELAY_PL       Relayed through Poland
score RELAY_PL 1.0

header RELAY_IL X-Relay-Countries=~/\bIL\b/
describe RELAY_IL       Relayed through Israel
score RELAY_IL 1.0

header RELAY_HU X-Relay-Countries=~/\bHU\b/
describe RELAY_HU       Relayed through Hungary
score RELAY_HU 1.0

header RELAY_NG X-Relay-Countries=~/\bNG\b/
describe RELAY_NG       Relayed through Nigeria
score RELAY_NG 1.0

header RELAY_PK X-Relay-Countries=~/\bPK\b/
describe RELAY_PK       Relayed through Pakistan
score RELAY_PK 1.0

header RELAY_GT X-Relay-Countries=~/\bGT\b/
describe RELAY_GT       Relayed through Guatemala
score RELAY_GT 1.0

header RELAY_PE X-Relay-Countries=~/\bPE\b/
describe RELAY_PE       Relayed through Peru
score RELAY_PE 1.0

header RELAY_PA X-Relay-Countries=~/\bPA\b/
describe RELAY_PA       Relayed through Panama
score RELAY_PA 1.0

header RELAY_ID X-Relay-Countries=~/\bID\b/
describe RELAY_ID       Relayed through Indonesia
score RELAY_ID 1.0

header RELAY_EG X-Relay-Countries=~/\bEG\b/
describe RELAY_EG       Relayed through Egypt
score RELAY_EG 1.0

header RELAY_CZ X-Relay-Countries=~/\bCZ\b/
describe RELAY_CZ       Relayed through Czech Republic
score RELAY_CZ 0.5

header RELAY_CO X-Relay-Countries=~/\bCO\b/
describe RELAY_CO       Relayed through Columbia
score RELAY_CO 1.0

header RELAY_TK X-Relay-Countries=~/\bTK\b/
describe RELAY_TK       Relayed through Turkey
score RELAY_TK 0.5

More information about the MailScanner mailing list