[BlueOnyx:26701] AV-SPAM v7.2.9-1 released

Michael Stauber mstauber at blueonyx.it
Mon Jan 8 14:11:58 -05 2024


Hi all,

I just released the AV-SPAM v7.2.9-1 for BlueOnyx 5209R, 5210R and 5211R.

Aside from some bugfixes related to possible inability to 
create/modify/delete users (if GeoIP is disabled), this also contains a 
major update of Milter-GeoIP itself.


Milter-GeoIP:
==============

This milter can monitor email traffic volume and can alert if users or 
vsites are sending more emails than allowed.

Besides that principal function it can also block SMTP connections if 
the sender is from a blacklisted country or blacklisted IP or IP address 
range.

For that purpose it used the free MaxMind GeoIP database, which by now 
is pretty ancient, anecdotal and outdated.

So I just switched this to use the IP Address ranges from the free 
ipdeny.com database as we have also already done for the GeoIP 
functionality in the Firewalld Package.

GeoIP itself (and the free MaxMind GeoIP database) are still used, but 
only as a fallback.


Additionally:
==============

The following ISP has now made it onto our permanent shit-list until 
hell freezes over:

UAB Host Baltic
Kaunas, Lithuania

Google Maps and Reviews:

https://www.google.com/maps/place/UAB+Host+Baltic/@54.9058159,24.0043022,17z/data=!3m1!4b1!4m6!3m5!1s0x46e7183df64f09f7:0x9c60ea60ba4640ca!8m2!3d54.9058159!4d24.0068771!16s%2Fg%2F11g9l6xqgz?entry=ttu

Their IP address ranges:

https://ipinfo.io/AS209605

For the last 3-4 months these fuckers have been HAMMERING servers under 
our management in various geographical locations. During troubleshooting 
we've also seen them attack servers of our clients in various locations, 
so this isn't just isolated or specifically aimed against us.

The attacks have been relentless, without interruption, from various 
different IP address ranges under their management against a wide array 
of different servers.

They're doing absolutely ZERO against it and it even seems to be their 
prime business model to host shady individuals and organizations to run 
attacks against anyone they please. Their support email seems to be a 
blackhole, the ticket system for reporting issues either doesn't exist 
or is for clients only and phones redirect to voicemail, even during 
their alleged business hours.

Therefore Milter-GeoIP will now (if enabled and if "Block Blacklist 
entirely" is enabled) automatically block ANY SMTP request from any IP 
address associated with that particular ISP:

-------------------------------------------------------------------------
postfix/smtpd[229531]: Anonymous TLS connection established from unknown[194.169.175.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
milter-geoip[224140]: GEOIP_CHECK: Connection from IP address: 194.169.175.10 is from UAB-HOSTBALTIC: LT
milter-geoip[224140]: BLACKLIST: Connection (194.169.175.10) is from blacklisted ISP UAB-HOSTBALTIC: LT
postfix/smtpd[229531]: NOQUEUE: milter-reject: CONNECT from unknown[194.169.175.10]: 550 5.7.1 Command rejected; proto=SMTP
postfix/smtpd[229531]: NOQUEUE: milter-reject: EHLO from unknown[194.169.175.10]: 550 5.7.1 Command rejected; proto=SMTP helo=<User>
postfix/smtpd[229531]: lost connection after AUTH from unknown[194.169.175.10]
-------------------------------------------------------------------------
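The lookup and blocking logic described above, as an added example that is not Milter-GeoIP's or BlueOnyx's own code: it assumes an ipdeny-style zone file (one CIDR per line, one file per country), with the zone data, the ISP range list and the behaviour when "Block Blacklist entirely" is off (log only) all being constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample data in ipdeny.com zone-file style (one CIDR per line).
# Illustrative only; not ipdeny's real country zone files.
ZONE_FILES = {
    "lt": "# constructed\n194.169.175.0/24\n203.0.113.0/24\n",
    "de": "198.51.100.0/24\n",
}
# Constructed: ranges the operator attributes to a blacklisted ISP.
ISP_RANGES = {"UAB-HOSTBALTIC": ["194.169.175.0/24"]}


def load_zones(zone_files):
    """Parse zone files into (network, CC) pairs, longest prefix first."""
    nets = []
    for cc, text in zone_files.items():
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                nets.append((ipaddress.ip_network(line, strict=False), cc.upper()))
    nets.sort(key=lambda n: n[0].prefixlen, reverse=True)  # most specific wins
    return nets


def lookup_country(ip, nets, fallback=None):
    """Country from zone data; the fallback (e.g. GeoIP) is consulted only on a miss."""
    addr = ipaddress.ip_address(ip)
    for net, cc in nets:
        if addr in net:  # mismatched IPv4/IPv6 versions simply do not match
            return cc
    return fallback(ip) if fallback else None


def lookup_isp(ip, isp_ranges):
    addr = ipaddress.ip_address(ip)
    for name, cidrs in isp_ranges.items():
        if any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return name
    return None


def milter_decision(ip, nets, isp_ranges, blocked_countries,
                    block_blacklist_entirely=True, fallback=None):
    """Decide a CONNECT from ip: returns (action, log line or SMTP reply)."""
    cc = lookup_country(ip, nets, fallback)
    isp = lookup_isp(ip, isp_ranges)
    hit = None
    if isp:
        hit = f"BLACKLIST: Connection ({ip}) is from blacklisted ISP {isp}: {cc}"
    elif cc and cc.lower() in blocked_countries:
        hit = f"BLACKLIST: Connection ({ip}) is from blacklisted country: {cc}"
    if hit and block_blacklist_entirely:
        return ("REJECT", "550 5.7.1 Command rejected")
    return ("CONTINUE", hit or f"GEOIP_CHECK: {ip} is from {cc or 'unknown'}")
```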

-- 
With best regards

Michael Stauber
