[BlueOnyx:24383] 5209R/5210R AV-SPAM Update

Michael Stauber mstauber at blueonyx.it
Wed Oct 14 00:30:58 -05 2020


Hi all,

Just a small heads up to AV-SPAM users:

The AV-SPAM for 5209R and 5210R has an update available on NewLinQ.

In the "AV-SPAM" / "GeoIP" tab you'll now find a switch to enable "IP
Address bans" and there is also a form field where you can enter IP
address ranges that you want to block from accessing your MTA.

It works like this: If an IP address connects to your MTA (Sendmail or
Postfix) that's in one of the blocked ranges, then the MTA will reject
all commands. Neither SMTP-Auth nor email delivery, relaying or any
other MTA related transaction will be allowed for that IP.

Before you ask: Yes, you could also create firewall rules to achieve the
same purpose, but I always thought this was an option that a sensible
MTA should have: Bans by IP or entire Networks.

Likewise, the existing GeoIP related function "Block Blacklist entirely"
now works in the same fashion and blocks ALL access. In the past it only
blocked incoming emails from blacklisted countries. Now it blocks all
MTA accesses from said countries instead.

If you for example tick the checkbox "IR" (Iran) in your GeoIP Blacklist
on that GUI page, then any SMTP related connection (including SMTP-Auth)
from an IP known to be in Iran will be blocked. Of course the (free)
GeoIP database isn't entirely accurate, but it sure helps to tone down
the crescendo of brute force login attempts against SMTP once you put a
whole bunch of third world countries onto the blacklist.

The "WHOIS checks" feature has also been backported from the 5210R
AV-SPAM to the 5209R AV-SPAM.

This serves two purposes:

1) "Block fresh WHOIS" (optional): If an email is from a domain that's
newer than 7 days (or had a WHOIS update in the last 7 days), then you
can reject the email at the MTA level if this option is ticked. Only
works for certain registrars. This feature was added to deal with large
SPAM farms that use the GoDaddy or Tucows API to quickly rotate domains
to different DNS servers and IPs to evade IP address blocks and RBL
blacklisting.

2) "Block national TLDs": If you use the GeoIP feature to block certain
countries, then (if this checkbox is ticked) emails from the
top-level-domain of that country can also be rejected at the MTA level.
Example: You have "RU" (Russia) blocked, but someone uses a server in
the US to send you an email from a *.ru domain or uses an email address
with a *.ru domain. That would normally pass the GeoIP check as it
didn't originate from a Russian IP. But now it'll get blocked based on
the *.ru TLD.

-- 
With best regards

Michael Stauber
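
The decision logic described in this post (IP range bans, GeoIP country bans applying to every SMTP command, the national-TLD check on the sender domain and the 7-day "fresh WHOIS" rejection), written out as an added example. This is not the AV-SPAM code; the ban ranges, the GeoIP table, the WHOIS dates and the date of "today" are all constructed stand-ins for the module's real lookups.

```python
import ipaddress
from datetime import date, timedelta

# Constructed policy, mirroring the GUI options described in the post (not AV-SPAM's real config).
BANNED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:bad::/48")]
BLACKLISTED_COUNTRIES = {"IR", "RU"}   # GeoIP blacklist checkboxes
BLOCK_NATIONAL_TLDS = True             # "Block national TLDs"
BLOCK_FRESH_WHOIS = True               # "Block fresh WHOIS"
FRESH_DAYS = 7
TODAY = date(2020, 10, 14)             # constructed "now" so the example is deterministic

# Constructed stand-in for the GeoIP database: prefix -> ISO country code.
GEOIP_TABLE = {ipaddress.ip_network("203.0.113.0/24"): "RU",
               ipaddress.ip_network("192.0.2.0/24"): "US"}

# Constructed stand-in for a WHOIS lookup: domain -> last creation/update date.
WHOIS_DATES = {"fresh-spam.example": date(2020, 10, 12)}


def geoip_country(ip):
    """Return the country code for an address, or None if the database has no entry."""
    for net, cc in GEOIP_TABLE.items():
        if ip in net:
            return cc
    return None


def connection_allowed(client_ip):
    """Connect-time check: a hit rejects every command, SMTP-Auth included."""
    ip = ipaddress.ip_address(client_ip)
    for net in BANNED_RANGES:          # explicit IP address / network bans first
        if ip in net:
            return False, f"ip-ban {net}"
    cc = geoip_country(ip)
    if cc in BLACKLISTED_COUNTRIES:    # "Block Blacklist entirely"
        return False, f"geoip {cc}"
    return True, "ok"


def sender_allowed(mail_from, today=TODAY):
    """MAIL FROM check: national TLD of a blacklisted country, or a domain newer than FRESH_DAYS."""
    domain = mail_from.rsplit("@", 1)[-1].lower().rstrip(".")
    tld = domain.rsplit(".", 1)[-1].upper()
    # Assumes the ccTLD equals the ISO code; that holds for .ru/.ir but not for e.g. .uk (GB).
    if BLOCK_NATIONAL_TLDS and tld in BLACKLISTED_COUNTRIES:
        return False, f"national-tld .{tld.lower()}"
    if BLOCK_FRESH_WHOIS:
        changed = WHOIS_DATES.get(domain)   # None when the registrar is not supported
        if changed is not None and today - changed < timedelta(days=FRESH_DAYS):
            return False, "fresh-whois"
    return True, "ok"
```

Both functions return the reason alongside the verdict so the rejection can be logged with the rule that fired, which makes false positives from an inaccurate GeoIP entry easy to spot in the mail log.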


