I have MagicSpam Pro enabled in cPanel on my web Linux based host, and recently started digging deeper to kill some of the spam that is still getting through. Specifically, I have started reviewing the HAM logs for the biggest offenders and putting their IP's in the "ip_blacklist.lst" file. I have noticed that the worst offenders have multiple sequential IP's from a common subnet.
<b>Is there any way to block an entire subnet in the list (using wildcards, for example?)</b> I would love to just be able to enter "128.177.127.*" as opposed to having to enter each individual IP and hoping the spammer eventually runs out of IP's.
Blocking an IP range / subnet in ip_blacklist.lst?
Re: Blocking an IP range / subnet in ip_blacklist.lst?
Hello djwljr,
Thank you for your post and your question. Currently we do not support IP ranges or networks in our exemption lists. However this is a frequently sought after feature and we have passed on this information to our development team for review.
We might suggest taking some of these "worst offender" IP addresses and checking to see if they are on any reputation lists (http://www.linuxmagic.com/products/bms/). Then, if you notice many IP addresses are on the same list, you might consider enabling that list in MagicSpam. This way you can address the spam issue without having to chase around IP addresses trying to blacklist them all (a very work-intensive and never-ending process).
Thank you for supporting Magicspam!
-- MagicSpam Support Team --
Thank you for your post and your question. Currently we do not support IP ranges or networks in our exemption lists. However this is a frequently sought after feature and we have passed on this information to our development team for review.
We might suggest taking some of these "worst offender" IP addresses and checking to see if they are on any reputation lists (http://www.linuxmagic.com/products/bms/). Then, if you notice many IP addresses are on the same list, you might consider enabling that list in MagicSpam. This way you can address the spam issue without having to chase around IP addresses trying to blacklist them all (a very work-intensive and never-ending process).
Thank you for supporting Magicspam!
-- MagicSpam Support Team --
Re: Blocking an IP range / subnet in ip_blacklist.lst?
Thank you for the followup and the information.
Based on your advice, I started spot checking IP's against the reputation lists that I had manually blocked, that were getting through. So far, all of the IP's that I have checked are already on at least one list that I already have enabled in MagicSpam Pro.
Which beings me to the following questions (I understand some of these are probably questions for the list maintainers themselves):
1. Is there something I or my hosting company needs to do to ensure their reputation lists are "up-to-date"? (Does MagicSpam Pro have to be manually updated to ensure it is using the latest lists, or does it pull from the list maintainers in "real time"? )
2. Secondly, how do these reputation lists get updated? What is the process? What is the typical delay between when spam is sent from a new IP and when it gets added to a list?
3. Finally, do reputation list maintainers automatically list entire IP ranges (assuming the spammer sends multiple emails from multiple IP addresses in a range,) or is it always a single listing per IP?
Thanks in advance for answering my questions!
Based on your advice, I started spot checking IP's against the reputation lists that I had manually blocked, that were getting through. So far, all of the IP's that I have checked are already on at least one list that I already have enabled in MagicSpam Pro.
Which beings me to the following questions (I understand some of these are probably questions for the list maintainers themselves):
1. Is there something I or my hosting company needs to do to ensure their reputation lists are "up-to-date"? (Does MagicSpam Pro have to be manually updated to ensure it is using the latest lists, or does it pull from the list maintainers in "real time"? )
2. Secondly, how do these reputation lists get updated? What is the process? What is the typical delay between when spam is sent from a new IP and when it gets added to a list?
3. Finally, do reputation list maintainers automatically list entire IP ranges (assuming the spammer sends multiple emails from multiple IP addresses in a range,) or is it always a single listing per IP?
Thanks in advance for answering my questions!
Re: Blocking an IP range / subnet in ip_blacklist.lst?
Hello djwljr,
Thanks for your reply and for your questions. Unfortunately, the answers to your questions almost all start with "it depends", but we will try to give you some good answers.
In addition to the IP reputation, this is where the SMTP rules really come into play. You are probably using our recommended set for now, which is usually very safe and very effective, but you may want to look into enabling additional rules.
Thanks again for your post and for your questions! If you need any help with the SMTP policy rules, please let us know and we can provide some suggestions.
--MagicSpam Support Team --
Thanks for your reply and for your questions. Unfortunately, the answers to your questions almost all start with "it depends", but we will try to give you some good answers.
You don't need to do anything, this is handled by MagicSpam automatically. Note that MagicSpam uses BMS (http://www.linuxmagic.com/products/bms/) optimized reputation lists in order to give you better performance; but this does mean that the BMS lists do need to come from our servers. Most of the time this isn't a problem, but we are interested in hearing about cases were it could be causing issues for our customers (perhaps this is one of those cases).1. Is there something I or my hosting company needs to do to ensure their reputation lists are "up-to-date"? (Does MagicSpam Pro have to be manually updated to ensure it is using the latest lists, or does it pull from the list maintainers in "real time"? )
As mentioned, this is handled by MagicSpam automatically and your server will download fresh BMS lists four times per day (if there is an update to the list). Any delay would simply be a case of bad timing. A worst-case example would be if your server just downloaded a fresh BMS list and then a new outbreak occurred immediately after this.2. Secondly, how do these reputation lists get updated? What is the process? What is the typical delay between when spam is sent from a new IP and when it gets added to a list?
In addition to the IP reputation, this is where the SMTP rules really come into play. You are probably using our recommended set for now, which is usually very safe and very effective, but you may want to look into enabling additional rules.
This one is unfortunately outside of our control, and therefor it really depends on what each of the list maintainers is doing. Many of them stick to single IP address listings, but we do see cases where if the large majority of a subnet was sending spam the list maintainer may decide to list that entire subnet.3. Finally, do reputation list maintainers automatically list entire IP ranges (assuming the spammer sends multiple emails from multiple IP addresses in a range,) or is it always a single listing per IP?
Thanks again for your post and for your questions! If you need any help with the SMTP policy rules, please let us know and we can provide some suggestions.
--MagicSpam Support Team --
Re: Blocking an IP range / subnet in ip_blacklist.lst?
Thank you very much for the detailed and timely response!
For the record I don't necessarily think that my web host is caching the lists, but that is why I asked about how that works, whether the list maintainers blocking IP ranges versus individual IPs, and the delays between spam being sent, reported, listed, and blocked, etc.
I suspect the spam that is getting through is very likely from previously unused or unlisted IPs in a consecutive range that the spammers set up and then burn through before moving to a new IP range. Those IPs do get added to the reputation lists, but by then at least some spam has already been delivered.
My rampage against spam (my "spamprage?...my "sprampage?") has been nothing if not educational.
Thanks again for the info!
For the record I don't necessarily think that my web host is caching the lists, but that is why I asked about how that works, whether the list maintainers blocking IP ranges versus individual IPs, and the delays between spam being sent, reported, listed, and blocked, etc.
I suspect the spam that is getting through is very likely from previously unused or unlisted IPs in a consecutive range that the spammers set up and then burn through before moving to a new IP range. Those IPs do get added to the reputation lists, but by then at least some spam has already been delivered.
My rampage against spam (my "spamprage?...my "sprampage?") has been nothing if not educational.
Thanks again for the info!
Who is online
Users browsing this forum: No registered users and 4 guests