Blocking an IP range / subnet in ip_blacklist.lst?

This is the area for a general support questions, discussions and information that you can read and share. Post your experiences, stats and tricks and tips that are not covered elsewhere. Remember, for questions please search the FAQ first, as your question may already be answered.

Moderators: wizard, magicspam

Post Reply
djwljr
Posts: 3
Joined: Tue Jun 16, 2015 6:18 am

Blocking an IP range / subnet in ip_blacklist.lst?

Post by djwljr » Tue Jun 16, 2015 6:53 am

I have MagicSpam Pro enabled in cPanel on my web Linux based host, and recently started digging deeper to kill some of the spam that is still getting through. Specifically, I have started reviewing the HAM logs for the biggest offenders and putting their IP's in the "ip_blacklist.lst" file. I have noticed that the worst offenders have multiple sequential IP's from a common subnet.

<b>Is there any way to block an entire subnet in the list (using wildcards, for example?)</b> I would love to just be able to enter "128.177.127.*" as opposed to having to enter each individual IP and hoping the spammer eventually runs out of IP's.

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Blocking an IP range / subnet in ip_blacklist.lst?

Post by magicspam » Tue Jun 16, 2015 8:53 am

Hello djwljr,

Thank you for your post and your question. Currently we do not support IP ranges or networks in our exemption lists. However this is a frequently sought after feature and we have passed on this information to our development team for review.

We might suggest taking some of these "worst offender" IP addresses and checking to see if they are on any reputation lists (http://www.linuxmagic.com/products/bms/). Then, if you notice many IP addresses are on the same list, you might consider enabling that list in MagicSpam. This way you can address the spam issue without having to chase around IP addresses trying to blacklist them all (a very work-intensive and never-ending process).

Thank you for supporting Magicspam!

-- MagicSpam Support Team --

djwljr
Posts: 3
Joined: Tue Jun 16, 2015 6:18 am

Re: Blocking an IP range / subnet in ip_blacklist.lst?

Post by djwljr » Wed Jul 29, 2015 6:31 am

Thank you for the followup and the information.

Based on your advice, I started spot checking IP's against the reputation lists that I had manually blocked, that were getting through. So far, all of the IP's that I have checked are already on at least one list that I already have enabled in MagicSpam Pro.

Which beings me to the following questions (I understand some of these are probably questions for the list maintainers themselves):

1. Is there something I or my hosting company needs to do to ensure their reputation lists are "up-to-date"? (Does MagicSpam Pro have to be manually updated to ensure it is using the latest lists, or does it pull from the list maintainers in "real time"? )

2. Secondly, how do these reputation lists get updated? What is the process? What is the typical delay between when spam is sent from a new IP and when it gets added to a list?

3. Finally, do reputation list maintainers automatically list entire IP ranges (assuming the spammer sends multiple emails from multiple IP addresses in a range,) or is it always a single listing per IP?

Thanks in advance for answering my questions!

magicspam
Posts: 1563
Joined: Tue Oct 28, 2008 2:27 pm

Re: Blocking an IP range / subnet in ip_blacklist.lst?

Post by magicspam » Thu Jul 30, 2015 10:54 am

Hello djwljr,

Thanks for your reply and for your questions. Unfortunately, the answers to your questions almost all start with "it depends", but we will try to give you some good answers.
1. Is there something I or my hosting company needs to do to ensure their reputation lists are "up-to-date"? (Does MagicSpam Pro have to be manually updated to ensure it is using the latest lists, or does it pull from the list maintainers in "real time"? )
You don't need to do anything, this is handled by MagicSpam automatically. Note that MagicSpam uses BMS (http://www.linuxmagic.com/products/bms/) optimized reputation lists in order to give you better performance; but this does mean that the BMS lists do need to come from our servers. Most of the time this isn't a problem, but we are interested in hearing about cases were it could be causing issues for our customers (perhaps this is one of those cases).
2. Secondly, how do these reputation lists get updated? What is the process? What is the typical delay between when spam is sent from a new IP and when it gets added to a list?
As mentioned, this is handled by MagicSpam automatically and your server will download fresh BMS lists four times per day (if there is an update to the list). Any delay would simply be a case of bad timing. A worst-case example would be if your server just downloaded a fresh BMS list and then a new outbreak occurred immediately after this.
In addition to the IP reputation, this is where the SMTP rules really come into play. You are probably using our recommended set for now, which is usually very safe and very effective, but you may want to look into enabling additional rules.
3. Finally, do reputation list maintainers automatically list entire IP ranges (assuming the spammer sends multiple emails from multiple IP addresses in a range,) or is it always a single listing per IP?
This one is unfortunately outside of our control, and therefor it really depends on what each of the list maintainers is doing. Many of them stick to single IP address listings, but we do see cases where if the large majority of a subnet was sending spam the list maintainer may decide to list that entire subnet.

Thanks again for your post and for your questions! If you need any help with the SMTP policy rules, please let us know and we can provide some suggestions.
--MagicSpam Support Team --

djwljr
Posts: 3
Joined: Tue Jun 16, 2015 6:18 am

Re: Blocking an IP range / subnet in ip_blacklist.lst?

Post by djwljr » Thu Jul 30, 2015 12:33 pm

Thank you very much for the detailed and timely response!

For the record I don't necessarily think that my web host is caching the lists, but that is why I asked about how that works, whether the list maintainers blocking IP ranges versus individual IPs, and the delays between spam being sent, reported, listed, and blocked, etc.

I suspect the spam that is getting through is very likely from previously unused or unlisted IPs in a consecutive range that the spammers set up and then burn through before moving to a new IP range. Those IPs do get added to the reputation lists, but by then at least some spam has already been delivered.

My rampage against spam (my "spamprage?...my "sprampage?") has been nothing if not educational.

Thanks again for the info!

Post Reply

Return to “General Discussions and Support Questions”

Who is online

Users browsing this forum: No registered users and 1 guest