How do I import a boatload of IP addresses for blacklisting? [message #145326]
Sat, 23 March 2019 01:05
SenseiNYC
Messages: 3 Registered: March 2019
I have over 1,000 IPv4 blocks that I want to block. Various blocks from all over the world. About 16,000 IPv4 blocks in total. I really do not want to add each one manually, and honestly that would be ridiculous to have to do so. I see there is no way to import a list of IPv4 blocks such as:
42.2.0.0/8
153.21.0.0/16
Again, we are talking a few THOUSAND IPv4 blocks. I tried browsing around the Kerio installation folder to hopefully find the file in which the blacklist configuration is located, no such luck.
Helpful suggestions welcomed. Thanks.
Re: How do I import a boatload of IP addresses for blacklisting? [message #145344 is a reply to message #145341]
Mon, 25 March 2019 17:31
Maerad
Messages: 275 Registered: August 2013
SenseiNYC wrote on Mon, 25 March 2019 13:17:
I am currently using my firewall to do the task but that is not the point. I am asking about doing it in Kerio and alleviating the stress from the firewall. The firewall can only REJECT, I want all IP blocks in the list to mark/tag - not block them. This is why I need it on Kerio, not the firewall.

With all due respect, the mailserver will be more under fire with something like this than your firewall. And if the firewall has a problem with rejecting 42.2.0.0/8, 153.21.0.0/16 in terms of performance, you should really get a new one. Hell, even a Raspi with pfSense would idle with a simple task like that.
If you REALLY want to do this with Kerio, you add a new group under "IP Address groups" and below the new group you can add IP address ranges like 42.2.0.1-42.2.255.254 for 42.2.0.0/8 or as mask with network 42.2.0.0 with Netmask 255.0.0.0 (that's /8).
In the tab Spamfilter you select under Blacklist "Use IP Address Group" and select the new group you have added. That way you can add multiple IP ranges to one group to be blocked.
But like I said - this is something that should be done in the firewall and NOT in the mailserver. I mean, it should be possible to add a filter in the firewall logs to see those address ranges being rejected, or?
EDIT:
Damn, I just discovered you wanna add 4k of subnets like that, misread that. Dude. Honestly. No. Just No. What are those subnets? From a spamlist? Use Kerio's spam filter with SpamCop etc. If it's geoIP blocking - do that in the firewall and use it with automatic updates.
Kerio will do a spam lookup EVERY TIME there is a mail transferred! And it needs to look up a fucking huge IP address file for that. THAT will be funny. Even more so, if the process is locked to one core/thread. This HAS to be done on firewall level! Get pfSense as firewall, add Suricata for additional protection and pfBlockerNG for GeoIP and whatever blocking. Really.
Another solution would be a spam filter proxy set before Kerio Connect. Those are made to handle something like you want and add additional headers to mails to let Kerio do an additional rule. I believe Kerio can also do it, but the performance impact would be really bad. I know what you're trying to do, but as long as Kerio has no option like that, it's also not tailored for it. Like geoIP blocking/spam tag increase if it's .ru .ga or whatever.
If you really wanna try it, open the mailserver.cfg and add those with the lines under
<list name="IpAccessList">
<listitem>
<variable name="Name">Local clients</variable>
... and so on. Add the groups like I said and do a copy/paste to create the additional lines with Excel or whatever you can use for that task. But this WILL blow up your mailserver.cfg and most likely kick the server in the nuts. It's simply not made for this kind of work. You can block some specific addresses, but I'm sure they never made it for like 200 million IP addresses. That's also why there is no import feature.
[Updated on: Mon, 25 March 2019 17:55]
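An added example, not part of either post and not Kerio tooling: before pasting thousands of blocks into an IP address group, a list can be validated and merged so that far fewer entries are needed. It goes slightly beyond the thread by normalizing entries with host bits set and collapsing overlapping or adjacent blocks. The input format (one CIDR per line, `#` comments) and the output columns are assumptions, and writing the rows into the address group or mailserver.cfg is left out because the thread shows only a fragment of that file.

```python
import ipaddress

# Constructed sample input. The first two entries are the ones quoted in the
# thread; the rest are made up to exercise merging and error handling.
SAMPLE = """\
42.2.0.0/8
153.21.0.0/16
153.21.4.0/24
198.51.100.0/25
198.51.100.128/25
# comment line
not-an-ip
"""

def parse_blocks(text):
    """Parse one CIDR per line; return (networks, rejected).

    strict=False masks off host bits instead of raising, so an entry such as
    42.2.0.0/8 is read as the network 42.0.0.0/8.
    """
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))
    return nets, rejected

def build(text):
    """Return (rows, rejected, parsed_count, covered_addresses)."""
    nets, rejected = parse_blocks(text)
    # collapse_addresses drops subnets already covered and merges neighbours.
    merged = list(ipaddress.collapse_addresses(nets))
    rows = [(str(n.network_address), str(n.netmask), str(n[0]), str(n[-1]))
            for n in merged]
    covered = sum(n.num_addresses for n in merged)
    return rows, rejected, len(nets), covered

if __name__ == "__main__":
    rows, rejected, parsed, covered = build(SAMPLE)
    print(f"{parsed} parsed -> {len(rows)} after merging, {covered} addresses")
    for lineno, entry in rejected:
        print(f"rejected line {lineno}: {entry!r}")
    print("network,netmask,first,last")
    for row in rows:
        print(",".join(row))
```

The covered-address total is worth reading before importing anything: a single /8 accounts for over 16 million addresses, so one mistyped prefix length can tag far more mail than intended.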
Re: How do I import a boatload of IP addresses for blacklisting? [message #145597 is a reply to message #145344]
Fri, 19 April 2019 19:40
SenseiNYC
Messages: 3 Registered: March 2019
We are using a Netgate XG7100-1U (pfSense) currently with pfBlocker and still some things do slip through the cracks. We wish to load a few hundred to a few thousand blocks so your suggestion won't work. The customer is a small private hospital and there are only specific places that email should be coming in from. This is why we wish to block out as much trash as possible.