Best practice to block an IP or Network?

Sep 17, 2020
Hello,

I added a who->blacklist->IP-Network-> and the offender's IP block.
Messages from that IP range are still being delivered (quarantined); I want to simply reject them.

Now this may also involve rules.

We have our blacklist rule blocking "what objects". I went in there and also added "blacklist", so it appears like I will block from both lists.
Previously it was only "what objects"; could this be why it only got quarantined?
And does this work, putting two sets of criteria in the blacklist rule, and if so, does order make a difference?

Thanks
 
Does it work if you set the IP 23.247.5.210 instead of a range?
I would suggest creating individual rules for the who and what objects for easy troubleshooting.

Instead of filtering via IP, you can create a who object for a top-level domain with a regex. Just blocking/quarantining all *.top domains is an option.

The problem is that they send from literally hundreds of domains, but from the same servers.
Wow, creating all those regexes is just too much work for something that should work as it says: block network.
I may end up tweaking code and simply using iptables.
It's disappointing that I'm not seeing the blocks of these different things between domains and IPs; it's feeling like nothing more than Postfix with RBLs.

This is why I keep asking and trying to make sure I'm doing what the manual and the options show as the right approach.


Also, do you happen to know this from above:
"We have our blacklist rule blocking "what objects". I went in there and also added "blacklist", so it appears like I will block from both lists.
Previously it was only "what objects"; could this be why it only got quarantined?
And does this work, putting two sets of criteria in the blacklist rule, and if so, does order make a difference?"

Thanks for your help!!!!
 
Spam filtering/fighting is not easy. As you said, there are hundreds/thousands of domains/mail servers/IPs that are capable of sending spam mails.
You will always need to update/maintain your spam filtering lists/rules regularly.

There are different types of spam filters for different criteria:
    Content filters – parse the content of messages, scanning for words that are commonly used in spam emails.
    Header filters – examine the email header source to look for suspicious information (such as spammer email addresses).
    Blocklist filters – stop emails that come from a blocklist of suspicious IP addresses. Some filters go further and check the IP reputation of the IP address.
    Rules-based filters – apply customized rules designed by the organization to exclude emails from specific senders, or emails containing specific words in their subject line or body.
 
Here are the rules, the who object and a sample header....
Thanks
Could you also post the (unchanged) logs for this mail from PMG (if possible as plain text in code tags)? On first sight it looks like the rule should have blocked the mail (if it arrived on the external port).
 
@Stoiko Ivanov The headers ONLY have the recipient's email address changed.
I'm guessing you're asking for a piece of mail.log; is there a way to provide it unedited to you, without sharing it on the list?

It would be a lot of information to change so that you can see the 30-second snapshot of the log.

Connect line from mail.log:
Oct 20 20:25:32 mgw postfix/postscreen[30455]: CONNECT from [23.247.5.210]:44479 to [mgw IP]:25

Based on what I'm seeing in documentation, both for domain/email and ip blocking, I'm not feeling like I'm being successful.

Thanks
 
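To check, outside of the GUI, whether the connecting IP in the postscreen CONNECT line above actually falls inside the network that was entered in the who object, and whether the regex-per-TLD approach suggested earlier in the thread matches a given sender, here is a small Python script. It is an added example, not code from the thread or from Proxmox Mail Gateway; the /24 block, the second log line and the sender addresses are constructed for the demonstration, since the thread does not state which range was configured.

```python
import ipaddress
import re

# Constructed sample log lines: the first has the shape of the postscreen
# CONNECT line quoted in the thread (server IP replaced with a documentation
# address), the second is an unrelated client for contrast.
LOG_LINES = [
    "Oct 20 20:25:32 mgw postfix/postscreen[30455]: CONNECT from [23.247.5.210]:44479 to [192.0.2.25]:25",
    "Oct 20 20:25:40 mgw postfix/postscreen[30455]: CONNECT from [198.51.100.7]:51022 to [192.0.2.25]:25",
]

# Assumed blocked network (the thread only says "IP range"). strict=False
# mirrors what a GUI form usually tolerates: host bits in the entered value
# are masked off instead of raising an error.
BLOCKED_NETWORKS = [ipaddress.ip_network("23.247.5.0/24", strict=False)]

# Regex in the spirit of a who object that matches a whole top-level domain:
# the sender's domain must end in ".top" (case-insensitive).
TLD_BLOCK_RE = re.compile(r"@[^@\s]+\.top$", re.IGNORECASE)

# Extracts the client address from a postscreen CONNECT line.
CONNECT_RE = re.compile(r"postscreen\[\d+\]: CONNECT from \[([0-9a-fA-F.:]+)\]:\d+")


def connecting_ips(lines):
    """Return the client IPs from postscreen CONNECT lines, in order."""
    ips = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def ip_is_blocked(ip, networks=BLOCKED_NETWORKS):
    """True if the (string or ip_address) client address lies in any blocked network."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in networks)


def sender_is_blocked(sender):
    """True if the envelope sender address ends in a blocked top-level domain."""
    return TLD_BLOCK_RE.search(sender.strip()) is not None


def decide(ip, sender):
    """'reject' when either the network or the TLD criterion matches, else 'accept'."""
    if ip_is_blocked(ip) or sender_is_blocked(sender):
        return "reject"
    return "accept"


if __name__ == "__main__":
    for ip in connecting_ips(LOG_LINES):
        print(ip, "blocked" if ip_is_blocked(ip) else "not blocked")
    for addr in ("offer@example.top", "info@example.com"):
        print(addr, sender_is_blocked(addr))
```

If the first line prints "not blocked" for 23.247.5.210 after you substitute the range you really entered, the range itself is the problem rather than the rule order. Note that the network check applies to the connecting client address from the CONNECT line, not to addresses found in Received headers of the message body.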
> Spam filtering/fighting is not easy. As you said, there are hundreds/thousands of domains/mail servers/IPs that are capable of sending spam mails.
> You will always need to update/maintain your spam filtering lists/rules regularly.
>
> There are different types of spam filters for different criteria:
>     Content filters – parse the content of messages, scanning for words that are commonly used in spam emails.
>     Header filters – examine the email header source to look for suspicious information (such as spammer email addresses).
>     Blocklist filters – stop emails that come from a blocklist of suspicious IP addresses. Some filters go further and check the IP reputation of the IP address.
>     Rules-based filters – apply customized rules designed by the organization to exclude emails from specific senders, or emails containing specific words in their subject line or body.
Yes, I agree. I have been doing this on regular CentOS/Postfix servers for over 20 years, but in Postfix I know which file to add certain items to in order to block, I can add iptables rules to block IPs, etc.

Here I'm trying to have the nice functionality of the GUI, and be able to say, block IP address X and simply have it work.

I was hoping not to start building, for example, my iptables scripts and such to start blocking a list of IPs, but to allow anyone on the IT team to easily add something via the GUI without having to learn every aspect of how we did it.
 
So far PMG's mail filtering feature is very good and able to filter most of the email header fields for me.
It still lacks some extra features like UTF-8 support and body filtering, but I think I can use a SpamAssassin custom rule to filter that too.
 