There is an RBL, zz.countries.nerd.dk, which will return a code based on country of origin - or if you substitute a country code (e.g. uk.countries.nerd.dk) it will return 127.0.0.1 if the host "belongs" to that country; it can be used to load the final RBL score for an individual country. I don't know how robust these people are, but they are certainly sufficient for a domestic server.

Currently, I am using a CIDR access-control-list to block (in PostScreen) hosts from certain "nuisance" countries. A weekly script derives the netblocks from the zone lists published by http://www.ipdeny.com

Allen C

On 30/05/2019 21:40, Charles Sprickman wrote:
> Hi David (and re-adding the list in case we say something interesting),
>
> “Snowshoe spam”, as I understand it, is basically a spammer sending batches
> from a list of “clean” IPs - not too many emails per IP, but lots of hosts to
> send from. By the time an IP is blacklisted, it’s already done spamming.
>
> Another theory I have is these folks work alphabetically, as the client I
> have the most issues with has a domain starting with “b” and they just see
> way more spam. Could just be random, or that it’s a very old domain (20+
> years).
>
> Anyhow, I have my own list of hosting operations that seem to just keep being
> used for this and I’d like to start them off at 4-5 points in my postscreen
> config.
>
> My typical filtering setup is Postscreen with a bunch of RBLs, and generally
> I need 3-4 of the reliable RBLs to hit a sending IP before it hits the
> threshold. After that, the mail moves to SpamAssassin. It scores most of the
> missed emails around 2-3 points, almost exclusively via Bayes.
>
> Thanks,
>
> Charles
>
>> On May 20, 2019, at 8:49 PM, David Mehler <dave.meh...@gmail.com> wrote:
>>
>> Hello,
>>
>> I don't know about the netblocks you're looking for, but what is
>> snowshoe spam? What does your spam blocking configuration look like? I
>> can send you mine if you think it would help.
>>
>> Dave.
>>
>>
>> On 5/20/19, Charles Sprickman <c...@morefoo.com> wrote:
>>> Hi all,
>>>
>>> I was looking through a few lists of RBLs and I’m not finding quite what I
>>> want.
>>>
>>> I have quite a bit of my spam blocking working fairly well, but I’m seeing
>>> quite a bit of “snowshoe spam” from a few providers. Rather than look up
>>> their netblocks and outright block them, I’d like to incorporate them into
>>> the postscreen scoring process. As time goes on, I’m sure I’ll find others,
>>> but I do see ColoCrossing and Limestone Networks as pretty consistent
>>> sources.
>>>
>>> Are there any RBLs that exclusively deal with blocking by netblock/owner
>>> that I’m missing? Or am I better off just setting up a local RBL with the
>>> things I want to cover? And while I’m asking, any interesting RBLs you
>>> folks use that are based on non-standard criteria (country-based RBLs, lists
>>> of RFC-ignorant hosts, etc.)?
>>>
>>> Thanks,
>>>
>>> Charles
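
The weekly job described in the reply at the top of this message could look like the following; this is an added example, not the poster's script, and it assumes the zone lists are plain text with one CIDR per line. The zone data and the country labels "aa" and "bb" are constructed, and the output lines are in Postfix CIDR-table form as read by postscreen_access_list.

```python
"""Build a postscreen CIDR access list from per-country zone files."""
import ipaddress

# Constructed sample input (assumed format: one CIDR per line, '#' comments).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_ZONES = {
    "aa": "# constructed zone\n192.0.2.0/25\n192.0.2.128/25\n198.51.100.0/24\n",
    "bb": "203.0.113.0/26\nnot-a-network\n203.0.113.7/26\n198.51.100.0/24\n",
}


def parse_zone(text):
    """Return (networks, rejected_lines) for the text of one zone file."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True refuses entries with host bits set, so a corrupted
            # or truncated download is reported instead of silently widened.
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            bad.append(line)
    return nets, bad


def build_access_list(zones, action="reject"):
    """Merge all zones; return (cidr_table_lines, rejected_lines)."""
    v4, v6, rejected = [], [], []
    for cc in sorted(zones):
        nets, bad = parse_zone(zones[cc])
        rejected += [f"{cc}: {b}" for b in bad]
        for net in nets:
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent and overlapping blocks and drops
    # duplicates; it cannot mix IPv4 and IPv6, hence the two lists.
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return [f"{net.with_prefixlen}\t{action}" for net in merged], rejected


if __name__ == "__main__":
    table, skipped = build_access_list(SAMPLE_ZONES)
    print("\n".join(table))
    for entry in skipped:
        print("skipped:", entry)
```

Writing the table to a temporary file and renaming it into place only when the skipped list is empty keeps a bad download from replacing a working access list.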