At a bare minimum, do the same blocking for AWS. The jq program mentioned on the page works great.
http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
I block the cloud services as they hack me. There aren't many left that I haven't seen. Sadly my VPS, Digital Ocean, has an email hacker that I just can't get DO to shut down. I assure you I'm costing them plenty in tech support. You can do a search on stretchoid.com if you want to learn more about the offender.
I have an additional list of EDU ip addresses that probably are doing research, but won't let me opt out.
bgp.he.net is one way to get IP space listings.
Original Message
From: lists@merit.unu.edu
Sent: July 29, 2017 11:39 AM
To: dovecot@dovecot.org
Subject: Re: under another kind of attack
On 07/29/2017 07:44 PM, Doug Barton wrote:
On 07/25/2017 07:54 AM, mj wrote:
Since we implemented country blocking,
Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult.
Perhaps I need to be more specific:
I block certain countries from accessing imap/smtp directly, as that is where all the botnets seem to be trying their passwords.
I do not block entire countries from accessing us completely (the hammer) but rather block their access of imap and smtp for my mailserver. (this is what I like to see as a precision tool)
For the record I improved my iptables rules a lot compared to the mail you replied to. I am now using a chain, like this:
$IPTABLES -N filter_countries
$IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
$IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP
and then:
$IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries
This makes it a lot more efficient, compared to the (many) rules I was using earlier.
MJ
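As an added example (not code from either poster), the AWS ip-ranges.json approach from the first reply combined with MJ's chain-per-list layout: the JSON below is a constructed sample in the shape of the real file, and the chain name filter_clouds and the EC2-only filter are assumptions of mine.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json (not real
# AWS data). The real file also carries an "ipv6_prefixes" list, not handled here.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2017-07-29-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

MAIL_PORTS = (143, 993, 465)  # imap, imaps, smtps, the same ports as MJ's rules


def cloud_prefixes(ip_ranges_json, services=("EC2",)):
    """Return collapsed IPv4 networks for the given AWS services.

    Filtering on service keeps only instance address space (EC2) rather than
    CDN or storage endpoints, and collapsing merges adjacent or nested prefixes
    so the chain ends up with fewer rules (the efficiency MJ is after).
    """
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] in services]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def iptables_rules(prefixes, chain="filter_clouds", ports=MAIL_PORTS):
    """Emit iptables commands in the chain-per-list style of filter_countries.

    Like MJ's rules, the chain is only hooked into the mail ports, so the
    blocked ranges can still reach the web server or anything else.
    """
    rules = ["iptables -N %s" % chain]
    rules += ["iptables -A %s -s %s -j DROP" % (chain, p) for p in prefixes]
    rules += ["iptables -I INPUT 1 -p tcp --dport %d -j %s" % (port, chain)
              for port in ports]
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(cloud_prefixes(SAMPLE_IP_RANGES)):
        print(rule)
```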