under another kind of attack

Gary Sellani lists at lazygranch.com
Sun Jul 30 06:25:13 EEST 2017


At a bare minimum, do the same blocking for AWS. The jq program mentioned on the page works great.

http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

I block the cloud services as they hack me. There aren't many left that I haven't seen. Sadly my VPS, Digital Ocean, has an email hacker that I just can't get DO to shut down. I assure you I'm costing them plenty in tech support. You can do a search on stretchoid.com if you want to learn more about the offender. 

I have an additional list of EDU IP addresses that probably are doing research, but won't let me opt out.

bgp.he.net is one way to get IP space listings.  

  Original Message  
From: lists at merit.unu.edu
Sent: July 29, 2017 11:39 AM
To: dovecot at dovecot.org
Subject: Re: under another kind of attack



On 07/29/2017 07:44 PM, Doug Barton wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
> 
> Please don't do that. Balkanizing the Internet doesn't really benefit 
> anyone, and makes innovation a lot more difficult.

Perhaps I need to be more specific:

I block certain countries from accessing imap/smtp directly, as that is 
where all the botnets seem to be trying their passwords.

I do not block entire countries from accessing us completely (the 
hammer) but rather block their access of imap and smtp for my 
mailserver. (this is what I like to see as a precision tool)

For the record I improved my iptables rules a lot compared to the mail 
you replied to. I am now using a chain, like this:

> $IPTABLES -N filter_countries
> $IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
> $IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP

and then:

> $IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
> $IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
> $IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries

This makes it a lot more efficient, compared to the (many) rules I was 
using earlier.

MJ

