1

Topic: Blacklisting by CIDR Network Problems

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3
- Deployed with iRedMail Easy or the downloadable installer?  Downloadable Installer
- Linux/BSD distribution name and version: Debian 10.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Y
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have multiple CIDR Network blocks set up in my blacklist.

173.232.33.0/24  is working.
50.2.209.0/24 is not.   

I have to manually put in entries such as

50.2.209.156
50.2.209.164

The only thing that I can see obviously is that 50.0.0.0  is a class A network and 173.232.33.0 is a class C.  Since network classes are pretty much a thing of the past and only subnet masks really matter anymore, I doubt whether this is related, but it's the only thing I can see which could possibly be relevant.

I can see in my admin panel where specific IPs such as 50.2.209.156 are blocking.   Class C networks are blocking.   50.2.209.0/24 is not blocking.

Any ideas?

2

Re: Blacklisting by CIDR Network Problems

Let me update the above information.

It looks like CIDR Network blocks were only working prior to updating my system yesterday.  My block on 170.130.68.0/24 is failing and I'm having to put each individual IP in manually as the spammer keeps changing their network addresses.  In the last few hours, I've had to add 170.130.68.10,  .16,  .4 and .6 when before it was enough to block the subnet.

3

Re: Blacklisting by CIDR Network Problems

Where do you put this blacklist?

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

4

Re: Blacklisting by CIDR Network Problems

I was putting the blacklist in iRedAdmin-Pro console -> System -> Whitelists & Blacklists in the section labelled "For Inbound Mails" in the box "Blacklisted senders".  Single IP entries work.   CIDR Network entries are being ignored since the last upgrade.  I'm not policing my logs like I used to when I was using iRedMail to manage 20+ domains for a few hundred users.  It's possible that CIDR network addresses broke at some other point in time.  I know they used to work reliably when configured inside iRedAdmin-Pro.

I gave up using iRedAdmin Pro to manage the blocked addresses and about a week ago I created cidr:/etc/postfix/blacklist and now I'm handling it there.  No problem with CIDR network blocks at the Postfix level.

I have one spammer who is regularly changing their hostname and IP address using an identifiable pattern.

The server names always match *.webstudio*.com and they stay with the same hosting provider and in the same network address ranges.  iRedAdmin-Pro couldn't handle the hostname pattern changes, but it used to be trivial to block their network.

I notice in my logs that most recently they're sending mail from <mail-a.webstudioninetysix.com[170.130.68.88]>

It would be nice if the regex/wildcard for iRedAdmin-Pro could handle this sort of domain block pattern, but I suspect this is a one-off and not typical of most spammers.

5

Re: Blacklisting by CIDR Network Problems

drak wrote:

It's possible that CIDR network addresses broke at some other point in time.  I know they used to work reliably when configured inside iRedAdmin-Pro.

Would you mind sharing this CIDR network address you put in iRedAdmin-Pro? Also give me one or a few real IP addresses for validation.

drak wrote:

The server names always match *.webstudio*.com and they stay with the same hosting provider and in the same network address ranges.  iRedAdmin-Pro couldn't handle the hostname pattern changes, but it used to be trivial to block their network.

iRedAdmin-Pro stores these blacklists in an SQL db, so it's not ideal to store those patterns with "*". The more wildcard match rules you add, the slower (SQL) performance you get while performing such a check.


6

Re: Blacklisting by CIDR Network Problems

All of the addresses I've listed in my two posts above are real.

Here are some addresses that I'm actively seeing blocked in my logs from this same spammer.

170.130.68.116
170.130.68.122
170.130.68.106
170.130.68.110
170.130.68.114
170.130.16.20
170.130.16.32
170.130.16.28
170.130.16.30
170.130.16.34
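As an added example (not code from this thread, from iRedAPD or from iRedAdmin-Pro), the following Python block models the Postfix cidr: map that reply 4 switched to, and runs the client addresses listed in reply 6 through it. It shows the two things a working network blacklist has to get right: a bare host entry and a /24 entry are both parsed as networks, and a lookup is a prefix containment test rather than a string comparison. The table contents, the action texts and the host entry 192.0.2.25 are assumptions made up for this example; the network prefixes are the ones named in the thread.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[Network, str]

# Constructed sample table in Postfix cidr_table(5) syntax. The networks are
# the ones named in the thread; the actions and the /32 host entry are
# assumptions for this example, not the poster's real /etc/postfix/blacklist.
SAMPLE_TABLE = """\
# Postfix cidr: map. Lookups return the FIRST matching entry, so a
# narrower exception must be listed before the wider block it carves out.
# '#' at the start of a line begins a comment; bare addresses are hosts.
173.232.33.0/24     REJECT Network blocked by postmaster
50.2.209.0/24       REJECT Network blocked by postmaster
170.130.68.0/24     REJECT Network blocked by postmaster
170.130.16.0/24     REJECT Network blocked by postmaster
192.0.2.25          REJECT Single host blocked (constructed example)
"""

# Client IPs reported in reply 6 of the thread, used here as lookup input.
OBSERVED_CLIENTS = [
    "170.130.68.116", "170.130.68.122", "170.130.68.106", "170.130.68.110",
    "170.130.68.114", "170.130.16.20", "170.130.16.32", "170.130.16.28",
    "170.130.16.30", "170.130.16.34",
]


def parse_cidr_table(text: str) -> List[Rule]:
    """Parse a simplified cidr table: '<network> <action...>' per line.

    Comment lines (leading '#') and blank lines are skipped. A bare address
    becomes a /32 (IPv4) or /128 (IPv6) host entry. Continuation lines of the
    real Postfix format are not supported by this simplified parser.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<network> <action>'")
        # strict=False lets an entry such as 50.2.209.156/24 denote the
        # enclosing /24 instead of being rejected for having host bits set.
        rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return rules


def lookup(rules: List[Rule], client_ip: str) -> Optional[str]:
    """Return the action of the first entry whose network contains client_ip.

    None means no entry matched; for Postfix that means this restriction is
    skipped and evaluation continues with the next one. Comparing the client
    address against the entry as a *string* would only ever match host
    entries; the containment test below is what makes /24 blocks work.
    """
    ip = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if ip in network:  # False across IPv4/IPv6, True inside the prefix
            return action
    return None


def uncovered(rules: List[Rule], client_ips: List[str]) -> List[str]:
    """Return the client IPs that no REJECT entry covers.

    Useful after adding a block: feed it the addresses seen in the mail log and
    confirm the list comes back empty instead of re-adding hosts one by one.
    """
    return [
        ip for ip in client_ips
        if not (lookup(rules, ip) or "").startswith("REJECT")
    ]


RULES = parse_cidr_table(SAMPLE_TABLE)

if __name__ == "__main__":
    for client in OBSERVED_CLIENTS + ["192.0.2.25", "198.51.100.7"]:
        print(f"{client:16} -> {lookup(RULES, client)}")
    print("not covered:", uncovered(RULES, OBSERVED_CLIENTS))
```

Postfix itself consults such a file through `check_client_access cidr:/etc/postfix/blacklist` in `smtpd_client_restrictions`; a cidr: table needs no `postmap` step, but Postfix must be reloaded after the file is edited before new entries take effect. Running `uncovered()` over the client addresses extracted from the mail log is a quick way to confirm that a network entry actually covers the hosts being seen, which is the check the poster was doing by hand.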

7

Re: Blacklisting by CIDR Network Problems

Hi,
Just an idea: I block IP addresses with/without CIDR in my (hardware) firewall and domains in iRedMail's blacklist.

8

Re: Blacklisting by CIDR Network Problems

I'm not having any problem with network blocks handling them directly with a Postfix cidr: map. It's actually faster for me to connect to my server via SSH and update the map file than to log into iRedAdmin. I was really just reporting this as a general bug for investigation.

Thanks for the input.

9

Re: Blacklisting by CIDR Network Problems

I did a quick test with the CIDR network ("50.2.209.0/24") and IP addresses (50.2.209.156, 50.2.209.164), both are correctly blacklisted.

- Which iRedAPD release are you running? Please show us output of command "ls -dl /opt/iredapd".
- Which iRedAdmin-Pro release are you running?

In your 3rd reply, you mentioned " Single IP entries work.   CIDR Network entries are being ignored since the last upgrade."
Do you mean that the CIDR network was not saved by iRedAdmin-Pro at all?


10

Re: Blacklisting by CIDR Network Problems

ZhangHuangbin wrote:

I did a quick test with the CIDR network ("50.2.209.0/24") and IP addresses (50.2.209.156, 50.2.209.164), both are correctly blacklisted.

- Which iRedAPD release are you running? Please show us output of command "ls -dl /opt/iredapd".
- Which iRedAdmin-Pro release are you running?

In your 3rd reply, you mentioned " Single IP entries work.   CIDR Network entries are being ignored since the last upgrade."
Do you mean that the CIDR network was not saved by iRedAdmin-Pro at all?

iRedAPD-4.0
iRedAdmin-Pro 4.5 (LDAP)

The CIDR network blocks were saved by iRedAdmin Pro, but they seemed to be ignored.

11

Re: Blacklisting by CIDR Network Problems

Could you please upgrade to iRedAPD-4.3 and try again?
