For the last couple of months we have been tracking our logs using Vispan with the GeoIP. We can easily see where viruses and spam are coming from and thus draw up a top list of countries. For example, so far this month the top sources of spam have been:
- United States
- Korea, Republic of
- China
- Ireland
- United Kingdom
NB: A percentage of these emails would have been tagged as spam even though they are actually viruses, as some of the DNSBLs and rulesets will pick up on viral emails.
A simple solution to the spam from Asia would be to block those countries completely; however, that would cause issues as we have clients who trade actively with those countries.
A better solution is to apply some form of weighting to email from certain countries.
We are based in Ireland, so a large proportion of our clients and their contacts are too, so assigning a certain degree of “trust” to Irish IP space would seem to be a logical step. This does not mean that email from Irish IPs is trusted; rather, we are going to assume that the likelihood of spam coming from an Irish IP is slightly lower than from a non-Irish IP.
We then take the countries that are most problematic, such as Korea and Hong Kong. All email from those countries is considered untrustworthy and weighted appropriately.
The rest of the world is treated equally.
The results of this scoring can best be illustrated by looking at a couple of borderline cases:
Jan 14 22:36:54 av MailScanner[29107]: Message j0EMandY027564 from xxx.xxx.xxx.xxx(xxxxx@xxxxx.ie) to xxxxx.ie is not spam , SpamAssassin (score=7.097, required 7.4, HTML_70_80 0.51, HTML_FONTCOLOR_MAGENTA 1.00, HTML_FONTCOLOR_UNSAFE 1.00, HTML_FONTCOLOR_YELLOW 1.00, HTML_MESSAGE 0.10, HTML_MIME_NO_HTML_TAG 1.00, HTML_SHOUTING4 0.50, HTML_TAG_BALANCE_BODY 0.18, HTML_TAG_BALANCE_TABLE 0.19, HTML_TAG_EXISTS_TBODY 0.10, MIME_BASE64_NO_NAME 1.00, MIME_HTML_ONLY 0.10, RCVD_IN_NERDS_IE -2.00, SARE_HTML_NO_BODY1 1.03, SARE_URI_DIET 1.37)
The log line above is from a legitimate health newsletter. The Irish IP that sent it was assigned a negative score (-2), which brought what would otherwise have been a false positive safely below the limit.
On the other side we have an email that would otherwise have got through:
Jan 15 13:39:26 av MailScanner[3774]: Message j0FDcoF8019064 from xxx.xxx.xxx.xxx(xxxx@xxxxx.com) to xxxxx.com is spam, SpamAssassin (score=9.663, required 7.4, RAZOR2_CF_RANGE_51_100 1.00, RAZOR2_CHECK 2.06, RCVD_IN_NERDS_CN 3.50, RCVD_IN_SORBS_DUL 1.00, WS_URI_RBL 2.10)
The email scored against two DNSBLs but would only have scored 6.1; the sending IP (from China) pushed it nicely over the limit.
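The two log lines above can be checked mechanically. The following is an added example (not code from the original post): it parses the MailScanner/SpamAssassin result lines quoted above, sums the listed rule scores, and reports the verdict with and without any RCVD_IN_NERDS_* country rule. The only assumption beyond the page is the one SpamAssassin actually makes, that a message is spam when its score is greater than or equal to the required score.

```python
import re

# Added example, not the post's own code: replay the two quoted log lines and
# show how the country rule (RCVD_IN_NERDS_*) flips each borderline verdict.

NEWSLETTER_LINE = (
    "Jan 14 22:36:54 av MailScanner[29107]: Message j0EMandY027564 from "
    "xxx.xxx.xxx.xxx(xxxxx@xxxxx.ie) to xxxxx.ie is not spam , SpamAssassin "
    "(score=7.097, required 7.4, HTML_70_80 0.51, HTML_FONTCOLOR_MAGENTA 1.00, "
    "HTML_FONTCOLOR_UNSAFE 1.00, HTML_FONTCOLOR_YELLOW 1.00, HTML_MESSAGE 0.10, "
    "HTML_MIME_NO_HTML_TAG 1.00, HTML_SHOUTING4 0.50, HTML_TAG_BALANCE_BODY 0.18, "
    "HTML_TAG_BALANCE_TABLE 0.19, HTML_TAG_EXISTS_TBODY 0.10, "
    "MIME_BASE64_NO_NAME 1.00, MIME_HTML_ONLY 0.10, RCVD_IN_NERDS_IE -2.00, "
    "SARE_HTML_NO_BODY1 1.03, SARE_URI_DIET 1.37)"
)

SPAM_LINE = (
    "Jan 15 13:39:26 av MailScanner[3774]: Message j0FDcoF8019064 from "
    "xxx.xxx.xxx.xxx(xxxx@xxxxx.com) to xxxxx.com is spam, SpamAssassin "
    "(score=9.663, required 7.4, RAZOR2_CF_RANGE_51_100 1.00, RAZOR2_CHECK 2.06, "
    "RCVD_IN_NERDS_CN 3.50, RCVD_IN_SORBS_DUL 1.00, WS_URI_RBL 2.10)"
)

# Note the stray space before the comma in "is not spam , SpamAssassin".
LOG_RE = re.compile(
    r"Message (?P<msgid>\S+) from \S+ to \S+ is (?P<verdict>spam|not spam)\s*, "
    r"SpamAssassin \(score=(?P<score>[\d.]+), required (?P<required>[\d.]+), "
    r"(?P<rules>.*)\)\s*$"
)


def parse_sa_log(line):
    """Return (msgid, logged_score, required, {rule_name: score}) for one line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a SpamAssassin result line: %r" % line)
    rules = {}
    for item in m["rules"].split(","):
        name, value = item.split()          # "RCVD_IN_NERDS_IE -2.00"
        rules[name] = float(value)
    return m["msgid"], float(m["score"]), float(m["required"]), rules


def country_rule_effect(line, prefix="RCVD_IN_NERDS_"):
    """Compare the verdict with and without the country rules.

    SpamAssassin marks a message as spam when score >= required.
    """
    msgid, logged, required, rules = parse_sa_log(line)
    country = {k: v for k, v in rules.items() if k.startswith(prefix)}
    total = sum(rules.values())
    without = total - sum(country.values())
    return {
        "msgid": msgid,
        "logged_score": logged,
        "required": required,
        "country_rules": country,
        "total": round(total, 2),
        "without_country": round(without, 2),
        "spam": total >= required,
        "spam_without_country": without >= required,
    }


if __name__ == "__main__":
    for line in (NEWSLETTER_LINE, SPAM_LINE):
        r = country_rule_effect(line)
        print("%s: %.2f (spam=%s) -> without %s: %.2f (spam=%s)" % (
            r["msgid"], r["total"], r["spam"],
            ", ".join(r["country_rules"]) or "country rule",
            r["without_country"], r["spam_without_country"]))
```

The summed rule scores come out at 7.08 and 9.66 rather than the logged 7.097 and 9.663 because the log prints each rule score to two decimals; the verdicts are unaffected either way.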
How are the scores assigned?
We use a custom ruleset that polls the IP list provided by http://countries.nerd.dk/ and assigns a score based on the result.
An example rule is shown below:
header __RCVD_IN_NERDS eval:check_rbl('nerds','zz.countries.nerd.dk.')
describe __RCVD_IN_NERDS Received from a spam country
tflags __RCVD_IN_NERDS net
header RCVD_IN_NERDS_AR eval:check_rbl_sub('nerds','127.0.0.32')
describe RCVD_IN_NERDS_AR Received from Argentina
tflags RCVD_IN_NERDS_AR net
score RCVD_IN_NERDS_AR 2.5
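The Argentina stanza above encodes one fact that is easy to get wrong when adding more countries: countries.nerd.dk answers the lookup with an A record of the form 127.0.x.y, where x * 256 + y is the ISO 3166-1 numeric code of the country (Argentina is 032, hence 127.0.0.32). The following is an added example, not the post's own ruleset generator: it derives that address from the numeric code, decodes it back for checking, and emits stanzas in the same format as the rule above for each weighted country. The -2.0 (IE) and 3.5 (CN) scores match the post's log lines and 2.5 (AR) matches its example rule; the KR and HK scores, the set name "nerds" and the describe text are assumptions.

```python
# Added example, not code from the original post.  Generates SpamAssassin
# stanzas for the countries.nerd.dk country DNSBL.  Assumption: the zone
# returns 127.0.x.y with x * 256 + y equal to the ISO 3166-1 numeric code,
# which is consistent with the post's Argentina entry (032 -> 127.0.0.32).

ISO_NUMERIC = {          # ISO 3166-1 numeric codes (standard values)
    "AR": 32,            # Argentina
    "CN": 156,           # China
    "HK": 344,           # Hong Kong
    "IE": 372,           # Ireland
    "KR": 410,           # Korea, Republic of
}

COUNTRY_NAME = {
    "AR": "Argentina", "CN": "China", "HK": "Hong Kong",
    "IE": "Ireland", "KR": "Korea, Republic of",
}

# Weights: IE/CN/AR as seen on the page; KR and HK are assumed values chosen
# to match the post's "untrustworthy" treatment of those countries.
WEIGHTS = {"IE": -2.0, "AR": 2.5, "CN": 3.5, "KR": 3.5, "HK": 3.5}


def rbl_addr(iso_numeric):
    """ISO 3166-1 numeric code -> 127.0.x.y as returned by countries.nerd.dk."""
    if not 0 < iso_numeric < 65536:
        raise ValueError("numeric code out of range: %r" % iso_numeric)
    hi, lo = divmod(iso_numeric, 256)
    return "127.0.%d.%d" % (hi, lo)


def decode_rbl_addr(addr):
    """127.0.x.y -> ISO 3166-1 numeric code (inverse of rbl_addr)."""
    octets = addr.split(".")
    if len(octets) != 4 or octets[0] != "127" or octets[1] != "0":
        raise ValueError("not a countries.nerd.dk answer: %r" % addr)
    return int(octets[2]) * 256 + int(octets[3])


def render_rules(weights, zone="zz.countries.nerd.dk.", set_name="nerds"):
    """Emit the base lookup rule plus one scored sub-rule per country.

    check_rbl() performs the DNS query once under the name `set_name`;
    each check_rbl_sub() then matches the returned address against the
    per-country value, so the sub-rules cost no extra lookups.
    """
    lines = [
        "header __RCVD_IN_NERDS eval:check_rbl('%s','%s')" % (set_name, zone),
        "describe __RCVD_IN_NERDS Received from a country with a weighting",
        "tflags __RCVD_IN_NERDS net",
        "",
    ]
    for cc, score in sorted(weights.items()):
        rule = "RCVD_IN_NERDS_%s" % cc
        lines += [
            "header %s eval:check_rbl_sub('%s','%s')"
            % (rule, set_name, rbl_addr(ISO_NUMERIC[cc])),
            "describe %s Received from %s" % (rule, COUNTRY_NAME[cc]),
            "tflags %s net" % rule,
            "score %s %.1f" % (rule, score),
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_rules(WEIGHTS))
```

The output can be dropped into a local .cf file; keeping the Irish rule negative and the others positive reproduces the three-tier treatment described earlier (trusted, untrustworthy, and everywhere else unscored), and the round trip through decode_rbl_addr is a quick sanity check before deploying a new country entry.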
Thanks to a recent thread on the spamassassin users’ list