geoip plugin & SNARE
From: Matt Simerson
Date: June 6, 2012 13:21
Subject: geoip plugin & SNARE
Message ID: 7301B22A-7BAB-4C43-AAA9-56503ABDE55B@tnpi.net
On Jun 5, 2012, at 12:38 AM, Matt Simerson wrote:
> On Jun 4, 2012, at 2:56 PM, Stevan Bajić wrote:
>
>> - If it is important to you then doing something like GeoIP lookups could be interesting for certain users (either to block or whitelist based on continent, region, country). I usually use that data to compute the distance between me and the sender. The bigger the distance is the more likely it is spam (search for SNARE if you need a research paper on that topic).
> SNARE: http://smartech.gatech.edu/bitstream/handle/1853/25135/GT-CSE-08-02.pdf?sequence=1
>
> Their findings echo what I see in my logs. Windows PCs sending email to my server from outside my country have a 95% chance of being spam. The problem I see with SNARE is the way-too-high 7% false positive rate. It's useful information, but not something that can be used to reject the connection. On its own. But you can use the data to make the sender jump through extra hoops.
I'm not sure how useful it will be, but the geoip plugin now calculates geodesic distance.
Matt
https://github.com/smtpd/qpsmtpd/pull/28
NAME
geoip - provide geographic information about mail senders.
SYNOPSIS
Use MaxMind's GeoIP databases and the Geo::IP perl module to report
geographic information about incoming connections.
DESCRIPTION
This plugin saves geographic information in the following connection
notes:
geoip_country - 2 char country code
geoip_country_name - full English name of country
geoip_continent - 2 char continent code
geoip_distance - distance in kilometers
And adds entries like this to your logs:
(connect) ident::geoip: US, United States, NA, 1319 km
(connect) ident::geoip: IN, India, AS, 13862 km
(connect) ident::geoip: fail: no results
(connect) ident::geoip: CA, Canada, NA, 2464 km
(connect) ident::geoip: US, United States, NA, 2318 km
(connect) ident::geoip: PK, Pakistan, AS, 12578 km
(connect) ident::geoip: TJ, Tajikistan, AS, 11965 km
(connect) ident::geoip: AT, Austria, EU, 8745 km
(connect) ident::geoip: IR, Iran, Islamic Republic of, AS, 12180 km
(connect) ident::geoip: BY, Belarus, EU, 9030 km
(connect) ident::geoip: CN, China, AS, 11254 km
(connect) ident::geoip: PA, Panama, NA, 3163 km
Calculating the distance has three prerequisites:
1. The MaxMind city database (free or subscription)
2. The Math::Complex perl module
3. The IP address of this mail server (see CONFIG)
Other plugins can utilize the geographic notes to alter the connection,
reject, greylist, etc.
CONFIG
The following options can be appended in this plugin's config/plugins
entry.
distance <IP Address>
Enables geodesic distance calculation. Will calculate the distance "as
the crow flies" from the remote mail server. Accepts a single argument,
the IP address to calculate the distance from. This will typically be
the public IP of your mail server.
ident/geoip [ distance 192.0.1.5 ]
Default: none. (no distance calculations)
db_dir </path/to/GeoIP>
The path to the GeoIP database directory.
ident/geoip [ db_dir /etc/GeoIP ]
Default: /usr/local/share/GeoIP
LIMITATIONS
The distance calculations are more concerned with being fast than
accurate. The MaxMind location data is collected from whois and is of
limited accuracy. MaxMind offers more accurate data for a fee.
For distance calculations, the earth is considered a perfect sphere. In
reality, it is not. Accuracy should be within 1%.
This plugin does not update the GeoIP databases. You may want to.
CHANGES
2012-06 - Matt Simerson - added GeoIP City support, continent, distance
2012-05 - Matt Simerson - added geoip_country_name note, added tests
SEE ALSO
MaxMind: http://www.maxmind.com/
Databases: http://geolite.maxmind.com/download/geoip/database
It may become worth adding support for Geo::IPfree, which uses another
data source: http://software77.net/geo-ip/
ACKNOWLEDGEMENTS
Stevan Bajic, the DSPAM author, who suggested SNARE, which describes
using geodesic distance to determine spam probability. The research
paper on SNARE can be found here:
http://smartech.gatech.edu/bitstream/handle/1853/25135/GT-CSE-08-02.pdf
`````````````````````````````````````````````````````````````````````````
Matt Simerson http://matt.simerson.net/
Systems Engineer http://www.tnpi.net/
Mail::Toaster - http://mail-toaster.org/
NicTool - http://www.nictool.com/
`````````````````````````````````````````````````````````````````````````
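The spherical-earth distance the plugin documentation above describes, and the "extra hoops rather than reject" use of the geoip_distance note from the quoted thread, as an added example in Perl that is not the plugin's code or Matt's. The Seattle/Mumbai coordinates, the 5000 km threshold and the policy labels are assumptions; the log lines are the ones from the DESCRIPTION section.

```perl
#!/usr/bin/perl
# Added example (not plugin code): spherical-earth distance in Perl plus
# a policy that treats a large geoip_distance as a reason for extra
# checks (greylisting) rather than rejection.
use strict;
use warnings;
use Math::Trig;    # deg2rad, asin; built on Math::Complex, the plugin's prerequisite

my $EARTH_RADIUS_KM = 6371;    # mean radius; the plugin assumes a perfect sphere

# Haversine distance "as the crow flies" between two lat/lon pairs (degrees).
sub geodesic_km {
    my ($lat1, $lon1, $lat2, $lon2) = @_;
    my $dlat = deg2rad($lat2 - $lat1);
    my $dlon = deg2rad($lon2 - $lon1);
    my $h = sin($dlat / 2)**2
          + cos(deg2rad($lat1)) * cos(deg2rad($lat2)) * sin($dlon / 2)**2;
    return 2 * $EARTH_RADIUS_KM * asin(sqrt($h));
}

# Pull the km figure from a log entry the plugin writes. Anchoring on the
# trailing " km" keeps country names that contain commas (e.g. "Iran,
# Islamic Republic of") from confusing the parse.
sub distance_from_log {
    my ($line) = @_;
    return $line =~ /ident::geoip: .*, (\d+) km$/ ? $1 : undef;
}

# A far-away sender alone is not grounds to reject (SNARE's false-positive
# rate is too high); it earns extra hoops such as greylisting instead.
sub policy_for_distance {
    my ($km, $threshold_km) = @_;
    return 'lookup-failed' unless defined $km;   # e.g. "fail: no results"
    return $km > $threshold_km ? 'greylist' : 'accept';
}

# Constructed sample coordinates (assumption, not from the page): Seattle and Mumbai.
printf "Seattle -> Mumbai: %.0f km\n",
    geodesic_km(47.61, -122.33, 19.08, 72.88);

# Sample log lines taken from the plugin's documentation above.
my @log = (
    '(connect) ident::geoip: US, United States, NA, 1319 km',
    '(connect) ident::geoip: IR, Iran, Islamic Republic of, AS, 12180 km',
    '(connect) ident::geoip: fail: no results',
);
for my $line (@log) {
    my $km = distance_from_log($line);
    printf "%-13s %s\n", policy_for_distance($km, 5000), $line;
}
```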