GeoIP
Description
The GeoIP plugin tells us which country our mail server is receiving mail from. If we're receiving too much spam from a particular location, this helps track it down. We can then use that information to reject connections from that location, taking the load off our server.
Download and install
GeoIP plugin
We need the GeoIP package and the Perl interface to it, but neither is installed on SME Server by default. We'll have to get the packages from yum. Yum has access to several public repositories where packages are available; GeoIP is in the extras repository. We'll enable that repository and install them.
yum --enablerepo=extras install perl-Geo-IP
Yum does the magic and knows to install both the program and the interface.
GeoIP database
For the plugin to work we need the GeoIP database. This database is maintained and updated by a company called MaxMind. For the free Lite version used here we'll have to download it every month; MaxMind's paid subscription service is as accurate as possible and is updated once a week.
The database needs to be in a specific location or it won't work. We'll change to that location.
cd /
mkdir /var/lib/GeoIP
cd /var/lib/GeoIP
Now we'll get the latest database. The database is also in the repositories but it's outdated. We'll grab the most recent directly from MaxMind.
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
The database is zipped. We'll have to unzip it.
gunzip GeoIP.dat.gz
Creating a cron-job
We can add a cron-job to automate the monthly process of updating the GeoIP database:
mkdir -p /etc/e-smith/templates-custom/etc/crontab
Now we will add a custom template fragment:
vim /etc/e-smith/templates-custom/etc/crontab/91_Update_GeoIP_db
Add the following to this fragment, this will download and extract the new database every month:
# Updating the GeoIP database monthly on the 5th at 0:00h.
# gunzip only runs if the download succeeded, so a failed download never clobbers the current GeoIP.dat.
0 0 5 * * root /usr/bin/wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz -O /var/lib/GeoIP/GeoIP.dat.gz && /bin/gunzip -f /var/lib/GeoIP/GeoIP.dat.gz
To activate the custom template fragment:
expand-template /etc/crontab
GeoIP qpsmtpd plugin
The email receiving component of SME Server is called qpsmtpd. It's great because it allows us to turn plugins on or off, or create our own when we need to. The GeoIP plugin is already in SME Server but it's turned off. I've created an RPM but it's not in any of the repositories; it's attached to bugzilla 1866 (direct download).
You can download this with your desktop PC and transfer it onto your SME Server with WinSCP, or fetch it directly on the server:
cd
wget http://bugs.contribs.org/attachment.cgi?id=3539 -O smeserver-geoip-1.0.5-1.noarch.rpm
Now you can install the rpm:
yum localinstall smeserver-geoip-1.0.5-1.noarch.rpm
Testing
Now that the package and database are installed, we can test it (refer to Country Code list at end of page as required).
geoiplookup 216.17.211.37
It should return:
GeoIP Country Edition: US, United States
It gives us the country code (US) and the long name (United States). Let's test it again with a domain name.
geoiplookup contribs.org
Same result. So we know it works with IP addresses or domain names. Let's test it again around the world.
geoiplookup gormand.com.au
It should return:
GeoIP Country Edition: AU, Australia
Now again.
geoiplookup e-smith.com
It should return:
GeoIP Country Edition: CA, Canada
One last time:
geoiplookup swerts-knudsen.dk
It should return:
GeoIP Country Edition: DK, Denmark
Usage
Tracking e-mail
The GeoIP plugin should now be doing its work. Check the qpsmtpd logs and you'll see the countries from which mail is being sent.
cat /var/log/qpsmtpd/current
We'll use a simple shell script to summarise the log, then run it.
First, create the script.
vi geoipstats.sh
Insert the following:
#!/bin/sh
# Read the qpsmtpd log files.
# Extract the country code from each "GeoIP Country:" line and count them.
cat /var/log/qpsmtpd/* | \
  grep 'GeoIP Country:' | \
  sed -e 's/^.*\(..\)$/\1/' | \
  sort | uniq -c | sort -n
Now run the script. It will show the number of messages sent by country code.
sh geoipstats.sh
See where your mail is coming from. Then ask the question: "Why am I receiving thousands of emails from RU (Russia)? I don't even know anyone there." Good point. In addition, your server has to process all that mail, which takes resources away from legitimate work. In the next section we'll block the countries we consider bad.
Blocking email
Add the country codes to the SME Server configuration database. In our case, Russia and Poland seem to be causing issues. You can type in any country codes you wish.
config setprop qpsmtpd BadCountries RU,PL
Signal the email-update event.
signal-event email-update
No more mail from hosts that GeoIP places in RU or PL. The beauty of this is that SME Server does the lookup locally against the local database rather than resolving the IP address via DNS, so responses are very fast. In addition, the plugin runs before most other plugins, so the connection is dropped before SME Server even has to check whether the sender is on a blacklist or the message is spam.
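As an added example (not code from this page or from the qpsmtpd plugin), the following script combines the per-country count of geoipstats.sh above with a dry run of a BadCountries value: it reports how many of the logged connections, and what share of them, the setting would have rejected, so the impact can be checked before config setprop is applied. It assumes only that each log line ends in "GeoIP Country: XX", as the script above does; the sample log is constructed.

```shell
#!/bin/sh
# Added example: dry run of a BadCountries value against qpsmtpd log lines.
# Only the trailing "GeoIP Country: XX" of each line is used, as in
# geoipstats.sh; everything else on the line is ignored.
# Constructed sample log in the shape of /var/log/qpsmtpd/current; the
# timestamp and pid prefixes are made up, not real log data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
@400000004f8a1c2e0a1b2c3d 2411 Accepted connection 1/40 from 198.51.100.7 / mail.example.net
@400000004f8a1c2e0a1b2c3d 2411 (connect) geoip: GeoIP Country: US
@400000004f8a1c3a1b2c3d4e 2412 (connect) geoip: GeoIP Country: RU
@400000004f8a1c4b2c3d4e5f 2413 (connect) geoip: GeoIP Country: RU
@400000004f8a1c5c3d4e5f60 2414 (connect) geoip: GeoIP Country: PL
@400000004f8a1c6d4e5f6071 2415 (connect) geoip: GeoIP Country: US
@400000004f8a1c7e5f607182 2416 (connect) geoip: GeoIP Country: DE
@400000004f8a1c8f60718293 2417 (connect) geoip: GeoIP Country: RU
@400000004f8a1c9071829304 2418 (connect) geoip: GeoIP Country: AU
@400000004f8a1ca182930415 2419 (connect) geoip: GeoIP Country: RU
@400000004f8a1cb293041526 2420 (connect) geoip: GeoIP Country: US
EOF
# One two-letter code per logged connection.
country_codes() {
    grep -h 'GeoIP Country:' "$@" | sed -e 's/^.*\(..\)$/\1/'
}
# Per-country counts, busiest first.
country_counts() {
    country_codes "$@" | sort | uniq -c | sort -rn
}
# Most frequent country code.
top_country() {
    country_counts "$@" | head -n 1 | awk '{print $2}'
}
# Connections a BadCountries value such as "RU,PL" would have rejected.
rejected_count() {
    bad=$1; shift
    country_codes "$@" | grep -Ec "^($(printf '%s' "$bad" | tr ',' '|'))$" || true
}
# Same, as a percentage of all logged connections.
rejected_percent() {
    bad=$1; shift
    echo $(( $(rejected_count "$bad" "$@") * 100 / $(country_codes "$@" | wc -l) ))
}
country_counts "$SAMPLE_LOG"
echo "BadCountries=RU,PL would reject $(rejected_percent RU,PL "$SAMPLE_LOG")% of logged connections"
```

Run it against the real logs by passing /var/log/qpsmtpd/* instead of the sample file.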
Abbreviated Country Code List
AC Ascension Island
AD Andorra
AE United Arab Emirates
AERO members of the air-transport industry
AF Afghanistan
AG Antigua and Barbuda
AI Anguilla
AL Albania
AM Armenia
AN Netherlands Antilles (being phased out)
AO Angola
AQ Antarctica
AR Argentina
AS American Samoa
ASIA Restricted to the Pan-Asia and Asia Pacific community
AT Austria
AU Australia
AW Aruba
AX Aland Islands
AZ Azerbaijan
BA Bosnia and Herzegovina
BB Barbados
BD Bangladesh
BE Belgium
BF Burkina Faso
BG Bulgaria
BH Bahrain
BI Burundi
BIZ Restricted for Business
BJ Benin
BL Saint Barthelemy
BM Bermuda
BN Brunei Darussalam
BO Bolivia
BQ Bonaire, Sint Eustatius and Saba
BR Brazil
BS Bahamas
BT Bhutan
BV Bouvet Island
BW Botswana
BY Belarus
BZ Belize
CA Canada
CC Cocos (Keeling) Islands
CD Congo, The Democratic Republic of the
CF Central African Republic
CG Congo
CH Switzerland
CI Cote d'Ivoire
CK Cook Islands
CL Chile
CM Cameroon
CN China
CO Colombia
COM Generic top-level domain
COOP cooperative associations
CR Costa Rica
CU Cuba
CV Cape Verde
CW Curaçao
CX Christmas Island
CY Cyprus
CZ Czech Republic
DE Germany
DJ Djibouti
DK Denmark
DM Dominica
DO Dominican Republic
DZ Algeria
EC Ecuador
EDU Educational Institutions
EE Estonia
EG Egypt
EH Western Sahara
ER Eritrea
ES Spain
ET Ethiopia
EU European Union
FI Finland
FJ Fiji
FK Falkland Islands (Malvinas)
FM Micronesia, Federated States of
FO Faroe Islands
FR France
GA Gabon
GB United Kingdom
GD Grenada
GE Georgia
GF French Guiana
GG Guernsey
GH Ghana
GI Gibraltar
GL Greenland
GM Gambia
GN Guinea
GOV United States Government
GP Guadeloupe
GQ Equatorial Guinea
GR Greece
GS South Georgia and the South Sandwich Islands
GT Guatemala
GU Guam
GW Guinea-Bissau
GY Guyana
HK Hong Kong
HM Heard Island and McDonald Islands
HN Honduras
HR Croatia
HT Haiti
HU Hungary
ID Indonesia
IE Ireland
IL Israel
IM Isle of Man
IN India
INFO Generic top-level domain
IO British Indian Ocean Territory
IQ Iraq
IR Iran, Islamic Republic of
IS Iceland
IT Italy
JE Jersey
JM Jamaica
JO Jordan
JOBS Reserved to serve needs of the international human resource management community
JP Japan
KE Kenya
KG Kyrgyzstan
KH Cambodia
KI Kiribati
KM Comoros
KN Saint Kitts and Nevis
KP Korea, Democratic People's Republic of
KR Korea, Republic of
KW Kuwait
KY Cayman Islands
KZ Kazakhstan
LA Lao People's Democratic Republic
LB Lebanon
LC Saint Lucia
LI Liechtenstein
LK Sri Lanka
LR Liberia
LS Lesotho
LT Lithuania
LU Luxembourg
LV Latvia
LY Libyan Arab Jamahiriya
MA Morocco
MC Monaco
MD Moldova, Republic of
ME Montenegro
MF Saint Martin (French part)
MG Madagascar
MH Marshall Islands
MIL United States Military
MK Macedonia, The Former Yugoslav Republic of
ML Mali
MM Myanmar
MN Mongolia
MO Macao
MOBI consumers and providers of mobile products and services
MP Northern Mariana Islands
MQ Martinique
MR Mauritania
MS Montserrat
MT Malta
MU Mauritius
MUSEUM museums
MV Maldives
MW Malawi
MX Mexico
MY Malaysia
MZ Mozambique
NA Namibia
NAME individuals
NC New Caledonia
NE Niger
NET Generic top-level domain
NF Norfolk Island
NG Nigeria
NI Nicaragua
NL Netherlands
NO Norway
NP Nepal
NR Nauru
NU Niue
NZ New Zealand
OM Oman
ORG Generic top-level domain
PA Panama
PE Peru
PF French Polynesia
PG Papua New Guinea
PH Philippines
PK Pakistan
PL Poland
PM Saint Pierre and Miquelon
PN Pitcairn
PR Puerto Rico
PRO Restricted to credentialed professionals and related entities
PS Palestinian Territory, Occupied
PT Portugal
PW Palau
PY Paraguay
QA Qatar
RE Reunion
RO Romania
RS Serbia
RU Russian Federation
RW Rwanda
SA Saudi Arabia
SB Solomon Islands
SC Seychelles
SD Sudan
SE Sweden
SG Singapore
SH Saint Helena
SI Slovenia
SJ Svalbard and Jan Mayen
SK Slovakia
SL Sierra Leone
SM San Marino
SN Senegal
SO Somalia
SR Suriname
SS South Sudan
ST Sao Tome and Principe
SU Soviet Union (being phased out)
SV El Salvador
SX Saint Maarten (Dutch part)
SY Syrian Arab Republic
SZ Swaziland
TC Turks and Caicos Islands
TD Chad
TEL businesses and individuals to publish their contact data
TF French Southern Territories
TG Togo
TH Thailand
TJ Tajikistan
TK Tokelau
TL Timor-Leste
TM Turkmenistan
TN Tunisia
TO Tonga
TP Portuguese Timor (being phased out)
TR Turkey
TRAVEL entities whose primary area of activity is in the travel industry
TT Trinidad and Tobago
TV Tuvalu
TW Taiwan, Province of China
TZ Tanzania, United Republic of
UA Ukraine
UG Uganda
UK United Kingdom
UM United States Minor Outlying Islands
US United States
UY Uruguay
UZ Uzbekistan
VA Holy See (Vatican City State)
VC Saint Vincent and the Grenadines
VE Venezuela, Bolivarian Republic of
VG Virgin Islands, British
VI Virgin Islands, US
VN Viet Nam
VU Vanuatu
WF Wallis and Futuna
WS Samoa
XXX the adult entertainment community
YE Yemen
YT Mayotte
ZA South Africa
ZM Zambia
ZW Zimbabwe
Country Code Info Source:
http://en.wikipedia.org/wiki/ISO_3166-1
http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
Troubleshooting
As of April 2012 there may be some problems with countries not being blocked, possibly related to the way the geo database is updated for free users. User experience and opinion vary, and following a complaint, the original forum post about this has been deleted: http://forums.contribs.org/index.php/topic,48560.0.html
Users are advised to determine the effectiveness of the database for themselves.