stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art
4.84k stars 196 forks

[enhancement]: Block IP by ASN #825

Open WintersMichael opened 3 days ago

WintersMichael commented 3 days ago

Which feature or improvement would you like to request?

Almost all of my spam / portscans / etc come from AS4134. Banning by ASN would relieve me from maintaining the long list of subnets. This could leverage services like https://asnlookup.com/apidocs/ and require Stalwart admins to provide their own API key.

Is your feature request related to a problem?

No response


nomadturk commented 3 days ago

This would end up being reaaaaaaly expensive for anyone with a medium load of emails. Both in terms of $$$, processing power and latency as they would run with each incoming email.

IF this were to be a thing, Maxmind GeoIP is a cheaper solution.

Or if you really want to get the subnets of AS4134, the easy way to do it would be periodically running bgpq3. And try blocking each of the results in an "ip route add blackhole subnet/24" manner.

...

They have a LOT of subnets


But blocking a whole ASN... That's extreme

williamdes commented 2 days ago

> But blocking a whole ASN... That's extreme

Honestly, China net is most of the attacks on my systems. If I could ban them entirely or add a SPAM score weight for their ASN it would be great.

jkaberg commented 2 days ago

Why not just keep it simple and introduce a blocklist feature, which is a more common practice; imo these suggestions seem very proprietary.

The blocklists can then be fed by these actors and potentially others.

nomadturk commented 2 days ago

They are.

There is a blocklist already though. It's just that there is no way to auto-update that using external lists or batch add/removal functionality.

If Stalwart allowed using remote sources as an auto-updated list, that would have worked. Everyone could generate their own blocklists to their needs and just feed it to Stalwart.

OR add a different spam score to those that exist in those lists.

WintersMichael commented 1 day ago

Perhaps the simplest solution would be to allow uploading a file containing all of the blocked IPs / ranges. Uploading this file would replace all of the current blocks with whatever is in the list. Creating that file and updating Stalwart with it would then be the admin's responsibility.
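An added example, not Stalwart's code or anything posted in this thread, of the aggregate-then-match step behind both the bgpq3/blackhole suggestion and the uploaded-file idea: the prefix dump is a constructed sample standing in for a prefix-list tool's output, adjacent prefixes are collapsed so the list stays small, and each reload rebuilds the whole blocklist rather than appending to it.

```python
"""Turn an ASN prefix dump into a collapsed CIDR blocklist and match IPs against it."""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample standing in for a prefix-list tool's output (e.g. bgpq3).
# These are documentation ranges, not real AS4134 announcements.
SAMPLE_PREFIXES = """\
# one prefix per line; comments and blanks are ignored
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
2001:db8:1::/48
2001:db8:2::/48
not-a-prefix
"""


def parse_prefixes(text: str) -> List[Network]:
    """Parse one prefix per line, skipping comments and malformed entries."""
    nets: List[Network] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. "192.0.2.5/24"
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad line must not abort the whole reload
    return nets


def build_blocklist(nets: Iterable[Network]) -> List[Network]:
    """Collapse adjacent/overlapping prefixes; v4 and v6 are collapsed separately."""
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def load_blocklist(text: str) -> List[Network]:
    """Replace-all semantics: the returned list is the complete new blocklist."""
    return build_blocklist(parse_prefixes(text))


def is_blocked(ip: str, blocklist: List[Network]) -> bool:
    """True if the connecting address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in blocklist if n.version == addr.version)
```

With the sample above the two /25s collapse into 192.0.2.0/24, so a connection from 192.0.2.200 is blocked while 192.0.3.1 is not.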