Access-list for Mail Server filtering

bubarooni

Technical User
May 13, 2001
506
US
I am the IT person for a small pharmacy chain. We host our own mail server (exchange 5.5).

I currently use TrendMicro's ScanMail to filter spam and am looking at installing SpamAssassin on it as well. A little less than 50% of my spam comes from overseas (mostly China and Korea netblocks but a lot of E. Europe and Russia too) and a little more than 50% is US in origin.

I'd seriously like to just throw away anything that comes from overseas at the PIX. I found an access-list for blocking China and Korea and it is about 7 pages long by itself; I dread to think what adding E. Europe and Russia would do to it. That's a lot of typing and I wonder about the effect of such a long list on my PIX.

Instead of blocking other IP ranges I was thinking of maybe just allowing North American netblocks and dumping everything else at the PIX. We just aren't doing a whole lot of business with Poland or China at this time.

I'm hoping that would be a shorter list but haven't found the North American netblock ranges anywhere. Has anybody else ever tried this? I've read widely divergent opinions on the effectiveness of the technique of blocking netblocks.

Thanks in Advance
 
jeez....

the perfect example just now:

Server Used: [ whois.apnic.net ]

61.241.126.7 = [ ]
inetnum: 61.240.0.0 - 61.243.255.255
netname: UNICOM
descr: China United Telecommunications Corporation
descr: No.133 Taiyun Building Xidan North Street
descr: Xicheng District Beijing China
country: CN
admin-c: UCH1-AP
tech-c: UCH1-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CN-CNNIC-UNICOM
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20041203
source: APNIC
role: Unicom China Hostmaster
address: 911 Room Xin Tong Center No.8 Beijing Railway Station
address: East Avenue Beijing PRC.
country: CN
phone: 86-10-6527-8866
fax-no: 86-10-6526-0124
e-mail: ip_address@cnuninet.com
admin-c: RX9-AP
tech-c: RX9-AP
nic-hdl: UCH1-AP
notify: ip_address@cnuninet.com
mnt-by: MAINT-CN-CNNIC-UNICOM
changed: hostmaster@apnic.net 20010820
source: APNIC

i'll bet we don't do business with these people. i'm guessing spam....
 
You're looking at one really big ACL. And the problem is that some "blocks" don't necessarily mean they originate from the same country. Either way, you're going to run into major issues if you decide to "block" spam by blocking IP addresses. Spam doesn't always originate from the "blocked" range and will eventually get relayed by those addresses you do allow.
I would suggest using spam-preventing measures instead and tuning those services. Start by really tightening it and then slowly open up on sources you do trust.

A firm believer in the "Keep it Simple" philosophy
Cheers
/T
 
Another option might be using a blacklist feature of mail guard software. Norton allows you to do this and it works quite well. For large ACLs, if you are wanting to screen, it would be better placed on a screening router in front of the firewall and not on the firewall. If you don't have one then you will have to do it on the FW. It is not uncommon, but be aware that other companies may route their mail to an overseas location and back. You'd be surprised where some major companies route their mail to from the US and back.
 
Agreed, it sounds like a messy solution to me. Blacklisting is most effective when it is based on known SPAM houses, as opposed to regional blacklisting. Aside from the potential to block desirable traffic discussed above, it's worth mentioning that extremely long ACLs have the potential to slow down network access, as the PIX has to compare every incoming packet to the access list.

If a lot of SPAM is getting through your current filtering, you might consider a different product/service. I've had very good luck with Brightmail (about 95% reduction, and no false positives).
 
Well, looks like that idea is dead. As I mentioned in my original post, I was a little leery of the approach after reading various discussions on the topic and the access-list length/performance hit issue.

Thanks for your input.
 
Lengthy access-lists aren't necessarily bad. It depends on what you have processing them. What model PIX do you have? Also, there is a built-in feature in the PIX for long ACLs.

The Command is
access-list compiled
 
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Hardware: PIX-506, 32 MB RAM, CPU Pentium 200 MHz

I'll look into the 'access-list compiled' command.

I currently use TrendMicro SMB and it has a whitelist and blacklist feature but it seems to be manual. I'd love it if it could use the Spamhaus blocklists but can't see how to do it. I have a request into their tech support on it.

Thanks
 
You shouldn't have a problem with a few hundred or even a thousand plus entries. The main thing is memory, configuration file size and of course performance. If your firewall is the only point in, then so be it. Remember to supernet the addresses that can be supernetted. When connection tables get high you may see memory drop. So do only what is necessary. If you put the ACLs in, monitor the FW for a few days afterwards to determine the difference in utilization. Also, you can do a show access-list bleh (whatever the name of your ACL is) to determine if the ACLs are being hit. It definitely shouldn't be an unplanned implementation.
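As an added example (not code from this thread or from Cisco), the Python script below carries out the "supernet the addresses" step recommended above on ranges in the whois inetnum style quoted earlier in the thread. It converts each "first - last" range to CIDR prefixes, collapses adjacent and overlapping prefixes into the fewest blocks, and renders PIX 6.x access-list lines, which take a normal netmask rather than an IOS wildcard. Only the first sample range (the UNICOM block) is taken from the thread; the other ranges, the ACL name outside_in and the mail server address 192.0.2.25 are constructed placeholders.

```python
import ipaddress

# Constructed sample input in APNIC whois "inetnum" style. The first range is the
# UNICOM block quoted in the thread; the rest are made up to exercise the
# aggregation logic (adjacent, overlapping and non-CIDR-aligned ranges) and are
# not real allocations.
SAMPLE_INETNUMS = [
    "61.240.0.0 - 61.243.255.255",  # quoted in the thread (61.240.0.0/14)
    "61.244.0.0 - 61.247.255.255",  # constructed: adjacent, merges into 61.240.0.0/13
    "61.232.0.0 - 61.235.255.255",  # constructed: separate /14
    "61.232.0.0 - 61.233.255.255",  # constructed: subsumed by the line above
    "61.248.0.0 - 61.249.127.255",  # constructed: not CIDR-aligned, needs two prefixes
]


def parse_inetnum(line):
    """Convert 'first - last' into the minimal list of CIDR networks covering it.

    Whois ranges are not guaranteed to be CIDR-aligned, so one inetnum may
    need several prefixes; summarize_address_range performs that split.
    """
    first, last = (part.strip() for part in line.split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def supernet(inetnums):
    """Collapse all ranges into the fewest CIDR blocks (the 'supernet' step).

    collapse_addresses merges adjacent prefixes that form an aligned larger
    block and drops prefixes already contained in another one.
    """
    nets = [net for line in inetnums for net in parse_inetnum(line)]
    return sorted(ipaddress.collapse_addresses(nets))


def raw_vs_collapsed(inetnums):
    """Return (prefix count before collapsing, after) to size the ACL saving."""
    raw = [net for line in inetnums for net in parse_inetnum(line)]
    return len(raw), len(supernet(inetnums))


def pix_acl(networks, mail_server="192.0.2.25", acl_name="outside_in"):
    """Render PIX 6.x ACL lines: deny SMTP from each block, then permit SMTP
    to the mail server, then bind the list inbound on the outside interface.

    mail_server and acl_name are constructed placeholders. The leading
    'access-list compiled' line is the feature named in the thread for long
    ACLs; whether a given PIX model and release supports it is something to
    confirm against the PIX documentation before relying on it.
    """
    lines = ["access-list compiled"]
    for net in networks:
        lines.append(f"access-list {acl_name} deny tcp {net.network_address} "
                     f"{net.netmask} any eq smtp")
    lines.append(f"access-list {acl_name} permit tcp any host {mail_server} eq smtp")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    before, after = raw_vs_collapsed(SAMPLE_INETNUMS)
    print(f"! {before} prefixes collapsed to {after}")
    print("\n".join(pix_acl(supernet(SAMPLE_INETNUMS))))
```

Order matters in the rendered list: the deny lines must precede the permit, and a PIX ACL ends with an implicit deny, so any other inbound service you currently allow needs its own permit line in the same list before the access-group is applied. After applying it, show access-list outside_in gives per-line hit counts, which is the check suggested above for seeing whether the blocks are actually being matched.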
 
Here are the maximum configuration file sizes for the PIX:

PIX Firewall model              Maximum configuration
PIX 501                         256 KB
PIX 506/506E, 515/515E, 520     1 MB
PIX 525, PIX 535                2 MB

506 = 256 KB = approx 15000 lines of configuration. Keep in mind this does not count performance.
 