[enhancement]: Block IP addresses listed on iblocklist and similar #483

Closed
1 task done
mdecimus opened this issue May 26, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@mdecimus
Member

Which feature or improvement would you like to request?

Block IP addresses listed on iblocklist and similar

Is your feature request related to a problem?

I'm having a problem with...

@mdecimus mdecimus added the enhancement New feature or request label May 26, 2024
@williamdes
Contributor

For example integrating with CrowdSec firewall bouncer
https://blog.williamdes.eu/Infrastructure/tutorials/install-crowdsec-and-bouncer-on-pfsense/

The URL provides a list of newline-terminated IPs. Thousands.

@nomadturk

For example integrating with CrowdSec firewall bouncer https://blog.williamdes.eu/Infrastructure/tutorials/install-crowdsec-and-bouncer-on-pfsense/

The URL provides a list of newline-terminated IPs. Thousands.

Though... Same IP can host both good actors and bad actors.

pfBlockerNG is a good example on pfSense though. It gives you the ability to block IP addresses based on dynamically changing IP lists as well as giving you the ability to block things at the DNS level. So that even if you can't block the IP, you can block the domain to punish some of the emails.

I was blackholing a huge chunk of IP addresses on some of my servers, primarily known crypto/virus/tor/brute-force scanners, etc.

Some blacklists give you IP addresses, some of them provide you with IP ranges, some are mixed.
It would be nice if Stalwart could do parsing and updating of such lists.

Like, some examples from my script, not sure if they all still work at the moment though.

```bash
curl -ksSfL "https://api.blocklist.de/getlast.php?time=36000"
curl -ksSfL "https://cinsscore.com/list/ci-badguys.txt"
curl -ksSfL "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt"
curl -ksSfL "https://www.dan.me.uk/torlist/?exit"
curl -ksSfL "https://check.torproject.org/torbulkexitlist?ip=1.1.1.1"
curl -ksSfL "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
curl -ksSfL "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
curl -ksSfL "http://blocklist.greensnow.co/greensnow.txt"
# These feeds are not plain IP lists, so only the dotted quads are extracted
curl -ksSfL "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
curl -ksSfL "https://rules.emergingthreats.net/blockrules/emerging-tor.rules" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
curl -ksSfL "https://rules.emergingthreats.net/blockrules/3coresec.rules" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
```

@mdecimus
Member Author

Migrated to #947

@mdecimus
Member Author

@nomadturk I'll add to the default rules those lists from your script, if you have others please let me know.

Regarding I-Blocklist, are you fetching their lists programmatically? I tried accessing a few of them (for example http://list.iblocklist.com/?list=npkuuhuxcsllnhoamkvm&fileformat=p2p&archiveformat=gz) and I was asked to solve a captcha before being able to download it. Probably the paid version does not have a captcha, but I was looking for some free lists to add to the default rules.

@nomadturk

nomadturk commented Dec 20, 2024

@mdecimus

This is the way I was downloading them in one of my hosts. (I'm not saying they are great. But it helped on that server)

```bash
# Scratch file the fetched lists are concatenated into (defined here so the
# fragment runs on its own; the original script sets it elsewhere)
temphosts1="${temphosts1:-$(mktemp)}"

#curl -ksSfL "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshield_all_attack.ipset" > $temphosts1
#curl -ksSfL "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshield_all_bruteforce.ipset" > $temphosts1
#curl -ksSfL "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshield_all_ddosbot.ipset" > $temphosts1
#curl -ksSfL "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshield_all_dnsscan.ipset" > $temphosts1
#curl -ksSfL "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshield_all_wannacry.ipset" > $temphosts1
#curl -ksSfL "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshield_high_spam.ipset" > $temphosts1

# First list overwrites the scratch file, the rest append to it
curl -ksSfL "https://lists.blocklist.de/lists/strongips.txt" > $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/mail.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/imap.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/pop3.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/postfix.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/courierimap.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/courierpop3.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/bruteforcelogin.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/25.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/143.txt" >> $temphosts1
curl -ksSfL "https://lists.blocklist.de/lists/993.txt" >> $temphosts1
curl -ksSfL "https://api.blocklist.de/getlast.php?time=36000" >> $temphosts1
#
curl -ksSfL "https://cinsscore.com/list/ci-badguys.txt" >> $temphosts1
curl -ksSfL "https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt" >> $temphosts1
curl -ksSfL "https://www.dan.me.uk/torlist/?exit" >> $temphosts1
curl -ksSfL "https://check.torproject.org/torbulkexitlist?ip=1.1.1.1" >> $temphosts1
curl -ksSfL "https://rules.emergingthreats.net/blockrules/compromised-ips.txt" >> $temphosts1
curl -ksSfL "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" >> $temphosts1
curl -ksSfL "http://blocklist.greensnow.co/greensnow.txt" >> $temphosts1
# These feeds are not plain IP lists, so only the dotted quads are extracted
curl -ksSfL "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> $temphosts1
curl -ksSfL "https://rules.emergingthreats.net/blockrules/emerging-tor.rules" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' >> $temphosts1
curl -ksSfL "https://rules.emergingthreats.net/blockrules/3coresec.rules" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' >> $temphosts1
# Variant that keeps CIDR ranges (a.b.c.d/nn) instead of single hosts
#| grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{2\}' >> $temphosts1
```

Then after that some sanitizing, deduplicating and so on.
And I was adding them to a blackhole table as the last step.

Everything here should be curl-able without a payment wall or CF captcha.
Just tried a few and it's without problems.

But if you want to use a custom formatting, that might be why. Their API probably is behind CF.

For iblocklist, they provide you with a list of IPs.
For some others, you need to extract this from within ranges and so on.

But, as long as you add the ability to add these as auto-updated blacklists for mail admins, we should be good.
(They need to be auto-removed when they disappear from these lists too.)
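The sanitizing, deduplicating and auto-removal steps described in the comment above, as an added example that is not part of this thread or of Stalwart's code: it parses a constructed feed mixing the formats the lists return (bare IPs, CIDR ranges, ipset comment lines, Emerging Threats rule lines), drops junk, collapses hosts already covered by a range, and diffs the result against the previously applied table so entries that vanished from the feeds are removed rather than kept forever. Function names and the sample feed are assumptions.

```python
import ipaddress
import re

# Constructed sample feed (not a real download) mixing the formats the lists in
# this thread return: bare IPs, CIDR ranges, ipset/blocklist.de comment lines,
# and Emerging Threats rule lines with IPs embedded in them.
SAMPLE_FEED = """\
# firehol ipset header comment
203.0.113.7
198.51.100.0/24
198.51.100.42
2001:db8::1
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"ET TOR"; sid:2500000;)
999.1.1.1
"""
# Dotted quad with optional /prefix, not glued to another octet on either side.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?(?![\d.])")

def parse_feed(text):
    """Set of ip_network objects in a mixed-format feed. Comment lines are
    skipped; a line that is itself an address/CIDR is taken whole; any other
    line (e.g. a rule) is scanned for embedded IPv4 literals; tokens that do
    not parse (999.1.1.1) are dropped so junk never reaches the table."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        for token in IPV4_RE.findall(line):
            try:
                nets.add(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # e.g. an octet above 255
    return nets

def collapse(nets):
    """Drop hosts already covered by a range and merge adjacent ones, per family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return set(ipaddress.collapse_addresses(v4)) | set(ipaddress.collapse_addresses(v6))

def plan_update(previous, current):
    """Diff the last applied table against a fresh fetch: vanished entries are removed."""
    return {"add": sorted(current - previous, key=str),
            "remove": sorted(previous - current, key=str)}
```

Feed the `add`/`remove` lists to whatever installs the blackhole table (an ipset, a null route, or Stalwart's own rules) on each refresh; applying only the diff keeps a stale entry from surviving after its source list drops it.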

@mdecimus
Member Author

Thanks @nomadturk - I'll add a few as an example to the default rules. I was also thinking about combining all these lists to make them available in the spam-filter repository as a single download, but I'll have to contact each one of those sites and ask for permission to redistribute their lists.
