Blacklists for Mailservers
IP-based blacklists
On this site, you will find two blacklists for mailservers that might help you reduce contacts from bad servers. Both of these blacklists are updated every 24 hours.
- List of particularly badly behaving IPs of SMTP Clients.
- List of particularly suspicious networks for having potentially bad SMTP Clients.
Feel free to download these. As previously explained, please check this information before using it in a way that may be harmful to you.
Example
An example where these lists might come in handy is slowing down the number of connections from suspicious IP addresses. You could do that in your iptables handling of SMTP connections. I will only include IPv4 here; the example for IPv6 is similar.
The idea of this example is:
- You have an ipset, `suspicioussmtp`, filled with the information from either list or both.
- You have a chain in iptables that handles your SMTP connections, called `smtphandling`.
The example will reduce the number of connections to one per minute if the source IP is in this set. If an IP is allowed through, it will not be allowed for another 30 minutes. Connection packets outside this quota will be dropped, i.e., will result in a timeout for the client. These values are suitable for a very small MX server. You might want to adjust that for systems with more traffic.
Example shell code
```sh
# create another ipset for remembering IPs that connected in the last 30
# minutes; entries will be removed automatically after 30 minutes.
ipset create suscontactlast hash:ip family inet hashsize 16381 maxelem 65536 timeout 1800
# create a new chain for handling suspect contacts
iptables -N handlesussmtp
# create a new chain for limiting suspect contacts
iptables -N limitsussmtp
# jump to that chain if a new SMTP contact matches
# (the rule number 1 goes after the chain name)
iptables -I smtphandling 1 -m set --match-set suspicioussmtp src -j handlesussmtp
# if a suspicious IP has made a successful contact in the last 30 minutes,
# then drop the packet
iptables -A handlesussmtp -m set --match-set suscontactlast src -j DROP
# unconditionally jump to limiting
iptables -A handlesussmtp -j limitsussmtp
# if we arrive here, the number of connections is within the limit;
# add the source IP to the set suscontactlast
iptables -A handlesussmtp -j SET --add-set suscontactlast src
# here we implicitly return to "smtphandling", which can then decide what
# to do
# limiting: if inside the limit of 1 per minute, then just return.
# The limit match counts all sources in the set together, and its default
# burst is 5, so --limit-burst 1 is needed for a strict one per minute.
iptables -A limitsussmtp -m limit --limit 1/minute --limit-burst 1 -j RETURN
# otherwise: just drop the packet
iptables -A limitsussmtp -j DROP
```
As with all other information: Please critically check before using.
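The rules above expect the `suspicioussmtp` set to be filled already. One way to check a downloaded list and load it without ever leaving the live set empty is sketched below; this is an added example, not code from the original page. It assumes the list holds one IPv4 address or CIDR network per line with `#` comments, uses a `hash:net` set so both lists fit, and treats `MIN_PREFIX`, `gen_restore` and the file names as hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed list format: one IPv4
# address or CIDR network per line; "#" starts a comment.
MIN_PREFIX=${MIN_PREFIX:-16}   # assumed sanity limit: refuse nets wider than this

# gen_restore SETNAME < list
# Prints "ipset restore" input that fills SETNAME-new and swaps it into
# SETNAME in one step, so the live set is never empty or half loaded.
# If any line fails validation, no swap is printed and the status is 1.
gen_restore() {
    awk -v set="$1" -v min="$MIN_PREFIX" '
    BEGIN {
        print "create " set " hash:net family inet"
        print "create " set "-new hash:net family inet"
        print "flush " set "-new"
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments and whitespace
    $0 == "" { next }
    {
        n = split($0, part, "/")
        ok = (n <= 2 && split(part[1], oct, ".") == 4)
        for (i = 1; ok && i <= 4; i++)
            ok = (oct[i] ~ /^[0-9]+$/ && length(oct[i]) <= 3 && oct[i] + 0 <= 255)
        if (ok && n == 2)
            ok = (part[2] ~ /^[0-9]+$/ && part[2] + 0 >= min && part[2] + 0 <= 32)
        if (!ok) { print "rejected line " NR ": " $0 > "/dev/stderr"; bad++; next }
        print "add " set "-new " $0
    }
    END {
        if (!bad) { print "swap " set "-new " set; print "destroy " set "-new" }
        exit (bad ? 1 : 0)
    }'
}

# Typical use, as root (file names are placeholders):
#   gen_restore suspicioussmtp < downloaded-list.txt > /tmp/sus.restore &&
#       ipset -exist restore < /tmp/sus.restore
```

Because the swap is only emitted for a fully valid list, a truncated or tampered download leaves the previous set in place, and the rejected lines on stderr show what to inspect.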
Copyright © 2025 me@oldhand.zapzarapp.com