[Mimedefang] Netblock 222

Jan Pieter Cornet johnpc at xs4all.nl
Mon Oct 10 16:10:40 EDT 2005

On Mon, Oct 10, 2005 at 11:52:54AM -0500, Damrose, Mark wrote:
> I've been getting a bunch of spam from zombied hosts in the 222.x.x.x range.
> Much of it gets blocked by spamhaus and other lists, but there's been enough
> left that it's noticeable.  Whois says that this netblock is assigned to
> "Air Force Logistics Command".  The senders of the spam vary, but none of
> them are domains that have spf.

The 222/8 "netblock" is assigned to APNIC, the Asian Pacific region,
where it is distributed further to individual ISPs or customers. You can
verify this from: http://www.iana.org/assignments/ipv4-address-space

whois.apnic.net contains further information on the distributing, e.g., - is allocated to a "KDDI Corporation" in Tokyo,
Japan. The next block, is allocated to a university in
China. I couldn't find any af.mil networks, offhand.

So if you block this entire network, you're blocking a pretty large
amount of addresses in the Asian Pacific region... but likely only
the most recently allocated ones. If you want to be complete, go over
the ipv4-address-space I mentioned above and look up all netblocks
belonging to APNIC.

However, it does seem excessive to me... simply blocking about a
third of the world (remember Australia is also in that area).
You might be better off using a country-specific blocking list
such as cn.rbl.cluecentral.net, kr.rbl.cluecentral.net etc, and
leaving your "postmaster" and/or "abuse" address explicitly open
in case someone does need to contact you from those areas.

> Does anybody see any downside to doing something like:
> sub filter_sender($$$$) {
>     my ($sender, $ip, $hostname, $helo) = @_;
>     if ( ($ip =~ /^222\./) && ($sender !~ /af\.mil\>?/i) ) {
>         return ('REJECT', 'Not USAF address');
>     }
>     return ('CONTINUE', 'OK');
> }

You mean apart from the fact that it's very easy to spoof, too generic
of a blocking method, that the af.mil exception likely has nothing to do
with the 222/8 netblock, and that the exception isn't strict enough (it
would match mail from <decaf.milk.sugar at example.com>)? 

#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
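
The "exception isn't strict enough" point from the reply above, as an added example that is not part of the original post or of MIMEDefang: it runs the quoted pattern and a domain-anchored comparison over constructed sample senders. The helper names loose_match and strict_match and all sample addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern taken from the quoted filter_sender: unanchored, so "af.mil"
# matches anywhere in the envelope sender, local part included.
sub loose_match {
    my ($sender) = @_;
    return $sender =~ /af\.mil\>?/i ? 1 : 0;
}

# Hypothetical stricter check: look only at the domain part and require
# it to be af.mil itself or a subdomain of af.mil.
sub strict_match {
    my ($sender) = @_;
    (my $addr = $sender) =~ s/^\s*<|>\s*\z//g;   # strip optional <...>
    return 0 unless $addr =~ /\@([^\@\s]+)\z/;   # text after the last "@"
    my $domain = lc $1;
    $domain =~ s/\.\z//;                         # tolerate a trailing dot
    return ($domain eq 'af.mil' || $domain =~ /\.af\.mil\z/) ? 1 : 0;
}

# Constructed sample envelope senders (not taken from real mail).
my @samples = (
    '<someone@af.mil>',
    '<someone@base.af.mil>',
    '<decaf.milk.sugar@example.com>',   # the reply's counter-example
    '<user@af.mil.example.net>',        # af.mil used as a left-hand label
    '<user@notaf.mil>',                 # different domain ending in af.mil
    '<>',                               # null sender (bounces)
);

printf "%-34s %-6s %s\n", 'sender', 'loose', 'strict';
for my $s (@samples) {
    printf "%-34s %-6s %s\n", $s,
        loose_match($s)  ? 'match' : '-',
        strict_match($s) ? 'match' : '-';
}

# Anchoring fixes only the pattern. The envelope sender is still supplied
# by the connecting client, so the exception stays as easy to spoof as
# the reply says.
```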
