[Rspamd-Users] Incorrect country code for IP (maybe a bug?)

Sophie Loewenthal sophie at klunky.co.uk
Fri Mar 6 17:32:36 UTC 2020


How can we disable "IP Bad country"? 

These IP=country ASN always harm our incoming ham.

From my whois lookup:
IP Location	 Argentina Buenos Aires H4hosting Bv 
ASN	 AS51050 H4HOSTING-AS, NL (registered May 25, 2010)
Resolve Host	nit49.embluenitro.com
Whois Server	whois.ripe.net 
IP Address	185.98.146.51

 Thanks.

On 6 Mar 2020, at 6:10 pm, Daniel Lysfjord via Users <users at lists.rspamd.com> wrote:

This is not a bug in rspamd. This IP is registered as belonging to ASN 51050 with country code NL in the MaxMind GeoIP databases. I guess rspamd uses that database? My quick glance through the documentation does not reveal where they get the ASN/Country information from.

> "Emanuel Gonzalez" <emanuel_gonzalez at live.com.ar> wrote on 6 March 2020 at 13:06:
> 
> Hello,
> 
> In my server I use this map:
> 
> COUNTRY_SPAMMER {
>   type = "country";
>   map = "redis://countryspam";
>   description = "IP Bad country";
> }
> 
> 2020-03-06 08:19:31 #3719(normal) <a9be14>; task; rspamd_task_write_log: id:
> <3Bl-de711d347e-A at embluemail.com>, qid: <1jAB0r-0007R8-95>, ip: 185.98.146.51
> , from: <emblue3prd_bm at emark13.embluejet.com>, (default: F (no action): [14.07/30.00]
> [FUZZY_DENIED(10.51){1:35d9fef3e7:1.00:txt;},SENDER_WHITELIST_HEADER
> _FROM(-5.00){dfe at comunicaciones.arba.gov.ar;},COUNTRY_SPAMMER(4.00){NL;},BAYES_SPAM(3.62){95.82%;},R
> MIXED_CHARSET(0.54){},FORGED_SENDER(0.30){dfe at comunic
> aciones.arba.gov.ar;emblue3prd_bm at emark13.embluejet.com;},BAD_REP_POLICIES(0.10){},MIME_GOOD(-0.10){
> ultipart/alternative;text/plain;},ONCE_RECEIVED(0.10)
> {},HAS_LIST_UNSUB(-0.01){},ARC_NA(0.00){},ASN(0.00){asn:51050, ipnet:185.98.144.0/22,
> country:NL;},DKIM_TRACE(0.00){comunicaciones.arba.gov.ar:+;embluenit
> ro.com:+;},DMARC_POLICY_ALLOW(0.00){comunicaciones.arba.gov.ar;none;},FROM_HAS_DN(0.00){},FROM_NEQ_E
> VFROM(0.00){dfe at comunicaciones.arba.gov.ar;emblue3prd
> _bm at emark13.embluejet.com;},HAS_REPLYTO(0.00){dfe at comunicaciones.arba.gov.ar;},MIME_TRACE(0.00){0:+;
> :+;2:~;},MX_GOOD(0.00){cached: emark13.embluejet.com;
> },RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ONE(0.00){1;},RCVD_TLS_ALL(0.00){},REPLYTO_ADDR_EQ_FROM(0.00){
> ,RM_HEADER_00(0.00){},RM_HEADER_03(0.00){},R_DKIM_ALL
> OW(0.00){comunicaciones.arba.gov.ar:s=epexo;embluenitro.com:s=epexo;},R_SPF_ALLOW(0.00){+ip4:185.98.
> 46.1/24:c;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0
> .00){}]), len: 9391, time: 1287.564ms, dns req: 35, digest: <670eac3bab9efdc1644bff59177f5f76>,
> rcpts: <gabriela at conserviajes.com.ar>, mime_rcpts: <gabrie
> la at conserviajes.com.ar>
> 
> I see that there is an error in the country code of an IP address: 185.98.146.51
> 
> inetnum: 185.98.146.0 - 185.98.146.255
> netname: COLO-EMBLUE-DCG-3024
> org: ORG-NNN1-RIPE
> descr: emBlue
> country: AR
> admin-c: EEMP1-RIPE
> tech-c: EEMP1-RIPE
> status: ASSIGNED PA
> mnt-by: MNT-H4HOSTING
> created: 2018-10-01T10:35:12Z
> last-modified: 2018-10-01T10:36:30Z
> source: RIPE
> 
> The correct country code is AR, but Rspamd does not recognize that the IP is from Argentina.
> 
> Maybe a bug?
> 
> Regards,
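
Added example, not part of the original thread and not Rspamd's own code: a Python script that reads log lines in the rspamd_task_write_log layout quoted above and lists, for each message where the COUNTRY_SPAMMER map fired, the country the ASN symbol reported and the score the message would have had without the map. The sample lines are constructed, using documentation IP ranges and ASNs; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the rspamd_task_write_log layout (shortened);
# IPs and ASNs are documentation/reserved values, not real senders.
SAMPLE_LOG = """\
2020-03-06 08:19:31 #3719(normal) <a9be14>; task; rspamd_task_write_log: id: <m1@example.com>, ip: 192.0.2.51, (default: F (no action): [4.20/30.00] [COUNTRY_SPAMMER(4.00){NL;},ASN(0.00){asn:64500, ipnet:192.0.2.0/24, country:NL;},MIME_GOOD(-0.10){text/plain;},R_SPF_ALLOW(0.30){+ip4:192.0.2.0/24;}]), len: 9391
2020-03-06 08:20:02 #3719(normal) <b7c001>; task; rspamd_task_write_log: id: <m2@example.com>, ip: 198.51.100.7, (default: F (add header): [9.50/30.00] [BAYES_SPAM(5.50){99.00%;},COUNTRY_SPAMMER(4.00){NL;},ASN(0.00){asn:64501, ipnet:198.51.100.0/24, country:NL;}]), len: 1200
2020-03-06 08:21:10 #3719(normal) <c1d002>; task; rspamd_task_write_log: id: <m3@example.com>, ip: 203.0.113.9, (default: F (no action): [-0.10/30.00] [MIME_GOOD(-0.10){text/plain;},ASN(0.00){asn:64502, ipnet:203.0.113.0/24, country:AR;}]), len: 800
"""

HEAD_RE = re.compile(r"ip: (\S+?),.*?\(default: \S+ \(([^)]+)\): \[(-?[\d.]+)/[\d.]+\]")
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?\d+(?:\.\d+)?)\)\{([^}]*)\}")

def parse_line(line):
    """Return ip, action, total score and {symbol: (weight, options)} for one log line."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    # Symbols follow the [score/threshold] bracket, so only scan the rest of the line.
    symbols = {n: (float(w), o) for n, w, o in SYMBOL_RE.findall(line[head.end():])}
    return {"ip": head.group(1), "action": head.group(2),
            "score": float(head.group(3)), "symbols": symbols}

def country_map_hits(log_text, map_symbol="COUNTRY_SPAMMER"):
    """List messages where the country map fired, with the ASN symbol's view of the IP."""
    hits = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is None or map_symbol not in msg["symbols"]:
            continue
        weight, matched = msg["symbols"][map_symbol]
        asn_opts = msg["symbols"].get("ASN", (0.0, ""))[1]
        asn = dict(kv.split(":", 1) for kv in re.split(r"[,;]\s*", asn_opts) if ":" in kv)
        hits.append({"ip": msg["ip"], "action": msg["action"],
                     "matched": matched.rstrip(";"),
                     "asn": asn.get("asn"), "asn_country": asn.get("country"),
                     "score": msg["score"],
                     "score_without_map": round(msg["score"] - weight, 2)})
    return hits

def hits_by_origin(hits):
    """Count map hits per (ASN, country) pair to show which networks the map penalises."""
    return Counter((h["asn"], h["asn_country"]) for h in hits)

if __name__ == "__main__":
    for hit in country_map_hits(SAMPLE_LOG):
        print(hit)
```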

