How to block domains and even top level zones?

I just switched over from McAfee Spamkiller to Comodo AntiSpam (CAS) this week.

After dealing with some config issues, I seem to finally have CAS behaving and doing an effective job of trapping spam, but now I have a couple of questions.

  1. I live in the US. All my regular email correspondents are in the US and Canada - North American registry (ARIN). When I was using McAfee Spamkiller, well over 90% of my spam originated from top level IP blocks assigned by top level registries “other” than ARIN, namely RIPE, LACNIC, APNIC, etc. With some searching of all the top level IP block registries, I was able to develop a list of which top level blocks (of all 256 possible blocks) are assigned by registries “other” than ARIN.

An example of this list of IP ranges is as follows:
IP Range

| Begin | End | Description |
|---|---|---|
| 1.0.0.0 | 1.255.255.255 | IANA RESERVED-9 |
| 39.0.0.0 | 39.255.255.255 | IANA |
| 58.0.0.0 | 61.255.255.255 | Asian Pacific Network Information Ctr [APNIC] |
| 62.0.0.0 | 62.255.255.255 | RIPE, Amsterdam |
| 73.0.0.0 | 79.255.255.255 | IANA |
| 80.0.0.0 | 89.255.255.255 | RIPE, Amsterdam |
| 90.0.0.0 | 123.255.255.255 | IANA |
| 193.0.0.0 | 195.255.255.255 | RIPE, Amsterdam |
| 200.0.0.0 | 201.255.255.255 | Latin American and Caribbean IP [LACNIC] |
| 202.0.0.0 | 203.255.255.255 | Asian Pacific Network Information Ctr [APNIC] |
| 210.0.0.0 | 211.255.255.255 | Asian Pacific Network Information Ctr [APNIC] |
| 212.0.0.0 | 213.255.255.255 | RIPE, Amsterdam |
| 214.0.0.0 | 214.255.255.255 | DoD Network |
| 217.0.0.0 | 217.255.255.255 | RIPE, Amsterdam |
| 218.0.0.0 | 222.255.255.255 | Asian Pacific Network Information Ctr [APNIC] |

What I then did with McAfee Spamkiller (which was quite effective - far more effective than the standard rules provided by McAfee) was to trap any message containing the text “[200.” or “(200.” in the message header Received From. This rule, then, would trap any message that originated from (or was forwarded by) an IP in the range 200.0.0.0 - 200.255.255.255, i.e., an IP assigned by LACNIC. Since I do not expect to be receiving any email from Latin America, this became a very efficient method to block most of the spam that was arriving.

I would like to be able to set up some similar means in CAS to block out large ranges of IP origination (or forwarding) space. Another approach to this (though it might be less foolproof) might be to block domains that “end” with specific Country Codes. Again for example, I receive a lot of spam from addresses that end in .de.

One method might be to use “wildcards” (or something to that effect) in email address blocking. Again for example, I would like to block the address space: `*@*.de`, where “*” would mean “any text”.

  2. I would like to (but see no means in CAS to) vary the Blocked Message Action by email address blocked. For example, I have selected “retailers” who, once I have purchased from them, bombard me with spam and even after repeated requests from me to stop sending me spam, continue to do so. In these instances, I “know” email from that address is spam and am completely comfortable Deleting such messages without ever Quarantining them and even having to observe them at all. On the other hand, I am very leery about letting CAS automatically Delete most other messages that might satisfy some CAS spam rule, in the outside chance that the message trapped is actually a desired message I wish to receive, but which CAS accidentally trapped (and Quarantined).

In other words, I would like to have the Quarantine Database review work that I have to perform be as little as possible - without risking the loss of truly desired messages that become inadvertently trapped. Right now CAS appears to offer me a simple choice of Quarantine/Delete “all” messages trapped. I would like to increase the granularity of that choice of action down to the email address, domain, and also IP range level.

Any thoughts/suggestions?

BlueSkye
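
The header rule described in the post, written out as an added example (it is not part of the original post and is not a Comodo AntiSpam or McAfee Spamkiller feature): instead of a text match on "[200.", it parses only the Received headers, pulls the bracketed IPv4 literals, and checks the first octet against a subset of the listed ranges. The function names and the sample message are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# First-octet ranges copied from the list in the post (subset): (low, high, registry)
BLOCKED_OCTETS = [(58, 61, "APNIC"), (80, 89, "RIPE"), (200, 201, "LACNIC")]

# IPv4 literal in [..] or (..), the same spots the "[200." / "(200." text rule hit
IP_LITERAL = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_ips(raw_message):
    """Return valid IPv4 relay addresses from Received headers only, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for text in IP_LITERAL.findall(header):
            try:
                ips.append(ipaddress.IPv4Address(text))
            except ipaddress.AddressValueError:
                continue  # not a real address, e.g. 999.1.1.1
    return ips


def blocked_hops(raw_message):
    """Return (ip, registry) for each relay whose first octet is in a blocked range."""
    hits = []
    for ip in received_ips(raw_message):
        first_octet = int(ip) >> 24
        for low, high, registry in BLOCKED_OCTETS:
            if low <= first_octet <= high:
                hits.append((str(ip), registry))
    return hits


# Constructed sample message (documentation hostnames, made-up relay addresses)
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Mon, 1 Jan 2007 10:00:00 -0500\n"
    "Received: from unknown (HELO host) (200.51.100.7)\n"
    "\tby mx.example.net with SMTP; Mon, 1 Jan 2007 09:59:58 -0500\n"
    "Subject: price list [200. items]\n"
    "\n"
    "body text mentioning (80.1.2.3)\n"
)

if __name__ == "__main__":
    print(blocked_hops(SAMPLE))
```

Received lines below the one stamped by your own mail server are supplied by the sending side and can be forged, so a hit on a lower hop is weaker evidence than a hit on the hop your server recorded.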