Comment by JumpCrisscross
1 month ago
> Russian IP addresses are still trying to send email in the name of my domain for some stupid reason
For what it's worth, I've started seeing cybersecurity insurers requiring riders and extra payments if you don't block Russian IPs.
But there are big problems with mapping from IPs to countries. My IPv6 is detected as Russian, though it is London-located tunnel exit point and I'm in the Netherlands.
If your HE tunnelbroker account's country is set to Russia, you'll show up as from Russia for Google since HE publishes a geofeed of ip range -> user account country for them.[1] You should be able to change it on the settings page.[2]
If that's not it, you an see which database maps your IPv6 range to Russia and contact them to ask them to change it.[3]
Of course, if you have accounts with a Russian addresses, then things will revert.
[1] https://tunnelbroker.net/export/google
[2] https://tunnelbroker.net/account.php
[3] https://www.iplocation.net/ip-lookup
If it is a tunnel, then it might have been used by someone else before.
Those "London oblast" jokes don't come from nowhere.
Sounds like an issue with an outdated locally hosted IP2 Location database.
Google thinks it is in Russia too. And Cloudflare thinks the same.
4 replies →
Sounds more like IP isn't a reliable factor to determine location. Not that this would be bad though.
Ive got a server hosting a number of things, amd monitoring setup for a lot of stats. Got tired of seeing blips because various countries were beating on my server, not a DoS, but enough requests to notice, and sometimes generate an alert. I blocked 7 countries, in full, and the impact was fantastic. No more 2gb of logs generated every day by countries that have no business accessing my server.
Unless you own a global business, i see no reason to even allow other countries access. The potential for attacks is too great, especially from some very specific countries.
I'm the CTO of a US-based insurance company. Apart from some reinsurers in London and Bermuda, and a couple contractors in Canada, we don't do business outside the US. We've blocked all countries except those, and it has cut down massively on the folks attacking us.
Lots of companies do this on their websites now using cloud flare or something similar. It’s practical. Still it’s frustrating as a user when you’re traveling over in Europe and can’t access your accounts to pay bills or whatnot.
3 replies →
Have you considered the additional cost of making it harder for your customers to do business with you, as well as the limited visibility that you set up for attacks that may become multi-stage in nature later?
You never see or collect the information by blocking everything at the outset.
In a world where you can proxy past these blocks fairly trivially, that's information you don't have for attribution later.
Defense in depth, or layered defenses are a best approach, but not if they blind you equally.
1 reply →
Kinda similar, but when I looked at the finances, I was surprised by how much money we're getting from places like the Cayman Islands, Switzerland, and the Emirates.
> I blocked 7 countries
Russia, China, Nigeria, Romania, North Korea, Iran and Belarus [1]?
[1] https://www.ox.ac.uk/news/2024-04-10-world-first-cybercrime-...
How/why did you pick these 7?
Using your link: Ukraine, USA, UK, Brazil, & India all rank higher than Iran and Belarus. US & Ukraine rank higher than Nigeria and Romania.
5 replies →
Romania!? I did a double-take, as it is a member of the European Union. I would think if their cyber-reputation was so terrible, there would be pressure from inside the EU to fix it.
1 reply →
Pretty close tbh. Sub romania for brazil, and nigeria, for... i dont remember right now
A nice GH project for this: https://github.com/friendly-bits/geoip-shell?tab=readme-ov-f...
just close the tcp sockets and you wont even notice them trying to connect and failing
do you also log everyone who looks at your house? it's a self inflicted problem
At least in the case of VPS my experience has been 99% failed ssh attempts. I just use nftables to rate limit those to 2 failed attempts per minute. Log size is quite modest and can easily filter out failed attempts when viewing.
Ok but you can’t block someone else using their own IPs to send email.
If you set DMARC to report, you’ll get notices from remote email systems when they receive noncompliant emails with your domain in the Envelope From field. Those reports are where you’ll see Russian IP addresses show up when they are trying to spoof your emails.
But there is no way to block them because neither the senders nor receivers are on your infrastructure. The best you can do is set a reject DMARC policy and hope everyone follows it.