Auxiliary tool: GEOIP "Whitelist" - SPF mail records

All entries (SPF) were determined with DIG.

If somebody wants to secure his mail server with GEOIP and needs up-to-date IP addresses of some large mail senders:


Best regards

Tom
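The post above says the entries were determined with dig. As an added example (not from the thread), this sketch walks a sender's SPF record through `include:` and `redirect=` and prints only the networks that carry a pass qualifier. The function names are hypothetical, and `a`/`mx` mechanisms and macros are not expanded.

```shell
#!/bin/sh
# Added example: flatten a domain's SPF record into a list of networks.

# TXT records for a name, one per line. dig +short prints each record as one
# or more quoted chunks; the chunks are joined without a separator.
spf_txt() {
    dig +short TXT "$1" | sed -e 's/" "//g' -e 's/"//g'
}

# Print the ip4:/ip6: networks reachable from domain $1 via include: and
# redirect=. $2 is the chain of domains already visited, $3 its length.
spf_walk() (
    set -f                                   # no globbing when splitting terms
    domain=$1 seen=$2 depth=${3:-0}
    # Names come from third-party DNS data: accept plain hostnames only, so a
    # crafted include: target cannot be read by dig as an option.
    case $domain in ''|[!A-Za-z0-9_]*|*[!A-Za-z0-9._-]*) exit 0 ;; esac
    case " $seen " in *" $domain "*) exit 0 ;; esac     # include loop
    # RFC 7208 caps DNS-querying terms at 10; stop at the same chain length.
    [ "$depth" -lt 10 ] || exit 0
    record=$(spf_txt "$domain" | tr 'A-Z' 'a-z' | grep -E '^v=spf1( |$)' | head -n 1)
    [ -n "$record" ] || { echo "no SPF record: $domain" >&2; exit 0; }
    for term in $record; do
        term=${term#+}                       # "+" is the default qualifier
        case $term in
            *%*)         ;;                  # macros need a live message, skip
            ip4:*|ip6:*) echo "${term#ip?:}" ;;
            include:*)   spf_walk "${term#include:}" "$seen $domain" $((depth + 1)) ;;
            redirect=*)  spf_walk "${term#redirect=}" "$seen $domain" $((depth + 1)) ;;
        esac                                 # -, ~ and ? terms fall through
    done
)

# Sorted, de-duplicated networks for one sender domain.
spf_flatten() { spf_walk "$1" "" 0 | LC_ALL=C sort -u; }

# Usage (needs network): spf_flatten example.com
```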

Hello Tom, I have been thinking about your post and the problem with that list is that it will eventually become obsolete.

It would be more helpful to have a script auto update that list.

The method recommended by Google to check if an IP belongs to Google uses the host command twice in a row.

I get a query from $ip then I perform
host $ip to get the hostname to see if it belongs to Google and then I perform
host $hostname to see if I get $ip.

That would tell us if we are seeing Googlebot or a spammer / hacker.

The same thing could apply to the server logs.

If we could parse the logs and determine a set of rules that those hostnames follow, we may come up with an auto updating solution.
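The two-step lookup described in the reply above, as an added example that is not part of the original post: a reverse lookup, a suffix check on a label boundary, then a forward lookup that must return the same address. The function names are hypothetical, the allowed suffixes are passed in by the caller, and it uses dig rather than host for output that is easier to parse.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS (the "host twice" check).

# PTR names for an address, one per line, lower-cased, trailing dot removed.
ptr_names() { dig +short -x "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# A and AAAA addresses for a name, one per line.
fwd_addrs() { dig +short A "$1"; dig +short AAAA "$1"; }

# fcrdns_check IP SUFFIX...
# Prints the confirmed hostname and returns 0 when a PTR name of IP lies under
# one of the SUFFIXes and resolves back to IP; returns 1 otherwise.
fcrdns_check() (
    set -f
    ip=$1; shift
    for name in $(ptr_names "$ip"); do
        # PTR data is chosen by whoever controls the address: refuse anything
        # that is not a plain hostname before handing it to another lookup.
        case $name in ''|[!a-z0-9]*|*[!a-z0-9._-]*) continue ;; esac
        for suffix in "$@"; do
            # Match on a label boundary only: "x.googlebot.com" is under
            # "googlebot.com"; "evilgooglebot.com" is not.
            case $name in *".$suffix") ;; *) continue ;; esac
            # The name alone proves nothing; it must resolve back to the
            # same address (exact string match, so pass IPv6 in the
            # compressed form dig prints).
            if fwd_addrs "$name" | grep -qxF -- "$ip"; then
                echo "$name"
                exit 0
            fi
        done
    done
    exit 1
)

# Usage (needs network): fcrdns_check 192.0.2.10 googlebot.com google.com
```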

Hello,

the problem with an automatic list / update is that each of us has our own firewall rules. These can vary from region to region.

As it is in the foreword in this forum: “HestiaCP is not an autopilot for your server. Hestia is a tool to enable various hosting related settings via a web interface.”

An automatic script can cause more damage than manual maintenance. In addition, one would have to work out the differences and special features for each distribution. I also don’t write such a script “on the side”.

For me personally, it’s easier to check it out myself from time to time.

The question must of course be: “How often do the providers change the IP addresses of their mail servers?” This sometimes involves entire networks.

You also have to ask yourself: “Who actually uses geoip?”

In some distributions, you can no longer simply install this or it is no longer included in the package sources.

Best regards

Tom