Mark Weaver wrote:
Bill Church wrote:
If you have the luxury of blocking IPs based on countries or regions, that helps as well but not everyone can do this.
-Bill
That in a nutshell of but one layer of a multi-layer approach that I've been using for the past two years. At present I may get a grand total of 2 SPAMs per week; sometimes less than that, but that's the average.
layer #1: RBLs configured in the MTA - Sendmail layer #2: SpamAssassin (score set to 3 and known or trusted addresses white-listed layer #3: iptables rules and a technique known as geo-blocking.
The third layer, iptables and geo-blocking REALLY make a huge difference. It's taken about a year and some digging, but I've got a very good foundation ruleset that works extremely well. And personally I don't consider blocking on countries or regions is a luxury, but rather a necessity. Anyone can do it and should of they're running a mail server that is accepting direct SMTP connections.
Since my mail server is already behind a router the rule set is very simple, but extremely effective and very portable.
Thought I'd send this along as well. It's a small perl script that will make batch processing spammers IP addresses a little easier and faster. It isn't pretty or much past beta, but it gets the job done.
The script does a whois lookup on the IP address, grabs the IP range and writes a rule which gets put into the "chains" file. Once it's processed all the addresses it writes out the file afresh. At that point just run the chains file from where ever you've placed it. (at the moment is has trouble processing whois information when arin redirects to some of suib-whois server. And you have to watch when it does a whois lookup on a LACNIC address because they display their IP range information much differently than APNIC or RIPE so, some hand editing after the batch processing may need done. YMMV) Like I said... it's still beta.
to use the script simply place the spam IP addresses harvested from the spam email headers into a simple text file, one address per line. (edit the script and replace the current file name storing the IP addresses with what ever you've called your IP address file) Then run the script like so: perl proc_ip_list.pl [ENTER]
You'll see a listing of rules being printed out on the console screen, or a message letting you know that the address or address range already exists in the "chains" file. Once the program completes upload or copy the fresh copy of chains to it's place and run "chains" from the command line. ( I keep mine in the /bin directory )
EX: /bin/chains [ENTER]
It will flush Iptables and set the new rules in place.