On 16/07/10 20:07, Igor Chudov wrote:
> I receive a large number of spams from network IPs belonging to
> SharkTech, 70.39.69.99 or so and so on.
>
> They advertise romantic encounters with people born prior to 50 years
> ago, small increment auxions, ability to borrow money using house as
> collateral, and other scams. Examples are here:
>
> http://igor.chudov.com/tmp/spam011.txt
>
> I am being hit pretty badly and feel annoyed.
>
> How can I write a rule to blacklist a whole IP subnet?
>
> Any ideas?
>
> If anyone knows what I am doing wrong so that these spams do not
> score, please let me know. I am using Ubuntu Lucid, which is pretty
> recent.
To score in SpamAssassin, you could try something like:
header RCVD_FROM_70_39_69 Received =~ /\[70\.39\.69\.\d{1,3}/
score RCVD_FROM_70_39_69 1.0
describe RCVD_FROM_70_39_69 Received from 70.39.69.0/24
Obviously this is easier for /16, /24 subnets etc.
However, I would not bother scoring these hits in SA, but would rather
block at the MTA level. Assuming you are running Postfix (as you're
using Ubuntu), you can create a cidr format table to blacklist/whitelist
IP addresses in cidr notation at the smtp level. For example, add to
your smtpd_recipient_restrictions:
check_client_access cidr:/etc/postfix/client.cidr
and create an /etc/postfix/client.cidr file like so:
# /etc/postfix/client.cidr
#
# See http://www.postfix.org/cidr_table.5.html
# *** No need to postmap this table ***
#
# Black/Whitelist for client IP addresses
#
70.39.69.99 REJECT
70.39.69.0/24 REJECT
and issue 'postfix reload' to pick up the changes.
Hope that helps.
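
Added example, not part of the original message: a small Python check for a client.cidr table like the one above, which reports which action a given client IP would get (first matching line wins, as in a Postfix cidr table) and flags entries whose host bits are set. It handles only plain "pattern action" lines; the function names and the extra malformed entry in the sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the table from the message above, plus one deliberately
# malformed entry (host bits set in a /24) to exercise the check.
SAMPLE_TABLE = """\
# /etc/postfix/client.cidr
70.39.69.99      REJECT
70.39.69.0/24    REJECT
70.39.69.99/24   REJECT
"""

def parse_table(text):
    """Return (rules, problems); rules is an ordered list of (network, action)."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append((lineno, "missing action"))
            continue
        pattern, action = parts
        try:
            # strict=True raises if the address part has non-zero host bits
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        rules.append((net, action.strip()))
    return rules, problems

def lookup(rules, client_ip):
    """Return the action of the first rule matching client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

if __name__ == "__main__":
    rules, problems = parse_table(SAMPLE_TABLE)
    for lineno, why in problems:
        print(f"line {lineno}: {why}")
    for ip in ("70.39.69.99", "70.39.69.5", "70.39.70.1"):
        print(ip, "->", lookup(rules, ip))
```

On the mail server itself, `postmap -q 70.39.69.5 cidr:/etc/postfix/client.cidr` queries the real table the same way.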