Blacklist IP Address in Spam Assassin?

[urantian]

I know how to block domain names in Spam Assassin. However, there is one organization using a block of IP addresses and MANY domains to send spam, which is getting through.

Is it possible to blacklist specific IP addresses?

---Michael

[Spiral]

Yes, you can block the IP address in Spamassassin's configuration and use a blacklist_from to filter out mail from those IP address(es).

HOWEVER ...

You would be better off also blocking the IP address(es) from your firewall or as an IPTABLES filter.

A couple of examples:

Code:

# iptables -A INPUT -s x.x.x.x -p tcp --dport 25 -j DROP
# iptables -A INPUT -s x.x.x.x -j REJECT

You can also have the IP's dropped directly from Exim or setup an
RBL / Blocklist to filter out the IP addresses.

You can drop the IP(s) in the /etc/hosts.deny

Point is that there is dozens of different ways to drop the mail and connections if you know the source IP address.

[urantian]

Thank you very much for the list of options.

---Michael

[urantian]

I want to use the hosts.deny file to block IP address from sending email to my server. This is the format I am using:

ALL : 69.174.245.

My intention is to block all IP addresses used by this marketer, such as 69.174.245.95 through 69.174.245.110.

However, it does not appear to be working, as messages are still coming through. Am I using the wrong format, or the wrong file, to block email?

Thank you!

---Michael

[Spiral]

I want to use the hosts.deny file to block IP address from sending email to my server. This is the format I am using:

ALL : 69.174.245.

My intention is to block all IP addresses used by this marketer, such as 69.174.245.95 through 69.174.245.110.

However, it does not appear to be working, as messages are still coming through. Am I using the wrong format, or the wrong file, to block email?

Thank you!

---Michael

If you are wanting to block a range of IP addresses, hosts.deny is really the wrong choice!

I would block a CIDR range with IPTABLES for that ...

Code:

iptables -A INPUT -s 69.174.245.95/32 -p tcp --dport 25:26 -j DROP
iptables -A INPUT -s 69.174.245.96/29 -p tcp --dport 25:26 -j DROP 
iptables -A INPUT -s 69.174.245.104/30 -p tcp --dport 25:26 -j DROP
iptables -A INPUT -s 69.174.245.108/31 -p tcp --dport 25:26 -j DROP
iptables -A INPUT -s 69.174.245.110/32 -p tcp --dport 25:26 -j DROP

The IP range you gave is part of a larger registered block at Server Beach
which could be simplified to the following if you want to block the whole block:

Code:

iptables -A INPUT -s 69.174.240.0/20 -p tcp --dport 25:26 -j DROP

The above commands will block ONLY incoming mail will not interfere
with any other traffic to or from those addresses.

If you have CSF or APF, a similiar filter could be configured from those firewalls
which are basically just a front end for iptables as well.

Now for me, I have setup a DNS (RBL) Blocklist database and have Exim configured
to check IP's against my own RBL database which gives me total control to adding
my own custom block ranges and is very easy to manage that works along side
SpamCop and other blocklists out there. You might want to look at something similiar.

[urantian]

Thank you, Spiral. That is VERY helpful.

---Michael

[usm2000]

Hello,
I just want to clarify something
If I block ip address using iptables, that will block also any email coming from this ip address
Thanks