I rent webspace including a mailserver, and I am getting walloped by spam daily. When it got to a hundred a day, I decided to take some drastic action.
The nature of my site is such that I don't expect legitimate emails from non-English speaking countries. Following a 3-month analysis of my spam, I found about 50% of it originated in Asia, South America, and the Former Soviet Union, including Poland and the Czech Republic.
I then started to consruct IPTABLES rules which blocked not only SMTP connections, but any type of connection from large IP blocks in these countries. The decision to block all access was intended to reduce the risk of hacking, which is also prevalent in most of these countries. There was and remains an issue with Asia, because Australia is administered by APNIC, the same registrar which administers China, Japan, etc. but since I get relatively little interest from Australia, I decided it was worth the sacrifice.
I ran into a problem with table space (which is managed by my ISP). Initially I could only employ around 120 rules, but after discussion with my ISP I managed to get that doubled. Because of the limited number of rules, I can't always add new rules when new domains become active spammers, so periodically I have to delete inactive filters to allow me to add active ones. Mu current tables are as follows if anyone wants to use them:
iptables -A INPUT -s 41.196.0.0/16 -j DROP
iptables -A INPUT -s 41.248.0.0/14 -j DROP
iptables -A INPUT -s 58.0.0.0/7 -j DROP
iptables -A INPUT -s 60.0.0.0/7 -j DROP
iptables -A INPUT -s 62.16.0.0/16 -j DROP
iptables -A INPUT -s 62.21.0.0/17 -j DROP
iptables -A INPUT -s 62.24.64.0/18 -j DROP
iptables -A INPUT -s 62.109.0.0/16 -j DROP
iptables -A INPUT -s 62.135.0.0/17 -j DROP
iptables -A INPUT -s 62.148.128.0/19 -j DROP
iptables -A INPUT -s 62.215.0.0/16 -j DROP
iptables -A INPUT -s 69.79.0.0/16 -j DROP
iptables -A INPUT -s 77.40.0.0/15 -j DROP
iptables -A INPUT -s 77.45.0.0/16 -j DROP
iptables -A INPUT -s 77.46.0.0/15 -j DROP
iptables -A INPUT -s 77.50.0.0/15 -j DROP
iptables -A INPUT -s 77.81.0.0/16 -j DROP
iptables -A INPUT -s 77.85.0.0/16 -j DROP
iptables -A INPUT -s 77.91.0.0/18 -j DROP
iptables -A INPUT -s 77.120.0.0/14 -j DROP
iptables -A INPUT -s 77.236.0.0/16 -j DROP
iptables -A INPUT -s 77.241.32.0/20 -j DROP
iptables -A INPUT -s 77.252.0.0/14 -j DROP
iptables -A INPUT -s 78.0.0.0/14 -j DROP
iptables -A INPUT -s 78.36.0.0/14 -j DROP
iptables -A INPUT -s 78.56.0.0/13 -j DROP
iptables -A INPUT -s 78.84.0.0/15 -j DROP
iptables -A INPUT -s 78.102.0.0/15 -j DROP
iptables -A INPUT -s 78.106.0.0/15 -j DROP
iptables -A INPUT -s 78.109.16.0/17 -j DROP
iptables -A INPUT -s 78.131.0.0/16 -j DROP
iptables -A INPUT -s 78.139.0.0/16 -j DROP
iptables -A INPUT -s 78.160.0.0/11 -j DROP
iptables -A INPUT -s 79.112.0.0/13 -j DROP
iptables -A INPUT -s 79.120.0.0/16 -j DROP
iptables -A INPUT -s 79.125.128.0/17 -j DROP
iptables -A INPUT -s 79.139.0.0/16 -j DROP
iptables -A INPUT -s 79.140.128.0/18 -j DROP
iptables -A INPUT -s 79.184.0.0/13 -j DROP
iptables -A INPUT -s 80.48.0.0/13 -j DROP
iptables -A INPUT -s 80.96.188.0/22 -j DROP
iptables -A INPUT -s 80.98.0.0/15 -j DROP
iptables -A INPUT -s 80.128.0.0/11 -j DROP
iptables -A INPUT -s 80.188.0.0/16 -j DROP
iptables -A INPUT -s 80.243.144.0/20 -j DROP
iptables -A INPUT -s 80.252.128.0/19 -j DROP
iptables -A INPUT -s 81.13.0.0/17 -j DROP
iptables -A INPUT -s 81.30.192.0/19 -j DROP
iptables -A INPUT -s 81.88.0.0/16 -j DROP
iptables -A INPUT -s 81.176.0.0/15 -j DROP
iptables -A INPUT -s 81.190.0.0/16 -j DROP
iptables -A INPUT -s 81.192.0.0/16 -j DROP
iptables -A INPUT -s 81.198.0.0/16 -j DROP
iptables -A INPUT -s 81.214.0.0/15 -j DROP
iptables -A INPUT -s 81.222.0.0/16 -j DROP
iptables -A INPUT -s 82.76.0.0/14 -j DROP
iptables -A INPUT -s 82.114.0.0/16 -j DROP
iptables -A INPUT -s 82.119.128.0/19 -j DROP
iptables -A INPUT -s 82.131.128.0/17 -j DROP
iptables -A INPUT -s 82.135.128.0/17 -j DROP
iptables -A INPUT -s 82.138.0.0/18 -j DROP
iptables -A INPUT -s 82.150.160.0/19 -j DROP
iptables -A INPUT -s 82.201.128.0/17 -j DROP
iptables -A INPUT -s 82.204.128.0/17 -j DROP
iptables -A INPUT -s 82.207.0.0/17 -j DROP
iptables -A INPUT -s 83.0.0.0/11 -j DROP
iptables -A INPUT -s 83.103.0.0/16 -j DROP
iptables -A INPUT -s 83.131.0.0/16 -j DROP
iptables -A INPUT -s 83.144.64.0/18 -j DROP
iptables -A INPUT -s 83.145.128.0/18 -j DROP
iptables -A INPUT -s 83.167.0.0/17 -j DROP
iptables -A INPUT -s 83.237.0.0/16 -j DROP
iptables -A INPUT -s 83.238.0.0/15 -j DROP
iptables -A INPUT -s 84.0.0.0/14 -j DROP
iptables -A INPUT -s 84.10.0.0/16 -j DROP
iptables -A INPUT -s 84.32.0.0/16 -j DROP
iptables -A INPUT -s 84.38.0.0/19 -j DROP
iptables -A INPUT -s 84.42.0.0/16 -j DROP
iptables -A INPUT -s 84.47.0.0/16 -j DROP
iptables -A INPUT -s 84.55.0.0/17 -j DROP
iptables -A INPUT -s 84.204.0.0/16 -j DROP
iptables -A INPUT -s 85.14.64.0/18 -j DROP
iptables -A INPUT -s 85.21.0.0/16 -j DROP
iptables -A INPUT -s 85.28.0.0/16 -j DROP
iptables -A INPUT -s 85.30.64.0/18 -j DROP
iptables -A INPUT -s 85.66.0.0/15 -j DROP
iptables -A INPUT -s 85.70.0.0/15 -j DROP
iptables -A INPUT -s 85.72.0.0/14 -j DROP
iptables -A INPUT -s 85.91.128.0/19 -j DROP
iptables -A INPUT -s 85.94.0.0/16 -j DROP
iptables -A INPUT -s 85.96.0.0/12 -j DROP
iptables -A INPUT -s 85.118.64.0/18 -j DROP
iptables -A INPUT -s 85.128.0.0/16 -j DROP
iptables -A INPUT -s 85.130.0.0/17 -j DROP
iptables -A INPUT -s 85.132.0.0/16 -j DROP
iptables -A INPUT -s 85.135.0.0/16 -j DROP
iptables -A INPUT -s 85.140.0.0/14 -j DROP
iptables -A INPUT -s 85.172.0.0/14 -j DROP
iptables -A INPUT -s 85.185.128.0/17 -j DROP
iptables -A INPUT -s 85.186.0.0/15 -j DROP
iptables -A INPUT -s 85.204.0.0/16 -j DROP
iptables -A INPUT -s 85.207.0.0/16 -j DROP
iptables -A INPUT -s 85.216.128.0/17 -j DROP
iptables -A INPUT -s 85.221.128.0/17 -j DROP
iptables -A INPUT -s 85.222.0.0/16 -j DROP
iptables -A INPUT -s 85.248.0.0/15 -j DROP
iptables -A INPUT -s 85.254.0.0/16 -j DROP
iptables -A INPUT -s 85.255.96.0/19 -j DROP
iptables -A INPUT -s 86.34.0.0/15 -j DROP
iptables -A INPUT -s 86.57.128.0/17 -j DROP
iptables -A INPUT -s 86.63.64.0/18 -j DROP
iptables -A INPUT -s 86.96.0.0/14 -j DROP
iptables -A INPUT -s 86.100.0.0/15 -j DROP
iptables -A INPUT -s 86.104.0.0/14 -j DROP
iptables -A INPUT -s 86.110.160.0/19 -j DROP
iptables -A INPUT -s 86.120.0.0/13 -j DROP
iptables -A INPUT -s 87.97.0.0/16 -j DROP
iptables -A INPUT -s 87.103.128.0/17 -j DROP
iptables -A INPUT -s 87.105.0.0/16 -j DROP
iptables -A INPUT -s 87.116.128.0/18 -j DROP
iptables -A INPUT -s 87.117.0.0/18 -j DROP
iptables -A INPUT -s 87.120.0.0/15 -j DROP
iptables -A INPUT -s 87.126.0.0/16 -j DROP
iptables -A INPUT -s 87.128.0.0/10 -j DROP
iptables -A INPUT -s 87.202.0.0/15 -j DROP
iptables -A INPUT -s 87.204.0.0/14 -j DROP
iptables -A INPUT -s 87.224.128.0/17 -j DROP
iptables -A INPUT -s 87.226.0.0/16 -j DROP
iptables -A INPUT -s 87.228.0.0/17 -j DROP
iptables -A INPUT -s 87.230.0.0/16 -j DROP
iptables -A INPUT -s 87.236.0.0/18 -j DROP
iptables -A INPUT -s 87.237.112.0/21 -j DROP
iptables -A INPUT -s 87.241.0.0/16 -j DROP
iptables -A INPUT -s 87.245.128.0/18 -j DROP
iptables -A INPUT -s 87.248.64.0/19 -j DROP
iptables -A INPUT -s 87.248.160.0/19 -j DROP
iptables -A INPUT -s 87.251.0.0/16 -j DROP
iptables -A INPUT -s 88.84.192.0/19 -j DROP
iptables -A INPUT -s 88.100.0.0/14 -j DROP
iptables -A INPUT -s 88.147.128.0/17 -j DROP
iptables -A INPUT -s 88.156.0.0/16 -j DROP
iptables -A INPUT -s 88.199.0.0/16 -j DROP
iptables -A INPUT -s 88.201.0.0/16 -j DROP
iptables -A INPUT -s 88.204.128.0/17 -j DROP
iptables -A INPUT -s 88.205.0.0/16 -j DROP
iptables -A INPUT -s 88.207.0.0/16 -j DROP
iptables -A INPUT -s 88.224.0.0/11 -j DROP
iptables -A INPUT -s 89.20.128.0/19 -j DROP
iptables -A INPUT -s 89.32.0.0/12 -j DROP
iptables -A INPUT -s 89.64.0.0/12 -j DROP
iptables -A INPUT -s 89.102.0.0/15 -j DROP
iptables -A INPUT -s 89.106.0.0/18 -j DROP
iptables -A INPUT -s 89.108.0.0/16 -j DROP
iptables -A INPUT -s 89.109.0.0/18 -j DROP
iptables -A INPUT -s 89.110.0.0/16 -j DROP
iptables -A INPUT -s 89.120.0.0/14 -j DROP
iptables -A INPUT -s 89.132.0.0/14 -j DROP
iptables -A INPUT -s 89.136.0.0/15 -j DROP
iptables -A INPUT -s 89.142.0.0/16 -j DROP
iptables -A INPUT -s 89.147.64.0/18 -j DROP
iptables -A INPUT -s 89.149.0.0/16 -j DROP
iptables -A INPUT -s 89.151.128.0/17 -j DROP
iptables -A INPUT -s 89.160.0.0/11 -j DROP
iptables -A INPUT -s 89.208.0.0/16 -j DROP
iptables -A INPUT -s 89.210.0.0/15 -j DROP
iptables -A INPUT -s 89.212.0.0/16 -j DROP
iptables -A INPUT -s 89.215.0.0/16 -j DROP
iptables -A INPUT -s 89.216.0.0/16 -j DROP
iptables -A INPUT -s 89.218.0.0/15 -j DROP
iptables -A INPUT -s 89.223.0.0/16 -j DROP
iptables -A INPUT -s 89.228.0.0/14 -j DROP
iptables -A INPUT -s 89.248.80.0/20 -j DROP
iptables -A INPUT -s 90.150.0.0/16 -j DROP
iptables -A INPUT -s 90.156.0.0/16 -j DROP
iptables -A INPUT -s 90.188.0.0/15 -j DROP
iptables -A INPUT -s 91.76.0.0/14 -j DROP
iptables -A INPUT -s 91.122.0.0/16 -j DROP
iptables -A INPUT -s 91.124.0.0/16 -j DROP
iptables -A INPUT -s 91.139.0.0/16 -j DROP
iptables -A INPUT -s 91.140.0.0/16 -j DROP
iptables -A INPUT -s 91.144.128.0/18 -j DROP
iptables -A INPUT -s 92.112.0.0/15 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/13 -j DROP
iptables -A INPUT -s 117.24.0.0/13 -j DROP
iptables -A INPUT -s 117.104.192.0/18 -j DROP
iptables -A INPUT -s 118.68.0.0/14 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/7 -j DROP
iptables -A INPUT -s 124.0.0.0/7 -j DROP
iptables -A INPUT -s 140.128.0.0/13 -j DROP
iptables -A INPUT -s 148.208.0.0/12 -j DROP
iptables -A INPUT -s 157.157.0.0/16 -j DROP
iptables -A INPUT -s 159.148.0.0/16 -j DROP
iptables -A INPUT -s 168.226.0.0/16 -j DROP
iptables -A INPUT -s 189.0.0.0/8 -j DROP
iptables -A INPUT -s 190.0.0.0/8 -j DROP
iptables -A INPUT -s 194.6.216.0/21 -j DROP
iptables -A INPUT -s 194.67.0.0/16 -j DROP
iptables -A INPUT -s 194.186.0.0/16 -j DROP
iptables -A INPUT -s 194.219.0.0/16 -j DROP
iptables -A INPUT -s 195.2.96.0/19 -j DROP
iptables -A INPUT -s 195.131.0.0/16 -j DROP
iptables -A INPUT -s 195.205.0.0/16 -j DROP
iptables -A INPUT -s 195.222.112.0/20 -j DROP
iptables -A INPUT -s 195.229.0.0/16 -j DROP
iptables -A INPUT -s 196.0.0.0/8 -j DROP
iptables -A INPUT -s 200.0.0.0/6 -j DROP
iptables -A INPUT -s 207.248.0.0/15 -j DROP
iptables -A INPUT -s 210.0.0.0/7 -j DROP
iptables -A INPUT -s 212.12.0.0/19 -j DROP
iptables -A INPUT -s 212.15.0.0/16 -j DROP
iptables -A INPUT -s 212.33.128.0/17 -j DROP
iptables -A INPUT -s 212.71.128.0/18 -j DROP
iptables -A INPUT -s 212.76.0.0/17 -j DROP
iptables -A INPUT -s 212.96.0.0/16 -j DROP
iptables -A INPUT -s 212.128.0.0/9 -j DROP
iptables -A INPUT -s 213.76.0.0/16 -j DROP
iptables -A INPUT -s 213.85.0.0/16 -j DROP
iptables -A INPUT -s 213.91.128.0/17 -j DROP
iptables -A INPUT -s 213.141.128.0/19 -j DROP
iptables -A INPUT -s 213.143.64.0/19 -j DROP
iptables -A INPUT -s 213.163.96.0/19 -j DROP
iptables -A INPUT -s 213.167.32.0/19 -j DROP
iptables -A INPUT -s 213.179.224.0/19 -j DROP
iptables -A INPUT -s 213.197.128.0/16 -j DROP
iptables -A INPUT -s 213.220.192.0/18 -j DROP
iptables -A INPUT -s 217.15.128.0/19 -j DROP
iptables -A INPUT -s 217.20.128.0/18 -j DROP
iptables -A INPUT -s 217.148.192.0/19 -j DROP
iptables -A INPUT -s 217.150.32.0/19 -j DROP
iptables -A INPUT -s 217.164.0.0/15 -j DROP
iptables -A INPUT -s 218.0.0.0/7 -j DROP
iptables -A INPUT -s 220.0.0.0/7 -j DROP
iptables -A INPUT -s 222.0.0.0/8 -j DROP
Full Version: LINUX IPTABLES cuts my spam by 40-50%
A couple of things I forgot to mention.
A side benefit of this approach is that when a bot which is blocked by the rules attempts to send to my server, it hangs about waiting for a response until a timeout occurs. This has two beneficial effects:
a) it slows down the infected computer, possibly prompting the owner to suspect that there is something wrong and getting it checked.
It reduces spam throughput.
The worst offenders (following filtering) are:
1. United States - 32%
2. Germany - 7.5%
3. Russian Federation - 7.5%
4. France - 6.5%
5. United Kingdom - 5%
6. Spain - 4%
7. Israel - 3.2%
8. Poland - 3%
9. Italy - 2.3%
10. Canada - 1.6%
Total 70.6% of received spam.
A side benefit of this approach is that when a bot which is blocked by the rules attempts to send to my server, it hangs about waiting for a response until a timeout occurs. This has two beneficial effects:
a) it slows down the infected computer, possibly prompting the owner to suspect that there is something wrong and getting it checked.
It reduces spam throughput.The worst offenders (following filtering) are:
1. United States - 32%
2. Germany - 7.5%
3. Russian Federation - 7.5%
4. France - 6.5%
5. United Kingdom - 5%
6. Spain - 4%
7. Israel - 3.2%
8. Poland - 3%
9. Italy - 2.3%
10. Canada - 1.6%
Total 70.6% of received spam.
QUOTE(ufo-joe @ Mar 25 2008, 09:07 AM) 
...I then started to consruct IPTABLES rules which blocked not only SMTP connections, but any type of connection from large IP blocks in these countries. ...
Yep, it works - blocked a 203.something query to port 80.QUOTE(ufo-joe @ Mar 25 2008, 09:07 AM)
...There was and remains an issue with Asia, because Australia is administered by APNIC, the same registrar which administers China, Japan, etc. but since I get relatively little interest from Australia, ...
Even less now.QUOTE(ufo-joe @ Mar 25 2008, 09:07 AM)
... I decided it was worth the sacrifice. ...
Yeah, well, we haven't done much for the old country lately anyway. 
Your server, your rules, glad to hear you have a solution that suits you.
QUOTE(ufo-joe @ Mar 24 2008, 05:07 PM)
I rent webspace including a mailserver, and I am getting walloped by spam daily.
You don't have a "catch-all" email function active, do you?
DT
Where do you find information about countries and IP ranges? I would like to build a similar list but with different countries (for example, I should not block Italy as I own an italian site....!)
QUOTE(mythsmith @ Mar 26 2008, 06:48 PM)
Where do you find information about countries and IP ranges? I would like to build a similar list but with different countries (for example, I should not block Italy as I own an italian site....!)
The work has already been done.
Copying from another thread
News flash! In the SC email account blacklists, JT has swapped out the old "blackholes.us" options (Argentina, Brazil, and Nigeria) for the list at "countries.nerd.dk/more.html."
DT
= which got me to :-
Recently, a zz.countries.nerd.dk zone has been added, enabling you to do a single lookup and find the country of a given IP address - the zz-zone uses ISO 3166 Number codes encoded in the last two octets of the reply, for example a lookup of an IP address in Denmark would give a reply of 127.0.0.208 (208=Denmark), while a US IP would give 127.0.3.72 (3*256+72=840=USA)
240 = http://countries.nerd.dk/isolist.txt
I understand very little of your post, anyway I do not need a name server to query but a static list of ranges to feed iptables with, as done in the first post of the thread.
QUOTE(mythsmith @ Mar 26 2008, 03:02 PM)
I understand very little of your post, anyway I do not need a name server to query but a static list of ranges to feed iptables with, as done in the first post of the thread.
This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....
And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?
QUOTE(Wazoo @ Mar 26 2008, 04:44 PM)
This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....
And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?
And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?
No time right now, but there was recently a thread which included a website to build an .htaccess entry for specific countries. Probably in the Geeks section.
Hi David,
Yes, I do, but that gets relatively little activity. I am active on half-a-dozen mail lists (including one administered by me), and it is mainly on addresses I use for those which I get clobbered.
Cheers,
Joe
QUOTE(DavidT @ Mar 26 2008, 02:00 PM)
You don't have a "catch-all" email function active, do you?
Yes, I do, but that gets relatively little activity. I am active on half-a-dozen mail lists (including one administered by me), and it is mainly on addresses I use for those which I get clobbered.
Cheers,
Joe
QUOTE(Wazoo @ Mar 26 2008, 09:44 PM)
This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....
Well, I can update it anytime it is needed...
QUOTE(Wazoo @ Mar 26 2008, 09:44 PM)
And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?
And could you adsorb the performance impact of doing a geoiplookup everytime you get an ip packet?
The best thing to do would be to do a posteriori geoiplookups on web server or mail server logs, and dynamically blacklist only those blocks that are active sending stuff from the selected area.
For example, I want to block Asia. Once a day I do some geoip on pieces of my mail/web logs and block only those asian blocks that appear active, removing from the blacklist those which wasn't active say in last 6 months. And anytime spamassassin classifies as spam an email coming from an asian address, the parent ip range will be immediately blacklisted.
Hi Mythsmith,
Europe is a particularly difficult area to write filters for. The adminstrative agency is RIPE, and for some reason, the address space allocated by RIPE is very fragmented, often being allocated in small chunks of addresses.
The way I have been managing my filters involves obtaining the sending IP address from the Spamcop reporting output, then entering the address into 'whois' at http://www.domaintools.com. This provides the subnet mask in CDIR form. I thrn check addresses above and below the specified CDIR to see if I can reasonably expand the addresses covered - for instance, it may be an address range in poland that I have reported, but the adjacent addresses might make up a /17 range could be in Romania and Greece, in which case I enlarge the CDIR accordingly. This is because I don't expect traffic from those countries and I get significant amounts of spam from them as well.
If you (or anyone else that wants a copy) send me your email address via PM, I will happily send you copies of my working spreadsheet which contains a lot of information along the lines you require.
Cheers,
Joe
QUOTE(mythsmith @ Mar 26 2008, 06:48 PM)
Where do you find information about countries and IP ranges? I would like to build a similar list but with different countries (for example, I should not block Italy as I own an italian site....!)
Europe is a particularly difficult area to write filters for. The adminstrative agency is RIPE, and for some reason, the address space allocated by RIPE is very fragmented, often being allocated in small chunks of addresses.
The way I have been managing my filters involves obtaining the sending IP address from the Spamcop reporting output, then entering the address into 'whois' at http://www.domaintools.com. This provides the subnet mask in CDIR form. I thrn check addresses above and below the specified CDIR to see if I can reasonably expand the addresses covered - for instance, it may be an address range in poland that I have reported, but the adjacent addresses might make up a /17 range could be in Romania and Greece, in which case I enlarge the CDIR accordingly. This is because I don't expect traffic from those countries and I get significant amounts of spam from them as well.
If you (or anyone else that wants a copy) send me your email address via PM, I will happily send you copies of my working spreadsheet which contains a lot of information along the lines you require.
Cheers,
Joe
QUOTE(Wazoo @ Mar 26 2008, 08:44 PM)
This part of the answer you seemed to have missed ..... the rarity of "lists of Country IP Addresses" is because the assignment of IP Addresses (Blocks) is NOT 'static' ....
Not only is it not static, but spam traffic periodically disappears and reappears from some ranges. Another reason for occasionally removing ranges from the banned list (most eventually become active again, but not all).
QUOTE
And just to toss up another side of using a massive list like the example ..... can you absorb the performance impact?
This is an interesting point - although the server has to validate every packet against the table, it doesn't have to process dropped traffic (portscans, brute-force password attacks, and SMTP, for instance), so there might actually be a reduction in load. It hasn't caused me any problems and I run an active forum, website, and mail list on the server.
Cheersm
Joe
QUOTE(StevenUnderwood @ Mar 26 2008, 07:56 PM)
No time right now, but there was recently a thread which included a website to build an .htaccess entry for specific countries. Probably in the Geeks section.
Just back from my business trip. The site I was talking about is: http://blockacountry.com/
Since I opened this thread, my server has been under what appears to be either a series of DoS attacks, or attempts to discover the active filters.
If this is someone on this forum testing my filters, please desist, I have enough genuine hacking attempts to deal with without the logs filling up with 'tests'. If it was someone on here with benign intentions, please let me know via PM (no action will be taken). I will treat further attacks as hostile following this post.
Cheers,
Joe
If this is someone on this forum testing my filters, please desist, I have enough genuine hacking attempts to deal with without the logs filling up with 'tests'. If it was someone on here with benign intentions, please let me know via PM (no action will be taken). I will treat further attacks as hostile following this post.
Cheers,
Joe
QUOTE(ufo-joe @ Apr 3 2008, 08:49 AM)
If this is someone on this forum testing my filters...
Highly unlikely....they would have posted to let you know what they were doing. We simply don't have that kind of people here.
DT
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.