OT: Blocking persistent spammers using IPTables?

Alex Neuman alex at rtpty.com
Thu Apr 29 12:22:02 IST 2010


I believe Pat Morita put it best in "Karate Kid Part 2" when he said:

"Remember, best block, no be there."

So yes, using iptables definitely *is* the best way to go... As long as you're blocking smartly. MTA-level blocks are better (even though they're more CPU-intensive) only where you *need* to tell people "I'm not receiving mail from your IP for X and Y reason". If the definition you're using when blocking through iptables only includes conditions that would make it impossible for a legitimate user to be connecting to your server, then by all means implement it. If there is even a chance that a legitimate user will be connecting to your server from that IP address, then dropping the traffic would add some time to the support call, since you'd have to determine if the user's IP address is blacklisted at the firewall level.


On Apr 29, 2010, at 2:48 AM, hvdkooij wrote:

> Blocking based on iptables is very, very light. Spawning another postfix
> process to handle the new connection and reject it is much more CPU
> intensive.


