Mikael Bak put forth on 12/9/2009 4:18 AM:

> I understand why you avoid the real question. But hey - it's your server :-)

Do you? I have avoided it because these threads can quickly delve into childish mud slinging if the participants aren't civil thoughtful adults. I'm assuming we are all civil adults, and can have a valid thoughtful discussion. So, I will explain my configuration and the reasons for it.

I smtp block a number of countries' IP space using ipdeny data (http://ipdeny.com/) and ccTLDs. The reason is simple mathematics. I receive or have received large amounts of spam from these netblocks. Given I have no legit direct senders (or 1, now, in the case of Hungary) in those countries, it is simply a more efficient and more complete way to block spam from said sources without wasting time playing whack-a-mole.

Just so you don't feel I'm singling out Hungary for some dishonorable or nefarious reason, here's my current country blocking scheme. Each entry was prompted by copious inbound spam attempts. Note that I'm not blocking every country in the world but the US, but countries that have been irritating sources of spam here.

cidr=cidr:/etc/postfix/cidr_files

smtpd_client_restrictions =
        check_client_access ${cidr}/china
        check_client_access ${cidr}/korea
        check_client_access ${cidr}/russia
        check_client_access ${cidr}/ukraine
        check_client_access ${cidr}/malaysia
        check_client_access ${cidr}/belarus
        check_client_access ${cidr}/indonesia
        check_client_access ${cidr}/hongkong
        check_client_access ${cidr}/africa
        check_client_access ${cidr}/romania
        check_client_access ${cidr}/thailand
        check_client_access ${cidr}/panama
        check_client_access ${cidr}/poland
        check_client_access ${cidr}/hungary
        check_client_access ${cidr}/spammer
        check_client_access ${cidr}/syptec
        check_client_access ${cidr}/hurricane-electric
        check_client_access ${cidr}/richk-1
        check_client_access hash:/etc/postfix/coolsavings.access
        check_client_access hash:/etc/postfix/richk-1.access
        check_client_access pcre:/etc/postfix/access.pcre

/etc/postfix/access.pcre

# ban the following country TLDs in FQrDNS names
/^.*?\.(an|lv|ec|id|ph|at|hu|tr|ee|dk|pl|ro|my|co|tw|br|za|do|cz|bg|by|kr|jp|fr|cn|ru)$/i 550 We do not accept mail from .$1 domains

I've got some overlap, but they're checking different things. I've seen sending hosts in US colo facilities with .ru, .br, etc ccTLDs in FQrDNS and there's no legit reason I'd be receiving email from such anonymous web hosts.

I've been running this config for many months now, parts of it for years. Your email was the first "false positive" generated by this configuration out of hundreds of thousands of connection attempts.

../spammer is my main US block file. The 5 following it also deal with US spammers or spam supporting ISPs. Currently spammer has almost 1000 CIDRs ranging from /12s to /27s. It also has a few entries in other countries not covered by the method above.

I don't use SA or any other content filtering. IMHO content filtering is a dead end. This works well for my site. YMMV.

--
Stan
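
The overlap between the address tables and the rDNS pattern described in the message above, as an added example that is not part of the original post and not Postfix code. It is a Python model of the lookup order; the networks, host names and the function names are constructed for illustration, and the pattern is a subset of the posted ccTLD list with a literal dot before the alternation.

```python
import ipaddress
import re

# Constructed stand-in for one cidr: table (documentation ranges, not ipdeny data).
CIDR_TABLE = [
    ("198.51.100.0/24", "REJECT"),
    ("203.0.113.0/25", "REJECT"),
]

# Subset of the ccTLD list. The literal dot makes the alternation match only a
# whole final label; without it "ro" would also match a name ending in ".pro".
TLD_RE = re.compile(r"^.*?\.(hu|pl|ro|ru|br|cn)$", re.IGNORECASE)


def cidr_lookup(addr):
    """Return the action of the first network containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    for net, action in CIDR_TABLE:
        if ip in ipaddress.ip_network(net):
            return action
    return None


def pcre_lookup(name):
    """Match the client name against the TLD pattern and expand $1 in the reply."""
    m = TLD_RE.match(name)
    if m:
        return "550 We do not accept mail from .%s domains" % m.group(1)
    return None


def check_client(addr, name):
    """Evaluate the tables in order; the first one that returns a result decides."""
    return cidr_lookup(addr) or pcre_lookup(name) or "DUNNO"


# Constructed clients: (address, verified reverse-DNS name as Postfix would log it).
SAMPLES = [
    ("198.51.100.7", "mail.example.hu"),     # inside a blocked netblock
    ("192.0.2.10", "host7.colo.example.ru"), # unblocked address, ccTLD in rDNS
    ("192.0.2.11", "mx.example.pro"),        # ends in "ro" but is not .ro
    ("192.0.2.12", "unknown"),               # no forward-confirmed rDNS name
    ("203.0.113.200", "mx.example.com"),     # just outside the /25
]

if __name__ == "__main__":
    for addr, name in SAMPLES:
        print(addr, name, "->", check_client(addr, name))
```

A client whose reverse DNS does not forward-confirm is seen by Postfix as "unknown", so only the address tables can act on it.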