On 8/25/2013 1:11 PM, Niclas Arndt wrote:
> Hi,
>
> Sorry if this is slightly off-topic, but at least a bunch of experts
> are listening.
>
> I am using Spamhaus (and other methods) and over time I have amassed
> a list of IP ranges that (according to Spamhaus) shouldn't be
> sending e-mail at all. One problem is that this list tends to become
> quite long and another is that I would like to verify it so that I
> don't eventually block legitimate e-mail.
>
> On the other hand, I would like to place as little a load as
> possible on Spamhaus.
>
> Here are my questions: Is the iptables approach at all viable in the
> long run? Is there any non-commercial way to upload a text file
> containing spamming IP addresses and have it verified for correctness?
>
> Any other related response is of course welcome.

I use a postfix check_client_access table that I use as a
whitelist/blacklist before the spamhaus lookup and other anti-spam
checks.

A hash (or even better, cdb) table can grow to millions of entries
before it will place any significant load on postfix, so table size
isn't really a concern.

Since false positives are always a concern, doing the rejects in
postfix lets me see the sender and recipient before the mail is
rejected.

Something like:

# main.cf
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_client_access hash:/etc/postfix/whitelist-blacklist
    ... other anti-spam checks ...


  -- Noel Jones
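
An added example, not part of the original message: a Postfix hash: access table matches IPv4 client addresses on whole-octet boundaries only (a.b.c.d, a.b.c, a.b or a; see access(5)), so a collected list of CIDR ranges has to be expanded before it can go into a table like the one above. The sketch below merges the ranges, expands them into hash-compatible keys, and reports whitelist entries that fall inside a blacklisted range; the function names and the sample ranges (documentation address space) are constructed for illustration, and IPv4 input is assumed.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real listings.
SAMPLE_BLACKLIST = ["198.51.100.0/25", "198.51.100.128/25",
                    "203.0.113.8/30", "192.0.2.0/24"]
SAMPLE_WHITELIST = ["192.0.2.25"]

def octet_keys(net):
    """Yield the whole-octet keys (a, a.b, a.b.c or a.b.c.d) covering net."""
    # Smallest octet-aligned prefix length that is not wider than the network.
    aligned = next(p for p in (8, 16, 24, 32) if p >= net.prefixlen)
    if aligned == net.prefixlen:
        subnets = [net]
    else:
        subnets = net.subnets(new_prefix=aligned)
    for sub in subnets:
        octets = str(sub.network_address).split(".")
        yield ".".join(octets[: aligned // 8])

def build_access_table(blacklist, whitelist):
    """Return (table_lines, conflicts) for a hash: client access table.

    conflicts lists whitelist entries that overlap a blacklisted range, so
    they can be reviewed by hand. Postfix tries the full address first and
    then truncates octets, so a more specific key overrides a wider one.
    """
    # Merging adjacent/overlapping ranges first keeps the table short.
    black = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r, strict=False) for r in blacklist))
    white = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    table = {}
    for net in black:
        for key in octet_keys(net):
            table[key] = "REJECT"
    conflicts = []
    for net in white:
        if any(net.overlaps(b) for b in black):
            conflicts.append(str(net))
        for key in octet_keys(net):
            table[key] = "OK"  # identical key: whitelist wins
    lines = [f"{key}\t{action}" for key, action in sorted(table.items())]
    return lines, conflicts

if __name__ == "__main__":
    lines, conflicts = build_access_table(SAMPLE_BLACKLIST, SAMPLE_WHITELIST)
    print("\n".join(lines))
    print("# review:", ", ".join(conflicts) or "none")
```

The output lines go into the file named in main.cf, which is then compiled with postmap (for example `postmap hash:/etc/postfix/whitelist-blacklist`). Ranges narrower than /24 expand to one key per address, so a list full of small ranges is better served by a cidr: table.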