> Does this process have to be so complicated? Is there no easier way to
> block offending IP addresses using iptables?
So, first off, everybody's mail logs are loaded with spammers' failed attempts to send us mail. I consider it a badge of honor to have so many bozos turned down! However, as to the question, I've found that when I do need to block certain subsets of the Internet from connecting to my server, I get better mileage by adding entire subnets than doing it piecemeal. I look for patterns in the IP addresses that are causing me pain, then I do a whois on their IP address and get the subnet. I block the whole thing. After a few of those, I find that my bad traffic has subsided quite a bit. I ended up scaling way back on what I was blocking, though. The bad traffic was not really affecting my server's performance. I just grep the logs for the good stuff and ignore all the log entries that are postscreen doing its thing. I've got about 25MB of mail logs going back for a month, uncompressed. It's not worth it to stress out about the extra log entries to me. I just search for what I need and call it a day.
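The workflow described above (find the noisy clients in the mail log, whois the worst one for its registry network, drop the whole block) as a small POSIX shell script. This is an added example for the thread, not the poster's own script. It assumes Postfix-style log lines with the client IP in square brackets, whois(1) output that carries a "CIDR:" (ARIN) or "route:" (RIPE) line, and iptables with the usual INPUT chain; the log lines and the whois answer embedded below are constructed for the example, and with the default DRY_RUN=1 / OFFLINE=1 settings it only prints the rule it would add.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions:
#  - Postfix-style log lines with the client IP in square brackets
#  - whois(1) output containing a "CIDR:" (ARIN) or "route:" (RIPE) line
#  - iptables with an INPUT chain; DRY_RUN=1 (default) only prints the rule
# All sample data below is constructed for the example.

# Constructed sample of a Postfix log with postscreen/smtpd rejects.
SAMPLE_LOG='Jan 10 03:14:01 mx postfix/postscreen[1201]: NOQUEUE: reject: RCPT from [203.0.113.17]:51234: 550 5.7.1 Service unavailable
Jan 10 03:14:05 mx postfix/postscreen[1201]: NOQUEUE: reject: RCPT from [203.0.113.44]:52001: 550 5.7.1 Service unavailable
Jan 10 03:15:10 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Client host rejected
Jan 10 03:16:42 mx postfix/postscreen[1201]: NOQUEUE: reject: RCPT from [203.0.113.17]:53110: 550 5.7.1 Service unavailable
Jan 10 03:17:00 mx postfix/smtpd[1300]: 7A1B2C3D4E: client=mail.example.org[192.0.2.10]'

# Constructed whois answer for the noisiest client (not a real registry record).
SAMPLE_WHOIS='NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-1'

# Count rejected client IPs read from stdin, most frequent first: "<count> <ip>".
reject_counts() {
    awk '/NOQUEUE: reject:/ && match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# The single most frequent rejected IP in the sample log.
top_offender() {
    printf '%s\n' "$SAMPLE_LOG" | reject_counts | head -n 1 | awk '{ print $2 }'
}

# First network from whois output on stdin. ARIN prints "CIDR:", RIPE prints
# "route:"; a trailing comma appears when ARIN lists several blocks.
whois_to_cidr() {
    awk '/^(CIDR|route):/ { sub(/,$/, "", $2); print $2; exit }'
}

# Resolve an IP to its registry network. With OFFLINE=1 (default) the
# constructed sample stands in for whois(1) so the script runs without network.
lookup_cidr() {
    if [ "${OFFLINE:-1}" = 1 ]; then
        printf '%s\n' "$SAMPLE_WHOIS"
    else
        whois "$1"
    fi | whois_to_cidr
}

# Drop everything from the whole network. DRY_RUN=1 (default) prints the
# command instead of running it; DRY_RUN=0 needs root.
block_subnet() {
    cidr=$1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables -I INPUT -s %s -j DROP\n' "$cidr"
    else
        iptables -I INPUT -s "$cidr" -j DROP
    fi
}

# Whole pipeline: noisiest client -> registry network -> one rule for the block.
rule_for_top_offender() {
    ip=$(top_offender)
    cidr=$(lookup_cidr "$ip")
    block_subnet "$cidr"
}

# Usage: sh block_offenders.sh   (DRY_RUN=0 OFFLINE=0 to look up and apply for real)
rule_for_top_offender
```

The script inserts the rule at the head of INPUT so it wins over any later ACCEPT; if you adopt it, check the size of the network whois hands back before applying the rule, since a "route:" line can cover far more than the handful of hosts that showed up in the log.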