era eriksson wrote:
> [snip]
> What I've been doing is to look at the first non-local IP address and
> dump anything from hosts in the range 202.90.xxx.yyy to
> 202.199.xxx.yyy (actually I think 202.96-110 are the ones to look out
> for, but the too-wide coverage hasn't been problematic, yet); here is
> the recipe for that:
>
> # My own little blacklist
> :0
> * RBLIP ?? [0-9]
> * ? echo "$RBLIP" | grep -f $HOME/procmail/ip-block.txt
> { REJECT="$REJECT${REJECT:+$NL}${REJ}IP blocked in ip-block.txt: $RBLIP" }
>
> where the file $HOME/procmail/ip-block.txt contains the following:
>
> 202\.9[0-9]\.[0-9]*\.
> 202\.1[0-9][0-9]\.[0-9]*\.
>
> As for how to set RBLIP to the first non-local IP address, I again
> refer you back to the earlier threads about this. Look for "Dnes"; I
> think Walter has been posting to or referred to in all relevant
> threads. (They may not all be about Chinese spam.)
I've been taking a *much* simpler approach; no false positives yet:
:0
* ^Received:.*202\.(10|9)[0-9]\.[0-9]+\.[0-9]
spams.asia
I see no advantage in trying to fish out only the last "enemy IP"
in the Received: headers; if it's in any of them, it's either forged
or it went that route, and in either case it should be spam. Note I'm
only doing 202.90 through 202.109; the only one where the most
recent non-local IP was outside that range (202.130.3.9)
also contained 202.106.175.27 in another Received:, so the above got it.
(Yes, I know that if someone remails one (elm's "bounce") to me,
this will catch it... but that's only likely to happen and interest
me, if I ask someone to do that.)
Cheers,
Stan
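The difference between the two recipes above (era's "first non-local IP" test versus Stan's "any Received: line" test), worked through as an added example in Python that is not from either poster. The sample headers are constructed to reproduce the case Stan mentions, and the private-address list used to decide what counts as "local" is an assumption:

```python
import ipaddress
import re

# Constructed sample headers, newest hop first, modelled on the case Stan
# describes: the most recent non-local hop is 202.130.3.9, while an
# earlier hop in the chain is 202.106.175.27.
SAMPLE_HEADERS = [
    "Received: from gw.example.net (gw.example.net [192.168.1.5]) by localhost",
    "Received: from unknown (HELO relay) ([202.130.3.9]) by gw.example.net",
    "Received: from origin ([202.106.175.27]) by relay",
]

# Assumed definition of "local": RFC 1918 space plus loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Stan's range test (202.90.x.x through 202.109.x.x), taken from his recipe.
RANGE_RE = re.compile(r"202\.(10|9)[0-9]\.[0-9]+\.[0-9]")
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_ips(headers):
    """All IPv4 literals found in Received: lines, in header order (newest first)."""
    ips = []
    for line in headers:
        if not line.startswith("Received:"):
            continue
        for m in IP_RE.finditer(line):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # not a valid dotted quad, ignore
    return ips


def first_nonlocal_ip(headers):
    """era's RBLIP: the most recent Received: IP that is not in a local net."""
    for ip in received_ips(headers):
        if not any(ip in net for net in LOCAL_NETS):
            return str(ip)
    return None


def in_range(ip):
    """True if the dotted quad falls in Stan's 202.90-202.109 regex."""
    return RANGE_RE.match(ip) is not None


def era_rule(headers):
    """Reject only if the first non-local hop is in the blocked range."""
    ip = first_nonlocal_ip(headers)
    return ip is not None and in_range(ip)


def stan_rule(headers):
    """Reject if any Received: hop at all is in the blocked range."""
    return any(in_range(str(ip)) for ip in received_ips(headers))
```

On the constructed headers, era_rule() lets the message through (202.130.3.9 is outside the range) while stan_rule() catches it via the earlier 202.106.175.27 hop, which is exactly the case Stan describes.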