A few months ago, I was in the unenviable position of receiving twenty or thirty SPAMs a day. I had registered a few domain names, and had gone to some public sites for tech support -- and somehow, my e-mail addresses had been harvested and sold over and over again on those million-address CDs you often get e-mail about.
Now, I'm sort of an anal guy -- if someone does me dirty (like spamming me), I like nothing better than notching my keyboard to record an ISP shutdown. While the SPAM was coming from the US and Canada, I was notching my keyboard so often that it hurt to type. But then the sitch changed -- the SPAM started coming from Israel, China, Central America, Italy, Portugal.
I complained to their ISPs, but to no avail. The ISPs in these places couldn't care less.
Now, my solution is not for the faint-hearted -- you have to be prepared to not receive e-mail from entire countries! For example, I can no longer receive e-mail from any of the places listed above. In addition, you cannot have your e-mail server configured to route undeliverable e-mail to postmaster at your site. The reason for this is that spammers use every part of their victim -- when my domains began denying access to the spammers' e-mail servers, the spammers decided that my servers were not on the network any more -- and hence were a valid sink for the bounce messages which would invariably result from a list with substantial numbers of bad e-mail addresses. Hence, my e-mail server suddenly started getting bounce messages from mail servers in the United States who had received the SPAM, determined that the recipient was nonexistent, and were politely sending an "unable to deliver" message back to the purported sender -- always a fictitious e-mail address in one of my domains. I got a couple hundred of these before I figured out what was going on and restricted mail delivery only to valid addresses on my system (the rest get politely rejected).
So, to cut to the chase:
# /etc/sysconfig/iptables
# all rules for the WAN (Internet) go here
# the WAN is eth1
:WANINPUT - [0:0]
# rules for accessing SMTP from the WAN go here
:SMTP - [0:0]
# short rule chain for logging and then accepting
:LOGACCEPT - [0:0]
...
#
-A INPUT -i eth1 -j WANINPUT
#
-A WANINPUT -p tcp -m tcp --dport 25 --syn -j SMTP
...
# these should be DROP but we are behind a NAT firewall
# where DROP could be used for a DOS attack
-A SMTP -s 61.0.0.0/8 -j REJECT
-A SMTP -s 202.0.0.0/7 -j REJECT
-A SMTP -s 210.0.0.0/7 -j REJECT
-A SMTP -s 62.0.0.0/8 -j REJECT
-A SMTP -s 195.3.0.0/16 -j REJECT
-A SMTP -s 195.70.32.0/24 -j REJECT
-A SMTP -s 217.0.0.0/8 -j REJECT
-A SMTP -s 80.0.0.0/8 -j REJECT
-A SMTP -s 218.0.0.0/8 -j REJECT
-A SMTP -s 213.0.0.0/8 -j REJECT
-A SMTP -j LOGACCEPT
#
-A LOGACCEPT -j LOG
-A LOGACCEPT -j ACCEPT
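To check what the SMTP chain above does with a given sender before loading it, here is an added Python model (not part of the original post or the author's setup) that walks the SMTP and LOGACCEPT chains with iptables' first-match semantics. It assumes the packet has already been steered into SMTP, i.e. a TCP SYN to port 25 arriving on eth1, and only models the -s match; the /7 entries cover two /8s each (202-203 and 210-211).

```python
import ipaddress

# The SMTP and LOGACCEPT chains from the post, in order (copied from the config shown there).
SMTP_RULES = """
-A SMTP -s 61.0.0.0/8 -j REJECT
-A SMTP -s 202.0.0.0/7 -j REJECT
-A SMTP -s 210.0.0.0/7 -j REJECT
-A SMTP -s 62.0.0.0/8 -j REJECT
-A SMTP -s 195.3.0.0/16 -j REJECT
-A SMTP -s 195.70.32.0/24 -j REJECT
-A SMTP -s 217.0.0.0/8 -j REJECT
-A SMTP -s 80.0.0.0/8 -j REJECT
-A SMTP -s 218.0.0.0/8 -j REJECT
-A SMTP -s 213.0.0.0/8 -j REJECT
-A SMTP -j LOGACCEPT
-A LOGACCEPT -j LOG
-A LOGACCEPT -j ACCEPT
"""

def parse_rules(text):
    """Group '-A CHAIN [-s CIDR] -j TARGET' lines by chain; only the -s match is modelled."""
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            t = line.split()
            src = ipaddress.ip_network(t[t.index("-s") + 1]) if "-s" in t else None
            chains.setdefault(t[1], []).append((src, t[t.index("-j") + 1]))
    return chains

def verdict(chains, chain, src, log):
    """First-match walk: LOG is non-terminating; a user chain that reaches its end
    without a verdict returns to the caller, as iptables does."""
    ip = ipaddress.ip_address(src)
    for net, target in chains.get(chain, []):
        if net is not None and ip not in net:
            continue
        if target == "LOG":
            log.append(f"SMTP SYN from {src}")   # stands in for the kernel log line
            continue
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
        sub = verdict(chains, target, src, log)  # jump into a user-defined chain
        if sub is not None:
            return sub
    return None  # fell off the chain: caller continues (or the chain policy applies)

def smtp_verdict(src):
    """Verdict and log lines for a port-25 SYN from src, e.g. ('REJECT', []) or ('ACCEPT', [...])."""
    log = []
    return verdict(parse_rules(SMTP_RULES), "SMTP", src, log), log
```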