Is there a better way to block spammers' IPs than this?

Igor,

Thank you very much for your response. I just realized I did not
email the list for this, so I’m doing this now.

~Wayne

Where do you get your spammer IPs from? Most of the time, the IPs are
spoofed, so there is no point in banning them. You could block them
temporarily, but if someone spoofs his IP with the same IP as the one
used by universities for instance, then you would end up blocking
legit access to your website.

yeah you have to deal with:

  • tor nodes (which do have a lot of legit traffic too)
  • http proxies
  • zombie dsl/cable connections acting as proxies
  • entire countries like china which seem to have an extreme amount of
    spam/abuse…

…etc…

on the smtp level, i do just that.

block china and korea because 90% of the spam we were getting
originated there and we don't do any business with them.

On Mon, 2008-06-16 at 17:31 +0200, Thomas wrote:

Where do you get your spammer IPs from? Most of the time, the IPs are
spoofed,

The IP can’t be spoofed if they intend to send you spam, otherwise
they’d never be able to negotiate the TCP handshake to send you the data
(the server’s side of the handshake would go to the spoofed address
rather than the spammer). IP spoofing only happens in certain types of
DoS and man-in-the-middle attacks and is unrelated to spam (I’m
disregarding trusted networks as I don’t think it applies here).

Spammers can spoof HTTP headers, but those are unreliable in most
cases anyway. The question in this case should probably be “where does
Nginx get remote_addr from?”, which I’m going to venture is from the TCP
socket information, not from client-provided HTTP headers (I’m not aware
of an HTTP 1.1 header that defines a client IP address, except perhaps
proxy headers such as “X-Forwarded-For” or similar, but those are in
addition to the actual connection address).

As someone else pointed out, they might be using a proxy, but if so, I
don’t see the harm in blocking the proxy as they could rightfully be
seen as being a (un)willing collaborator (much like many DNSBLs block
open mail relays).

As far as things like Tor and anonymous proxies… well, I guess that’s
part of the risk you take when you use such things. People have a right
to privacy but the owners of websites also have a right to know who is
using their site. If you use an anonymous proxy you should be aware
that it might impact your experience on the web, including the inability
to view some sites.

Personally, I block IP addresses at the firewall level and use “at” to
unblock them after a reasonable period (usually a week), to allow for
the possibility that a legitimate user might acquire that address and
also to keep my blacklists short. I don’t think maintaining a list of
banned IPs in your Nginx config is going to be maintainable.

Regards,
Cliff
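An added example, not from any poster in this thread, that puts Cliff's two points into code: the address to act on is the one from the TCP socket (nginx's `$remote_addr`), with `X-Forwarded-For` consulted only for the hop appended by a proxy you run yourself, and blocks expire after a week instead of accumulating in the nginx config. Everything here is an assumption for the example: the log lines are constructed, the log format is nginx's "combined" format with `"$http_x_forwarded_for"` appended, `10.0.0.5` is assumed to be your own reverse proxy, and "abuse" is simply more than three `POST /comment` hits.

```python
"""Added example: choose the right address to block from nginx access logs and
keep an expiring blocklist. Not code from the mailing-list thread."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed: the reverse proxy we operate ourselves. Only a hop appended by it is trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
THRESHOLD = 3              # assumed abuse threshold: more than 3 POSTs to /comment
BLOCK_DAYS = 7             # Cliff's "reasonable period (usually a week)"

# nginx "combined" log format with "$http_x_forwarded_for" appended in quotes.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = (
    # direct client hammering the comment form: $remote_addr is what we block
    ['203.0.113.7 - - [16/Jun/2008:17:31:%02d +0200] "POST /comment HTTP/1.1" 200 12 "-" "Mozilla" "-"' % s
     for s in range(4)]
    # same thing via our own proxy; the client also forged an inner "1.2.3.4" hop
    + ['10.0.0.5 - - [16/Jun/2008:17:32:%02d +0200] "POST /comment HTTP/1.1" 200 12 "-" "Mozilla" "1.2.3.4, 198.51.100.9"' % s
       for s in range(4)]
    # ordinary visitor who sent a bogus X-Forwarded-For directly to nginx: header ignored
    + ['192.0.2.20 - - [16/Jun/2008:17:33:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla" "1.2.3.4"']
)


def client_ip(remote_addr, x_forwarded_for):
    """Return the address worth acting on.

    remote_addr comes from the TCP socket, so a client that completed the
    handshake cannot have spoofed it. X-Forwarded-For is client-supplied; the
    only hop we can rely on is the one our own proxy appended, so we walk the
    header from the right and stop at the first address that is not one of ours.
    """
    remote = ipaddress.ip_address(remote_addr)
    if remote not in TRUSTED_PROXIES or not x_forwarded_for or x_forwarded_for == "-":
        return remote
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in a client-controlled header: fall back to the socket address
        if addr not in TRUSTED_PROXIES:
            return addr
    return remote


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": client_ip(m["remote"], m["xff"]),
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
    }


def find_abusers(lines):
    """Addresses with more than THRESHOLD POSTs to /comment, never our own proxies."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/comment":
            hits[rec["ip"]] += 1
    return {ip for ip, n in hits.items() if n > THRESHOLD and ip not in TRUSTED_PROXIES}


class ExpiringBlocklist:
    """Every block carries an expiry, mirroring the at-scheduled unblock."""

    def __init__(self):
        self._until = {}

    def block(self, ip, now):
        self._until[ip] = now + timedelta(days=BLOCK_DAYS)

    def active(self, now):
        """Addresses still blocked at 'now'; expired entries are dropped."""
        self._until = {ip: t for ip, t in self._until.items() if now < t}
        return set(self._until)


def firewall_commands(ip):
    """The shell equivalent of Cliff's approach: drop at the firewall, unblock via at."""
    return [
        "iptables -I INPUT -s %s -j DROP" % ip,
        "echo 'iptables -D INPUT -s %s -j DROP' | at now + %d days" % (ip, BLOCK_DAYS),
    ]


def demo():
    """Run the pipeline over SAMPLE_LOG; returns plain strings for inspection."""
    now = datetime(2008, 6, 16, 18, 0, tzinfo=timezone(timedelta(hours=2)))
    bl = ExpiringBlocklist()
    for ip in find_abusers(SAMPLE_LOG):
        bl.block(ip, now)
    return {
        "blocked_now": sorted(str(ip) for ip in bl.active(now)),
        "blocked_after_8_days": sorted(str(ip) for ip in bl.active(now + timedelta(days=8))),
    }


if __name__ == "__main__":
    for ip in find_abusers(SAMPLE_LOG):
        print("\n".join(firewall_commands(ip)))
    print(demo())
```

The walk from the right end of `X-Forwarded-For` is the part that matters: anything to the left of the first untrusted hop was written by the client and is worth exactly as much as any other spoofed header, which is why `192.0.2.20`'s forged `1.2.3.4` never appears in the result.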