There's a guy who's been sending me hundreds of e-mails - it looks like he's infected with W32.Mytob.H@mm. I don't know who this person is, all I have is the IP address the e-mails are coming from.

What's the best way to block these e-mails automatically? With APF? With exim?

I'm not sure what is better to use between a ban in exim or a ban in apf.

A ban in exim means he will still connect to your server everytime he wants to send the mail, but exim will block it... That means exim will have to work to block it and use ressource...

I do recommend ( but i'm not a pro ) to use apf...
i think using the deny_hosts.rules file for your apf config is the best. Just add the IP at the end of the file...
Don't forget to restart apf...

I'm not sure what is better to use between a ban in exim or a ban in apf.

A ban in exim means he will still connect to your server everytime he wants to send the mail, but exim will block it... That means exim will have to work to block it and use ressource...

I do recommend ( but i'm not a pro ) to use apf...
i think using the deny_hosts.rules file for your apf config is the best. Just add the IP at the end of the file...
Don't forget to restart apf...

I blocked it using apf. Thanks for the info.

Can anyone point me in the right direction to do this please?

Many thanks.

You can edit the /etc/apf/deny_hosts.rules file via SSH to include the IP you want to block.

Make sure to list only one IP per line. Anything that has a "#" at the start of it is a comment and is there only for documentation purposes for you. So while it can be helpful to add a line to describe why the IP is there, it's not required.

Thanks very much indeed Robert.

Best regards.

Hi,

Instead of editing the /etc/apf/deny_hosts.rules file and restarting APF. You should do this:

/etc/apf/apf -d xxx.xxx.xxx.xxx {comment}

in a terminal window. Example:

/etc/apf/apf -d 123.456.789.123 {ADMIN: email flood}

This will deny all connection to the listed IP and put a comment in the rules file so you know why it is in there. If you are using BFD to auto block offending hosts you should clear this file monthly or quarterly.

Mike