Since many attacks (mostly SSH bruteforce), mail and blog spam is comming from servers located in China and Korea, filtering the traffic from these countries is not such a bad idea. Some time ago, while reading about OpenBSD’s spamd, I’ve learned about this site where you can find the list of the network prefixes which are used in China and Korea. With a simple shell script (name it 500.get-china-korea-cidr) you can get the list of IP’s and format it for including in OpenBSD’s pf:

#!/bin/sh


if [ ! -d /etc/pf_rules ]
mkdir /etc/pf_rules
else
/usr/bin/fetch http://www.okean.com/sinokoreacidr.txt
cat sinokoreacidr.txt | cut -d ' ' -f 1 > /etc/pf_rules/china_and_korea.cidr

Put this script in /etc/periodic/weekly and make it executable (chmod +x /etc/periodic/weekly/500.get-china-korea-cidr).

Then you should enter the following rules in your /etc/pf.conf file:

table <blog_spammers> persist file "/etc/pf_rules/china_and_korea.cidr"

block in on $ext_if from <blog_spammers> to any

So now the script will update list of CIDR network prefixes weekly and pf will filter all the traffic comming from the network prefixes located in /etc/pf_rules/china_and_korea.cidr. If you don’t want to filter all the traffic from those netblocks, just write a selective filter rule instead of the one I’ve wrote here. Also, if you want to filter just the network prefixes which are known to be used by spammers for a long time, you can use the CIDR network prefix list from SPEWS.