I have a spambot that likes to spam my websites. I mailed to abuse@isp, but he ignored me.
Attacks always come from the same ip, and i used IISIP to add the spammer IP to all of my websites.
I am wondering, since i am using a linux box with shorewall as a firewall... maybe is better to filter at that level?
Which one has better performance with a list that might grow and become huge? IIS giving a 403 page to the spammers, or shorewall dropping the connections?
If you are getting a lot of traffic from these spambots, then you are best to drop them at the firewall. Dropping at IIS means putting extra load on your web server (even if it is just serving 403 pages) and if it gets heavy then it could affect the performance for real users of your sites.
I'm not intimately familiar with Shorewall but I would also expect it is probably more efficient at this filtering than IIS will be.
Shorewall dropping is the best I guess. If you can get the IP addresses of these spammers you can dynamically block them with the command "shorewall drop/reject ipaddress'. You may even write a script which can do this in real time.
I agree with Sam. It's best to stop them at the perimiter of your network (at the firewall). Think of it like your office building or your home. Do you want to let the rogue into your office and hope that you've got everything inside secured and hope that you haven't forgotten or missed something or would you rather stop them at the door so that they can't get in at all?