I’ve decided to move all my IP-address blocking out of the web- and mail-server software and put it straight at the front door, at router or kernel level, using the famous netfilter software iptables. Here’s the part of my firewall script that does it:
# SORRYDB holds the path to the blocklist: one IP address or CIDR per line, lines starting with "#" are comments
IPS=$(grep -Ev "^#" "$SORRYDB")
for i in $IPS; do
  iptables -A INPUT -s "$i" -j DROP    # nothing in from that address
  iptables -A OUTPUT -d "$i" -j DROP   # and nothing out to it either
done
You can copy-paste this into other iptables scripts you might already be using, like this example, or this one. Since iptables walks a chain in order, just be sure it sits early enough in the rest of your firewalling that no earlier ACCEPT rule matches first (above all other drop rules is usually OK).
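As an added example (not code from the original post), here is the same idea written as a small POSIX sh script that handles two things the snippet above leaves to the reader: the blocklist file is parsed a bit more defensively (inline comments, blank lines, malformed entries and duplicates are skipped), and the rules go into a dedicated chain that is rebuilt on every run instead of being appended to INPUT and OUTPUT again each time the script runs. The file format, the chain name SORRYDB, the IPT variable and the TEST-NET sample addresses are my assumptions, not the author's setup.

```shell
#!/bin/sh
# Added example: rebuild a dedicated iptables blocklist chain from a text file.
# Assumed file format: one IPv4 address or IPv4 CIDR per line, "#" starts a
# comment (whole-line or inline), blank lines are ignored.
# Set IPT=echo to preview the iptables commands instead of applying them.

IPT="${IPT:-iptables}"        # the command that receives the rules
CHAIN="${CHAIN:-SORRYDB}"     # chain name is an assumption for this example

# Constructed sample blocklist (RFC 5737 TEST-NET addresses, not a real list).
sample_blocklist() {
    cat <<'EOF'
# addresses I never want to hear from again
203.0.113.7
198.51.100.0/24      # a whole range
203.0.113.7          # duplicate, must produce one rule only
300.1.2.3            # invalid octet, skipped
192.0.2.9/33         # invalid prefix length, skipped
not-an-address
192.0.2.9
EOF
}

# Read a blocklist on stdin and print the usable entries, one per line:
# strip comments and surrounding whitespace, keep only syntactically valid
# IPv4 addresses or CIDRs (octets <= 255, prefix <= 32), drop duplicates.
blocklist_entries() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F'[./]' '
        NF != 4 && NF != 5 { next }              # want a.b.c.d or a.b.c.d/n
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) next
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) next
            if (!seen[$0]++) print               # first occurrence only
        }'
}

# Rebuild the blocklist chain from the file given as $1 and make sure INPUT
# and OUTPUT jump to it first, so it is consulted before any ACCEPT rule.
apply_blocklist() {
    $IPT -N "$CHAIN" 2>/dev/null || true   # create the chain if it is new
    $IPT -F "$CHAIN"                       # empty it, old entries disappear
    blocklist_entries < "$1" | while read -r ip; do
        $IPT -A "$CHAIN" -s "$ip" -j DROP  # nothing in from the address
        $IPT -A "$CHAIN" -d "$ip" -j DROP  # nothing out to it either
    done
    # -C checks whether the jump already exists; -I ... 1 puts it at the top.
    for hook in INPUT OUTPUT; do
        $IPT -C "$hook" -j "$CHAIN" 2>/dev/null || $IPT -I "$hook" 1 -j "$CHAIN"
    done
}

# Usage: IPT=echo sh blocklist.sh /path/to/sorrydb.txt   (dry run, prints rules)
#        sh blocklist.sh /path/to/sorrydb.txt            (as root, applies them)
[ $# -ge 1 ] && apply_blocklist "$1"
```

One chain is jumped to from both INPUT and OUTPUT, so each entry yields a `-s` and a `-d` rule in it; the `-s` rule simply never matches outbound traffic and vice versa. Because the chain is flushed and refilled, running the script after editing the list replaces the old rules rather than stacking a second copy of every address on top of the first. In a dry run with IPT=echo the `-C` check "succeeds", so the two `-I` lines are not shown; everything else is printed exactly as it would be applied.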
As a result I now have a specialized IP-blocklist that I maintain for the server you’re loading this page from right now. It contains the addresses of net-users I don’t want spamming here, or even looking around and wasting valuable server resources.