Stopping spam with Postfix
Well, I had some small troubles with spammers on Postfix, and I found some commands to parse the logs and find the user.
Sometimes a user's password is compromised, so we need to search for the users that are sending spam, like this:
zgrep 'sasl_method' /var/log/mail.log* | grep "postfix/smtpd" | awk '{print $9}' | sort | uniq -c | sort -n | tail
which returns:
4342 sasl_username=tania.perez@xxxx.com
20980 sasl_username=veroa@xxxxx.com
Wow, I see that two users logged in a lot of times to the mail server. Those users are sending spam!
Let's check the IPs that were authenticating (save this as a script and pass the sasl_username as the first argument; the sort before uniq -c is needed or identical clients are counted separately):
zgrep "$1" /var/log/mail.log* | grep "postfix/smtpd" | grep -v reject | awk '{print $7}' | sort | uniq -c | sort -n | tail
127 client=unknown[180.249.13.35],
127 client=unknown[5.34.35.160],
127 client=unknown[95.46.242.232],
128 client=ip-46-73-42-28.bb.netbynet.ru[46.73.42.28],
131 client=host-static-89-35-202-29.moldtelecom.md[89.35.202.29],
134 client=unknown[78.175.102.232],
136 client=unknown[124.227.149.62],
137 client=unknown[176.196.97.244],
137 client=unknown[187.4.82.244],
139 client=ip-552f.proline.net.ua[93.126.85.47],
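The two pipelines above depend on fixed awk field numbers ($7 and $9), which break as soon as the log layout shifts. As an added example, not from the original post, here is the same triage rewritten as shell functions that extract the sasl_username and client fields by name with grep -o and awk match(), and that also count how many distinct clients each account authenticated from, since a stolen credential is typically used from many source addresses while a real user logs in from one or two. The log lines are constructed for this example and use documentation address ranges; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post). Postfix smtpd log triage as
# reusable functions; the sample log below is constructed for illustration.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 mx postfix/smtpd[1234]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:01:03 mx postfix/qmgr[999]: 1A2B3C: from=<alice@example.com>, size=2048, nrcpt=40 (queue active)
Mar  3 10:01:09 mx postfix/smtpd[1234]: 1A2B3D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:01:15 mx postfix/smtpd[1235]: 1A2B3E: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:02:40 mx postfix/smtpd[1236]: 1A2B3F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:03:01 mx postfix/smtpd[1237]: 1A2B40: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 10:04:00 mx postfix/smtpd[1238]: 1A2B41: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=alice@example.com
EOF

# Successful SASL authentications per user, ascending: "count username".
# grep -o pulls the field by name, so the column position does not matter.
sasl_auth_counts() {
    grep 'postfix/smtpd' "$1" \
        | grep -o 'sasl_username=[^, ]*' | cut -d= -f2 \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Users whose authentication count reaches the threshold (default 3).
suspicious_users() {
    sasl_auth_counts "$1" | awk -v t="${2:-3}" '$1 >= t {print $2}'
}

# Client hosts that authenticated as exactly the given user, ascending:
# "count client". The awk match() compares the whole username, so
# alice@example.com does not also match alice@example.com.au.
client_ips_for_user() {
    grep 'postfix/smtpd' "$1" | grep -v reject \
        | awk -v u="$2" 'match($0, /sasl_username=[^, ]*/) &&
                         substr($0, RSTART + 14, RLENGTH - 14) == u' \
        | grep -o 'client=[^,]*' | cut -d= -f2 \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Number of distinct client addresses a user authenticated from.
distinct_clients() {
    client_ips_for_user "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo: the same report the post builds by hand.
echo "== authentications per user =="
sasl_auth_counts "$SAMPLE_LOG"
for u in $(suspicious_users "$SAMPLE_LOG" 3); do
    echo "== $u authenticated from $(distinct_clients "$SAMPLE_LOG" "$u") distinct clients =="
    client_ips_for_user "$SAMPLE_LOG" "$u"
done
```

Point the functions at /var/log/mail.log (or a zcat of the rotated files) instead of the sample; the per-user distinct-client count is the figure worth alerting on, because a legitimate user rarely exceeds a handful of source addresses in a day.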
Those IPs are very strange; let's check which country they come from with whois or with geoiplookup:
geoiplookup 93.126.85.47
GeoIP Country Edition: UA, Ukraine
That IP is not from Mexico, so let's ban it with this script (one IP or CIDR block per line in blocked.ips):
#!/bin/bash
IPT=/sbin/iptables
SPAMLIST="spamlist"
SPAMDROPMSG="SPAM LIST DROP"
# read the blocklist, skipping comments and blank lines
BADIPS=$(grep -v -E "^#|^$" blocked.ips)
# create the iptables chain, or flush it if the script already ran once
$IPT -N $SPAMLIST 2>/dev/null || $IPT -F $SPAMLIST
for ipblock in $BADIPS
do
    # log, then drop, every packet from the blocked source
    $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
    $IPT -A $SPAMLIST -s $ipblock -j DROP
done
# send traffic through the chain first; -C avoids inserting duplicate jumps on re-runs
for chain in INPUT OUTPUT FORWARD
do
    $IPT -C $chain -j $SPAMLIST 2>/dev/null || $IPT -I $chain -j $SPAMLIST
done