Which IP do I need to ban scammer email

I got scam email from zcsend.net. This time the sender address is fake one. And I need to use fail2ban to ban it. However, they are many addresses here in the source which one should I ban?

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.elcolie.com
    by mail.elcolie.com with LMTP
    id CQu1FWy08mQ8UwEA83h3bQ
    (envelope-from <[email protected]>)
    for <[email protected]>; Sat, 02 Sep 2023 04:05:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.elcolie.com (Postfix) with ESMTP id 4F41E835F9
    for <[email protected]>; Sat,  2 Sep 2023 04:05:00 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=135.84.81.239; helo=sender-239.fsu3.zcsend.net; envelope-from=bounce_826278108+a.1ffd60557f594e44_gm1@mail18.psnd.zcsend.net; receiver=<UNKNOWN> 
Authentication-Results: mail.elcolie.com; dmarc=none (p=none dis=none) header.from=ahrdigital.com.br
Authentication-Results: mail.elcolie.com;
    dkim=pass (1024-bit key; unprotected) header.d=mail18.psnd.zcsend.net [email protected] header.a=rsa-sha256 header.s=k1 header.b=mfuyyvvw;
    dkim-atps=neutral
Received: from sender-239.fsu3.zcsend.net (sender-239.fsu3.zcsend.net [135.84.81.239])
    by mail.elcolie.com (Postfix) with ESMTPS id 4A931833FE
    for <[email protected]>; Sat,  2 Sep 2023 04:04:59 +0000 (UTC)
Received: from 172.30.236.109 by sender-239.fsu3.zcsend.net
    with SMTP id 169362748867145850; Fri, 01 Sep 2023 21:04:48 -0700
DKIM-Signature: a=rsa-sha256; b=mfuyyvvwcocf77Gr4eWhg010x1Vak0knteAbKgX+PiHKD2TdnhfbGOZHCItAcuEJSjZN2UGRM/dQMzI9WfytdauyhtACpvDVf+uIn6qRmlNkOn140NbFVuYPDUABu1IBCr6wEwXR2pLevy7Zz1vFWUEuRck+70wzVwMjrj7+yvE=; c=simple/simple; s=k1; d=mail18.psnd.zcsend.net; v=1; bh=LMN9EQQS8smfom6q8kw8Y3zjTellj/Oo1rnIjeRT56c=; h=date:from:to:message-id:subject:mime-version:content-type:list-unsubscribe:list-unsubscribe-post:x-csa-complaints;
Date: Fri, 1 Sep 2023 21:04:48 -0700 (PDT)
From: "Parcel Team" <[email protected]>
To: [email protected]
Message-ID: <zcb.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.1ffd60557f594e44.1693627488661@mail18.psnd.zcsend.net>
Subject: =?UTF-8?B?Tm90aWZpY2F0aW9uOsKgIENhc2UgTnVtYmVyICMzMzYxNzI=?=
MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_8830362_773276248.1693627488657"
List-Unsubscribe: <https://vldxa-cmpzourl.maillist-manage.com/ua/optout?od=3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d&rd=1ffd60557f594e44&sd=1ffd60557f57b0ef&n=11699e4c32dbb4c>,<mailto:[email protected]>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-CSA-Complaints: [email protected]
Reply-To: [email protected]
X-JID: 3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.1ffd60557f3f24e4
X-campaignid: zohocampaigns.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.zcb.1ffd60557f594e44.11699e4c32dbb4c
X-Zoho-RID: zohocampaigns.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.zcb.1ffd60557f594e44.11699e4c32dbb4c
X-Report-Abuse: <Please send a copy of this message along with header to abuse+3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d_zcb_1ffd60557f594e44@zohocampaigns.com>, <https://vldxa-cmpzourl.maillist-manage.com/campaigns/ReportAbuse.zc?od=3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d&rd=1ffd60557f594e44&sd=1ffd60557f57b0ef&n=11699e4c32dbb4c>

------=_Part_8830362_773276248.1693627488657
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I replace my real email address with [email protected]

Since my email server is using https://github.com/docker-mailserver/docker-mailserver I simply run docker exec 2834fea5aa2e setup fail2ban ban 135.84.81.239

Questions:

1. Am I correct?
2. Am I missing any concern?

Blacklisting a single Zoho server won't really do much. They've got a few more.

If you want to ban their servers in total, do it by host domain zcsend.net or by envelope FROM @(.*).psnd.zcsend.net>.

If you don't want to ban them entirely, all you've got left is a complaint.

Of course, you could also try filtering by header FROM but that is just too easily spoofed.

Fail2Ban is not designed for this

Why would you need to use Fail2Ban? Fail2Ban(1) is not for blocking spam, but...

a set of server and client programs to limit brute force authentication attempts.

DNS Real-time blackhole lists (RBL)

The IP address in the example, 135.84.81.239, is currently blacklisted in real-time blackhole lists (RBL):

• SpamCop Blocking List (bl.spamcop.net)
• JunkEmailFilter.com's HostKarma (hostkarma.junkemailfilter.com)

Instead of blocking individual IP addresses every time a spam gets through, you could utilize some external services that are already doing that in scale. In addition, most of them will remove the listing when the problem has been resolved.

There are many RBL providers having different kind of listings. You should analyse which of these lists are suitable for your needs. E.g.,

• Spamhaus
• blocklist.de
• SpamEatingMonkey
• SORBS (Spam and Open Relay Blocking System)
• Barracuda
• dan.me.uk (specialized in blocking Tor nodes)

Configuring RBLs in Postfix

Your headers show you are using Postfix. You can configure, e.g., SpamCop in your main.cf by adding a reject_rbl_client in smtpd_recipient_restrictions where it will be evaluated after full HELO, MAIL FROM & RCPT TO.

smtpd_recipient_restrictions =
    . . .
    reject_rbl_client bl.spamcop.net,
    . . .
    permit