When I naively published my safe IP address blocking list, I didn't realize that what's safe for me might not be safe for you. In line with my article on anti-spam techniques that work, I'm still going to give you a basis for building your own.
The first thing you need to do is to put these lines at the top of your .htaccess file:
<Files *>
order deny,allow

</Files>
Once you've done that, you only need to consider the blank line I left above. You will fill it with your own deny rules, like this:
deny from 123.456.0.0/16
deny from 123.567.15.0/24
Those are not real IP address CIDRs. Anyway, you can put each on a single line or you can put multiple CIDRs on one line, separated by a space – don't repeat the "deny from" part if you're putting multiple CIDRs on a line.
I have found looking up IP ranges and CIDRs to be a bit of a bother. Nevertheless, it's the only way to know exactly what you're blocking. Here is the APNIC URL I use for everything: http://wq.apnic.net/apnic-bin/whois.pl
If an IP address won't resolve at APNIC (which is for Asia), you can try:
http://whois.arin.net/ui (for North America)
http://lacnic.net/cgi-bin/lacnic/whois?lg=EN (for Latin America/South America)
http://www.db.ripe.net/whois (for Europe)
I find that even some of the North American IP addresses will be listed on APNIC, so I always check that first. If you need to convert a range to a CIDR, the IP to CIDR tool does the trick. I have a lot of conversions memorized, so I rarely need it.
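As an added example (not part of the original post), this Python script converts whois ranges to CIDRs with the standard ipaddress module, merges adjacent blocks, and writes them several per line inside the <Files *> block. The sample ranges are constructed from the RFC 5737 documentation blocks; the function names and the never_block safety check are assumptions of this example.

```python
import ipaddress

def range_to_cidrs(start, end):
    """Smallest set of CIDR blocks covering exactly start..end (a whois range)."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return list(ipaddress.summarize_address_range(first, last))

def build_htaccess(ranges, never_block=(), per_line=4):
    """Turn whois ranges into the <Files *> block.

    never_block (hypothetical helper argument) lists addresses you must keep
    reachable, e.g. your own; the build fails if a deny rule would cover one.
    """
    nets = []
    for start, end in ranges:
        nets.extend(range_to_cidrs(start, end))
    # Merge adjacent or overlapping blocks so the file stays short.
    nets = list(ipaddress.collapse_addresses(nets))
    for addr in never_block:
        ip = ipaddress.ip_address(addr)
        hit = [n for n in nets if ip in n]
        if hit:
            raise ValueError(f"{addr} would be blocked by {hit[0]}")
    lines = ["<Files *>", "order deny,allow"]
    # Several CIDRs per line, with "deny from" written once per line.
    for i in range(0, len(nets), per_line):
        chunk = " ".join(str(n) for n in nets[i:i + per_line])
        lines.append(f"deny from {chunk}")
    lines.append("</Files>")
    return "\n".join(lines)

# Constructed sample ranges (RFC 5737 documentation addresses, not real hosts).
SAMPLE_RANGES = [
    ("192.0.2.0", "192.0.2.255"),        # exactly one /24
    ("198.51.100.16", "198.51.100.47"),  # unaligned: needs two /28 blocks
    ("203.0.113.0", "203.0.113.127"),
    ("203.0.113.128", "203.0.113.255"),  # adjacent to the previous: merges to /24
]

if __name__ == "__main__":
    print(build_htaccess(SAMPLE_RANGES, never_block=["198.51.100.200"]))
```
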
The best approach is to ignore dynamic IP addresses, like those that come from residential customers (like Cox, Comcast, Verizon, etc.). Even if they have a static IP address identified, it may be a mobile number which changes on every connection. Try to limit your CIDRs to server IP address ranges because that's where the majority of the spam comes from these days.