I'm trying to block my ISP from scanning port 25 and seeing a SMTP mail
server using my Win2K SP4 server's IPSEC policies.

I suspect they scan using an IP address in the following address range:
205.152.0.0 - 205.152.255.255 (CIDR=205.152.0.0/16)
( see http://ws.arin.net/whois/?queryinput=205.152.0.0 )

When I try to enter in this subnet, as IP=205.152.0.0, mask=255.255.0.0, in
the IPSec Policy editor's rule/IP filter list/filter properties, I get an
error:
"This is an invalid mask for the specified IP address."

How do I pull this off for Class B ranges above 192.0.0.0?