#21 Ban Spammers on Mail Server

closed
None
5
2006-09-06
2006-09-05
Brian C
No

Spammers attempt to use my mail server to spam and are rejected. It'd be nice if fail2ban could ban them, but I'm not sure I understand the iptables syntax well enough to write my own rules. Fail2ban would monitor /var/log/mail.log and I see two types of spammers, both of which could probably be banned based on matching "Relay access denied".

Here are two examples, one where the IP address is known and one where it is "unknown" but discernible:

Sep 4 23:04:42 localhost postfix/smtpd[9500]: connect from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]
Sep 4 23:04:43 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]: 554 <terekhov.mail@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<terekhov.mail@mtu-net.ru> proto=SMTP helo=<c-68-83-249-184.hsd1.pa.comcast.net>
Sep 4 23:04:44 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]: 554 <phcmagazine@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<phcmagazine@mtu-net.ru> proto=SMTP helo=<c-68-83-249-184.hsd1.pa.comcast.net>
Sep 4 23:04:45 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]: 554 <tucha-bigboss@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<tucha-bigboss@mtu-net.ru> proto=SMTP helo=<c-68-83-249-184.hsd1.pa.comcast.net>
[...snip...]
Sep 4 23:05:01 localhost postfix/smtpd[9500]: too many errors after RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]
Sep 4 23:05:01 localhost postfix/smtpd[9500]: disconnect from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]

AND

Sep 4 23:05:29 localhost postfix/smtpd[9500]: connect from unknown[220.70.217.37]
Sep 4 23:05:31 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from unknown[220.70.217.37]: 554 <terekhov.mail@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<terekhov.mail@mtu-net.ru> proto=SMTP helo=<##.##.##.##>
Sep 4 23:05:32 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from unknown[220.70.217.37]: 554 <yakovlex@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<yakovlex@mtu-net.ru> proto=SMTP helo=<##.##.##.##>
Sep 4 23:05:33 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from unknown[220.70.217.37]: 554 <shnurok.rob@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<shnurok.rob@mtu-net.ru> proto=SMTP helo=<##.##.##.##>
[...snip...]
Sep 4 23:05:53 localhost postfix/smtpd[9500]: too many errors after RCPT from unknown[220.70.217.37]
Sep 4 23:05:53 localhost postfix/smtpd[9500]: disconnect from unknown[220.70.217.37]

Anyone know exactly what I could put in /etc/fail2ban.conf to ban spammers like this? Thanks.

Discussion

  • Giuseppe Iuculano


    Hello,

    Your request is for a Postfix log. My request is for a qmail log
    (RBL).

    In my qmail log there are 2 log entries:

    1)
    Sep 6 07:33:33 HOST qmail: 1157520813.485077 rblsmtpd: 211.33.185.247 pid 19597 sbl-xbl.spamhaus.org: 451 http://www.spamhaus.org/query/bl?ip=211.33.185.247

    2)
    Sep 6 07:18:29 sd6 qmail: 1157519909.633171 qmail-smtpd: 421 badiprbl: ip 200.65.83.30 rbl: 30.83.65.200.combined.njabl.org

    Can you give me a working failregex please?

    Many thanks

     
  • Cyril Jaquier

    Cyril Jaquier - 2006-09-06


    Hi,

    For Postfix:

    failregex = reject: RCPT from (.*)\[(?P<host>\S*)\]: 554

    For qmail:

    failregex = : (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )(?P<host>\S*)

    Thanks to Giuseppe Iuculano for the qmail regex.

     
  • Cyril Jaquier

    Cyril Jaquier - 2006-09-06
    • assigned_to: nobody --> lostcontrol
    • status: open --> closed
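To check that the two failregex lines given in the discussion pick out the right host before they go into the config, here is an added example (it is not from the ticket or from the fail2ban project) that applies them to constructed log lines modelled on the excerpts above and emulates fail2ban's per-host counting up to maxretry. The narrower POSTFIX_RELAY_DENIED pattern, the 192.0.2.5 sample line showing another 554-coded rejection, and the fail2ban-postfix chain name are assumptions added for illustration.

```python
import re
from collections import Counter

# The two failregex patterns from the ticket, used unchanged as Python regexes
# (fail2ban is written in Python, so (?P<host>...) is exactly what it compiles).
POSTFIX_FAILREGEX = r"reject: RCPT from (.*)\[(?P<host>\S*)\]: 554"
QMAIL_FAILREGEX = r": (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )(?P<host>\S*)"

# Assumed narrower Postfix variant (not from the ticket): it requires the literal
# "Relay access denied" text and an IP-shaped host, so other 554-coded RCPT
# rejections (e.g. an RBL "Client host ... blocked" reply) are not counted.
POSTFIX_RELAY_DENIED = (
    r"reject: RCPT from \S+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: 554 "
    r"<[^>]*>: Relay access denied"
)

# Constructed sample lines modelled on the ticket's excerpts; not the original log.
# The 192.0.2.5 line is invented to show what the plain 554 regex also catches.
POSTFIX_SAMPLE = [
    "Sep  4 23:04:42 localhost postfix/smtpd[9500]: connect from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]",
    "Sep  4 23:04:43 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]: 554 <terekhov.mail@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<terekhov.mail@mtu-net.ru> proto=SMTP helo=<c-68-83-249-184.hsd1.pa.comcast.net>",
    "Sep  4 23:04:44 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]: 554 <phcmagazine@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<phcmagazine@mtu-net.ru> proto=SMTP helo=<c-68-83-249-184.hsd1.pa.comcast.net>",
    "Sep  4 23:04:45 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]: 554 <tucha-bigboss@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<tucha-bigboss@mtu-net.ru> proto=SMTP helo=<c-68-83-249-184.hsd1.pa.comcast.net>",
    "Sep  4 23:05:01 localhost postfix/smtpd[9500]: too many errors after RCPT from c-68-83-249-184.hsd1.pa.comcast.net[68.83.249.184]",
    "Sep  4 23:05:31 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from unknown[220.70.217.37]: 554 <terekhov.mail@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<terekhov.mail@mtu-net.ru> proto=SMTP helo=<##.##.##.##>",
    "Sep  4 23:05:32 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from unknown[220.70.217.37]: 554 <yakovlex@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<yakovlex@mtu-net.ru> proto=SMTP helo=<##.##.##.##>",
    "Sep  4 23:05:33 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from unknown[220.70.217.37]: 554 <shnurok.rob@mtu-net.ru>: Relay access denied; from=<audv@ru.ru> to=<shnurok.rob@mtu-net.ru> proto=SMTP helo=<##.##.##.##>",
    "Sep  4 23:06:10 localhost postfix/smtpd[9500]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 554 Service unavailable; Client host [192.0.2.5] blocked using sbl-xbl.spamhaus.org; from=<x@example.com> to=<user@example.net> proto=SMTP helo=<example>",
]

# Constructed qmail lines: the two shapes from the discussion plus one unrelated line.
QMAIL_SAMPLE = [
    "Sep  6 07:33:33 HOST qmail: 1157520813.485077 rblsmtpd: 211.33.185.247 pid 19597 sbl-xbl.spamhaus.org: 451 http://www.spamhaus.org/query/bl?ip=211.33.185.247",
    "Sep  6 07:18:29 sd6 qmail: 1157519909.633171 qmail-smtpd: 421 badiprbl: ip 200.65.83.30 rbl: 30.83.65.200.combined.njabl.org",
    "Sep  6 07:40:00 HOST qmail: 1157521200.000001 status: local 0/10 remote 1/20",
]


def failing_hosts(lines, failregex):
    """Apply a fail2ban-style failregex to every line; return the host of each match."""
    pattern = re.compile(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, failregex, maxretry=3):
    """Emulate fail2ban's counting: a host is banned once it reaches maxretry matches.

    The findtime window is ignored here; all sample lines are treated as recent.
    """
    counts = Counter(failing_hosts(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


def iptables_ban_command(host, chain="fail2ban-postfix"):
    """Shape of the DROP rule fail2ban's iptables action inserts (chain name assumed)."""
    return f"iptables -I {chain} 1 -s {host} -j DROP"


if __name__ == "__main__":
    for name, lines, regex in [
        ("postfix (554)", POSTFIX_SAMPLE, POSTFIX_FAILREGEX),
        ("postfix (relay denied only)", POSTFIX_SAMPLE, POSTFIX_RELAY_DENIED),
        ("qmail (rbl)", QMAIL_SAMPLE, QMAIL_FAILREGEX),
    ]:
        print(name, "matches:", failing_hosts(lines, regex))
        for host in hosts_to_ban(lines, regex):
            print("  ", iptables_ban_command(host))
```

Both Postfix patterns ban the two relaying hosts from the ticket at the default maxretry, but only the plain 554 pattern also counts the RBL-style rejection from 192.0.2.5, which is worth knowing before choosing one; the qmail pattern extracts exactly the two listed IPs and skips the unrelated status line. Newer fail2ban releases ship a fail2ban-regex tool that does the same check against a real log file.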
     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks