I been playing with finding a way to reduce spam. I am debian user who has a ispconfig setup and noticed fail2ban has added some support for email but nothing to deal with "rejected: User unknown in local recipient table" messages Now I am not a expert. But one thing I know is security usualy causes lotsa problems when you try to go the extra mile. so I thought I would run it by some of you before I actualy sit down and start running it .. i will run it on one domain first to see if it makes a diffrence. I am unsure if it will effect email forwards though? anyones thoughts here is the filter I found on the net showing a 554 error from mail log here is what I am wanting to do with it is form it to block 550 errors and I could use some help so before I start losing mail and screw things up what do you think?! now I figure from my logs it looks like they try like 4-5 times.. how many ligit ones get through 4 5 mistakes and even if they do a delay is no big deal is it? not sure what I am talking about. then take a look at some of these from my mail.log these evil name harvesting bots eating up cpu time, memory and bandwidth. we can go on all day how bad spam is. ever little bit will helf x 10 fold So I am crying for some tips here!
i got rid of those with fail2ban. simply copy jail.conf to jail.local cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local edit jail.local enable: [postix] [courierauth] [sasl] and if you want you can enable [couriersmtp] and if you need [apache] [ssh] [proftpd] i didnt create custom filter and stuff ... used default values and it works. set retry to 3 times and you can set seconds as much as you want. Used Ubuntu 8.04 and after last update I hope fail2ban will work after restart and if not after restart of server: uninstall fail2ban install fail2ban on ubuntu: apt-get purge fail2ban apt-get install fail2ban to confirm that it is running: /etc/init.d/fail2ban restart no need to edit jail.local since file will not be deleted on uninstall.
so far so good I think its working I am running the new Debian (Lenny) apt-get install fail2ban and edit and add filter All I did was edit the stock file and add in additional jail. here is what I did in my jail.conf file. You can note the regular psotfix entry above mine. I just copied that one and added my name and retrys to 3 (make sure you enable) I called it postfix-spamers550 sorta wanted a name that represents it best. It will refine over time then I copied the regular postfix filter in the directory and resaved it as here it is Nice and simple then I restarted everything now I have one domain that gets hit like crazy and I moved it over to this test server and have had it running for at least a hour now and traffic has slowed down.. i mean I can actualy cat the mail.log |tail end of it and it does not move like it did I am still worried that therre is something I am not thinking of that blocking after 3 tries is gunna cause
Thank you Im blocking similar atack using ssh jail, i will add this on my mandriva servers, thank you for your time. Guys du u using pernament or temp blocking? I use pernament and my host.deny is quite large can be this integrated into DB (Mysql or Pg) ?
Testing fail2ban recepie Hi all, i set this rule to fail2ban and modified failregex for some smtp codes, recepie is from fail2ban wiki page. 550 relayng 450 mailbox isnt on server 554 relayng transaction now i testing this in my env. Code: failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1 reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
Can I do this in one file. I was not sure so I did a seperate file I know one thing is for sure . just doing 554 and 550 is working sooo nice. My traffic has slowed down large!. Now I only do this temp 50 mins or so.. i noticed in my logs I was getting alot of already banned. Maybe thats why you run yours permently? Hows that working out for you. do you get more hits that way. How are the complaints .. Have you lost anymail.. I was thinking of upping the temp time to say a full day beyond that I fear eventualy it could be a ligit email. I have mine testing on a test server I moved over some light traffic domains. One company gets alot of international stuff If the ipaddress or fake spoofs are common I figure they make it to the lists but if they are tottaly fake random generated info then I could one day miss a important email that would make someone mad .. Overall the fail2ban with what I did is making a huge diffrence.
very nice On my testing server (my whole domain ) all work very good now, i dont have strong internet connection, testing server is on ADSL, before this rule i see slow trafic, but now is faster, from morning when i apply rule i have 4 ip banned from postfix rule i made some info modification, whois for domain nothing special, same i have for ssh. Code: [postfix-tcpwrapper] enabled = true port = smtp,ssmtp filter = postfix action = hostsdeny mail-whois[name=Postfix, [email protected]] filter = postfix logpath = /var/log/mail/info.log This rule is mandriva specific, timeouts banntime atd. is defined globaly.
as you can see roughly its banning alot of traffic that normaly hits me hard .. always seems like 20 bots are hitting me at once .. now they are being stopped after a few tries. and as you can see on the already banned msgs that having it longer then 10 mins (the default ) is pretty important. I am watching it closly. I added more domains to this today so I am watching randomly greping to see if it looks ligit or not .. Anyone know how long I could hold the data .. I don't want to hold forever just at most a day or so but I also don't want to crash fail2ban might not be ment for it.. i will have to do some more reading on this wounderful tool
