Hi guys, I get this string from the mail logs and it seems to me that something sent a message to *@qq.com, is what I said correct?

Code:
Feb 14 13:47:09 mailserver amavis[25685]: (25685-20) Passed CLEAN, [59.50.129.210] [59.50.129.210] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, Message-ID: <126D8A9B611E75959AB7D203882778D9@uc>, mail_id: RzYVR7GFFqxh, Hits: 1.546, size: 8319, queued_as: 7389BA23B1, 753 ms

thanks
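
An amavis summary line like the one in the post above carries the connecting client IP in brackets, then the envelope sender, then the recipients after `->`. As an added example (not part of the original thread), this Python code parses such lines and reports client IPs whose passed mail went to many addresses in one domain; the sample lines, addresses and the `min_rcpts` threshold are constructed assumptions.

```python
import re
from collections import Counter

# amavis summary: "<verdict> <category>, [client IP] [origin IP] <sender> -> <rcpt>,<rcpt>,..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \([\w-]+\) (?P<verdict>Passed|Blocked) (?P<category>[\w-]+)[^\[]*"
    r"\[(?P<client>[^\]]+)\](?: \[[^\]]+\])? "
    r"<(?P<sender>[^>]*)> -> (?P<rcpts>(?:<[^>]*>,?)+)"
)

def parse_amavis(line):
    """Return the fields of one amavis summary line, or None for any other line."""
    m = AMAVIS_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rcpts"] = re.findall(r"<([^>]*)>", m["rcpts"])
    return rec

def bulk_relays(lines, min_rcpts=5):
    """Map client IP -> Counter(recipient domain -> count) for clients whose
    passed mail reached min_rcpts or more addresses in a single domain."""
    per_client = {}
    for line in lines:
        rec = parse_amavis(line)
        if rec is None or rec["verdict"] != "Passed":
            continue  # blocked mail was not relayed, so it is not counted
        domains = per_client.setdefault(rec["client"], Counter())
        for rcpt in rec["rcpts"]:
            domains[rcpt.rpartition("@")[2].lower()] += 1
    return {ip: c for ip, c in per_client.items()
            if max(c.values(), default=0) >= min_rcpts}

# Constructed sample lines (documentation IPs and example domains, not real traffic).
_many = ",".join(f"<r{i}@example.org>" for i in range(1, 7))
SAMPLE = [
    "Feb 14 13:47:09 mailserver amavis[25685]: (25685-20) Passed CLEAN, [203.0.113.7] "
    f"[203.0.113.7] <a@example.net> -> {_many}, Message-ID: <m1@uc>, mail_id: AAAA, "
    "Hits: 1.546, size: 8319, queued_as: 1111111111, 753 ms",
    "Feb 14 13:48:10 mailserver amavis[25685]: (25685-21) Passed CLEAN, [198.51.100.4] "
    "[198.51.100.4] <b@example.com> -> <c@example.net>, Message-ID: <m2@x>, "
    "mail_id: BBBB, Hits: 0.1, size: 900, queued_as: 2222222222, 120 ms",
    "Feb 14 13:49:30 mailserver amavis[25685]: (25685-22) Blocked SPAM, [203.0.113.7] "
    "[203.0.113.7] <a@example.net> -> <r9@example.org>, Message-ID: <m3@uc>, "
    "mail_id: CCCC, Hits: 9.2, size: 7000, 640 ms",
]

if __name__ == "__main__":
    for ip, domains in bulk_relays(SAMPLE).items():
        print(ip, dict(domains))
```
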
I was under spam attack. I have set up the /etc/fail2ban/jail.local in this way:

Code:
## bantime of 3600 = 60*60 = one hour
## bantime of 86400 = 60*60*24 = one day
## bantime of 604800 = 60*60*24*7 = one week
## bantime of 2592000 = 60*60*24*30 = (approx) one month
## bantime of 31536000 = 60*60*24*365 = (approx) one year
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
port = pop3,pop3s,imap,imaps
logpath = /var/log/mail.log
maxretry = 20
findtime = 60
bantime = 86400

In the /etc/fail2ban/filter.d/dovecot-pop3imap.conf file I have written:

Code:
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconn$
ignoreregex =

and then I have restarted the fail2ban software:

Code:
/etc/init.d/fail2ban restart

Then I have seen the IP of the spammer in the fail2ban log software as BANNED! Thanks
Hi,

Last Monday, I found exactly 218 521 mails from the domain "qq.com" in the postqueue of a customer server. Each email address was different, only the domain is the same. In 30 years of data processing, I never saw that! So I blocked this domain and now it's clean.

Jonas.