Hi all,

I've got a question about a possible regex; maybe someone can help tell me if it is possible.

On a postfix server, fail2ban can block rejected connections, or multiple tries. But is it possible to make it block the servers which sent junk mail? For example, in /var/log/maillog, when a server connects and sends junk, we get these lines:

Oct 14 03:22:37 myserver postfix/smtpd[31362]: connect from unknown[31.31.126.189]
Oct 14 03:22:38 myserver postfix/smtpd[31362]: 3A5A9606BB: client=unknown[31.31.126.189]
Oct 14 03:22:38 myserver postfix/cleanup[31366]: 3A5A9606BB: message-id=<[email protected]>
Oct 14 03:22:39 myserver postfix/qmgr[2110]: 3A5A9606BB: from=<[email protected]>, size=66836, nrcpt=1 (queue active)
Oct 14 03:22:40 myserver postfix/pipe[31367]: 3A5A9606BB: to=<[email protected]>, relay=spamassassin, delay=2.1, delays=1.2/0.01/0/0.83, dsn=2.0.0, status=sent (delivered via spamassassin service)
Oct 14 03:22:40 myserver dovecot: lda(myaddress): sieve: msgid=<[email protected]>: stored mail into mailbox 'Junk'
Oct 14 03:22:40 myserver postfix/qmgr[2110]: 3A5A9606BB: removed

Can we make a regex so that fail2ban finds the IP of the server that generated a 'Junk' mail, to ban it?

It's a little tricky because we need to filter all lines with 'Junk', to get the msgid ([email protected]), to get the transaction ID (3A5A9606BB), to get the IP address (31.31.126.189)...

If I can find a way to do it, it could block a lot of junk mail before the spammer makes transactions (and load on the system).

Maybe someone knows how to do it?

Thanks,
Nicolas <[email protected]>

Nicolas Repentin <[email protected]>
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
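
The correlation described in the post (Junk line, then msgid, then queue ID, then client IP), written as a standalone Python log scanner. This is an added example, not part of the original message and not fail2ban's own code; the log lines are constructed in the format shown in the post, with documentation-range IPs and made-up queue IDs and message-ids, and `junk_senders` is a hypothetical name.

```python
import re

# Constructed sample in the format of the log excerpt in the post; the IPs are
# documentation ranges, queue IDs and message-ids are made up.
SAMPLE_LOG = """\
Oct 14 03:22:37 myserver postfix/smtpd[31362]: connect from unknown[203.0.113.7]
Oct 14 03:22:38 myserver postfix/smtpd[31362]: 3A5A9606BB: client=unknown[203.0.113.7]
Oct 14 03:22:38 myserver postfix/cleanup[31366]: 3A5A9606BB: message-id=<spam1@mailer.example>
Oct 14 03:22:39 myserver postfix/smtpd[31370]: 4B6B0717CC: client=mail.example.org[198.51.100.23]
Oct 14 03:22:39 myserver postfix/cleanup[31366]: 4B6B0717CC: message-id=<ham1@example.org>
Oct 14 03:22:40 myserver dovecot: lda(myaddress): sieve: msgid=<spam1@mailer.example>: stored mail into mailbox 'Junk'
Oct 14 03:22:40 myserver postfix/qmgr[2110]: 3A5A9606BB: removed
Oct 14 03:22:41 myserver dovecot: lda(myaddress): sieve: msgid=<ham1@example.org>: stored mail into mailbox 'INBOX'
Oct 14 03:22:41 myserver postfix/qmgr[2110]: 4B6B0717CC: removed
Oct 14 03:22:45 myserver dovecot: lda(myaddress): sieve: msgid=<forged@nowhere.example>: stored mail into mailbox 'Junk'
"""

# One pattern per log line type that takes part in the correlation.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([0-9A-Fa-f.:]+)\]")
MSGID_RE = re.compile(r"postfix/cleanup\[\d+\]: ([0-9A-F]+): message-id=<([^>]*)>")
JUNK_RE = re.compile(r"dovecot: lda\([^)]*\): sieve: msgid=<([^>]*)>: stored mail into mailbox 'Junk'")
REMOVED_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): removed")

def junk_senders(lines):
    """Return {client_ip: junk_count} for mail that sieve stored into 'Junk'."""
    client_by_qid, msgid_by_qid = {}, {}   # queue ID -> client IP / message-id
    qids_by_msgid, hits = {}, {}           # message-id -> in-flight queue IDs
    for line in lines:
        if m := CLIENT_RE.search(line):
            client_by_qid[m.group(1)] = m.group(2)
        elif m := MSGID_RE.search(line):
            msgid_by_qid[m.group(1)] = m.group(2)
            qids_by_msgid.setdefault(m.group(2), set()).add(m.group(1))
        elif m := JUNK_RE.search(line):
            qids = qids_by_msgid.get(m.group(1), set())
            # The Message-ID header is chosen by the sender, so only an
            # unambiguous match (exactly one in-flight queue ID) is trusted.
            if len(qids) == 1:
                ip = client_by_qid.get(next(iter(qids)))
                if ip:
                    hits[ip] = hits.get(ip, 0) + 1
        elif m := REMOVED_RE.search(line):
            # Assumes the 'Junk' line is logged before 'removed', as in the post.
            client_by_qid.pop(m.group(1), None)
            qids_by_msgid.get(msgid_by_qid.pop(m.group(1), None), set()).discard(m.group(1))
    return hits

if __name__ == "__main__":
    print(junk_senders(SAMPLE_LOG.splitlines()))
```

Each returned address could then be handed to `fail2ban-client set <jail> banip <ip>`, where `<jail>` is a placeholder for a locally defined jail.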
