Hi

This is a good idea :-)

Nicolas Repentin
<[email protected]>


On 15 October 2015 09:15, Iosif Fettich wrote:
Hi Nicolas,

I've got a question about a possible regex, maybe someone can help to tell me 
if it is possible.

On a postfix server, fail2ban can block rejected connections, or multiple tries.

But, is it possible to make it block the servers which sent a junk mail?


For example, on /var/log/maillog, when a server connects and sends a junk mail, 
we've got the lines:

Oct 14 03:22:37 myserver postfix/smtpd[31362]: connect from 
unknown[31.31.126.189]
Oct 14 03:22:38 myserver postfix/smtpd[31362]: 3A5A9606BB: 
client=unknown[31.31.126.189]
Oct 14 03:22:38 myserver postfix/cleanup[31366]: 3A5A9606BB: 
message-id=<[email protected]>
Oct 14 03:22:39 myserver postfix/qmgr[2110]: 3A5A9606BB: from=<[email protected]>, 
size=66836, nrcpt=1 (queue active)
Oct 14 03:22:40 myserver postfix/pipe[31367]: 3A5A9606BB: 
to=<[email protected]>, relay=spamassassin, delay=2.1, 
delays=1.2/0.01/0/0.83, dsn=2.0.0, status=sent (delivered via spamassassin 
service)
Oct 14 03:22:40 myserver dovecot: lda(myaddress): sieve: 
msgid=<[email protected]>: stored mail into 
mailbox 'Junk'
Oct 14 03:22:40 myserver postfix/qmgr[2110]: 3A5A9606BB: removed

Can we make a regex for fail2ban to search the IP of the server which generated a 
'Junk' mail, to ban it?

It's a little tricky because we need to filter all lines with 'Junk', to get 
the name of msgid ([email protected]), to get 
the transaction ID (3A5A9606BB), to get the IP address (31.31.126.189)....

If I can find the way to do it, it could block a lot of junk mail before the 
spammer makes transactions (and load on the system).

Maybe someone knows how to do it?

Maybe others would know better, but I think you have to take a two-step 
approach.

1) write a (crontab-based?) script that processes the above log and 
creates an extra 'junkers.log' log file, which has the info you need 
conveniently packed

2) write the regex to deal with your junkers.log file

Just a thought.

Best regards,

Iosif Fettich
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
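The two-step approach Iosif suggests, worked through as an added example (this is not code from either poster, nor from the fail2ban project). Step 1 is a script that walks maillog, correlates `stored mail into mailbox 'Junk'` back through the message-id to the postfix queue ID and from there to the `client=` IP, and emits one self-contained line per junk message in the `junkers.log` format Iosif proposes; step 2 is the fail2ban filter for that file. The log lines, host names, queue IDs, IPs (RFC 5737 documentation ranges) and message-ids are constructed for the example; the `junkers.log` line layout, the `junkers` filter name and the `'Junk'` mailbox name are assumptions, as is the emulation of fail2ban's `<HOST>` substitution used to check the filter locally.

```python
#!/usr/bin/env python3
"""Two-step junk-sender extraction for fail2ban (added example, not from the thread).

Step 1: correlate maillog  'Junk' -> msgid -> queue ID -> client IP  and write one
        line per junk message to junkers.log.
Step 2: a fail2ban filter that bans the <HOST> found in those lines.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of /var/log/maillog in the format shown in the thread
# (hosts, IPs, queue IDs and message-ids are invented). The third message is
# re-injected through localhost by a content filter to show that edge case.
SAMPLE_LOG = """\
Oct 14 03:22:37 myserver postfix/smtpd[31362]: connect from unknown[192.0.2.10]
Oct 14 03:22:38 myserver postfix/smtpd[31362]: 3A5A9606BB: client=unknown[192.0.2.10]
Oct 14 03:22:38 myserver postfix/cleanup[31366]: 3A5A9606BB: message-id=<abc123@spammer.example>
Oct 14 03:22:39 myserver postfix/qmgr[2110]: 3A5A9606BB: from=<bulk@spammer.example>, size=66836, nrcpt=1 (queue active)
Oct 14 03:22:40 myserver postfix/pipe[31367]: 3A5A9606BB: to=<me@myserver.example>, relay=spamassassin, delay=2.1, delays=1.2/0.01/0/0.83, dsn=2.0.0, status=sent (delivered via spamassassin service)
Oct 14 03:22:40 myserver dovecot: lda(myaddress): sieve: msgid=<abc123@spammer.example>: stored mail into mailbox 'Junk'
Oct 14 03:22:40 myserver postfix/qmgr[2110]: 3A5A9606BB: removed
Oct 14 03:30:01 myserver postfix/smtpd[31400]: connect from mail.example.net[198.51.100.7]
Oct 14 03:30:02 myserver postfix/smtpd[31400]: 5B6C7D8E9F: client=mail.example.net[198.51.100.7]
Oct 14 03:30:02 myserver postfix/cleanup[31401]: 5B6C7D8E9F: message-id=<ok-1@example.net>
Oct 14 03:30:03 myserver dovecot: lda(myaddress): sieve: msgid=<ok-1@example.net>: stored mail into mailbox 'INBOX'
Oct 14 03:41:10 myserver postfix/smtpd[31450]: 7E8F9A0B1C: client=unknown[203.0.113.5]
Oct 14 03:41:10 myserver postfix/cleanup[31451]: 7E8F9A0B1C: message-id=<def456@spammer.example>
Oct 14 03:41:12 myserver postfix/smtpd[31455]: 9C0D1E2F3A: client=localhost[127.0.0.1]
Oct 14 03:41:12 myserver postfix/cleanup[31456]: 9C0D1E2F3A: message-id=<def456@spammer.example>
Oct 14 03:41:13 myserver dovecot: lda(myaddress): sieve: msgid=<def456@spammer.example>: stored mail into mailbox 'Junk'
""".splitlines()

SYSLOG_TS = r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)'
QID = r'(?P<qid>[0-9A-Za-z]+)'  # short hex IDs or long IDs (enable_long_queue_ids)

CLIENT_RE = re.compile(r'postfix/smtpd\[\d+\]: ' + QID + r': client=\S*\[(?P<ip>[^\]]+)\]')
MSGID_RE = re.compile(r'postfix/cleanup\[\d+\]: ' + QID + r': message-id=<(?P<msgid>[^>]*)>')
# Mailbox name 'Junk' is taken from the thread; adjust if your sieve rule files elsewhere.
JUNK_RE = re.compile(SYSLOG_TS + r" .*?dovecot: lda\([^)]*\): sieve: msgid=<(?P<msgid>[^>]*)>"
                     r": stored mail into mailbox 'Junk'")
LOCAL_IPS = {'127.0.0.1', '::1'}


def find_junk_sources(lines):
    """Return (timestamp, client_ip, queue_id, msgid) for every message stored in 'Junk'."""
    ip_by_qid = {}
    qids_by_msgid = defaultdict(list)
    junk_events = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            ip_by_qid[m['qid']] = m['ip']
            continue
        m = MSGID_RE.search(line)
        if m:
            qids_by_msgid[m['msgid']].append(m['qid'])
            continue
        m = JUNK_RE.search(line)
        if m:
            junk_events.append((m['ts'], m['msgid']))
    hits = []
    for ts, msgid in junk_events:
        # A content filter that re-injects via sendmail/SMTP creates a second queue ID
        # whose client is localhost; skip it so we ban the real sender, not ourselves.
        for qid in qids_by_msgid.get(msgid, []):
            ip = ip_by_qid.get(qid)
            if ip and ip not in LOCAL_IPS:
                hits.append((ts, ip, qid, msgid))
                break
    return hits


def junkers_line(ts, ip, qid, msgid):
    """One junkers.log line per junk message; syslog-style so fail2ban parses the date."""
    return f"{ts} junkers: client={ip} queueid={qid} msgid=<{msgid}>"


# Step 2: contents of /etc/fail2ban/filter.d/junkers.conf (assumed file name).
FAIL2BAN_FILTER = r"""[Definition]
failregex = junkers: client=<HOST> queueid=\S+ msgid=<[^>]*>$
ignoreregex =
"""


def filter_matches(line):
    """Local check of the filter: apply failregex to a junkers.log line, return the host."""
    pattern = re.search(r'failregex = (.*)', FAIL2BAN_FILTER).group(1)
    # Stand-in for fail2ban's own <HOST> expansion, enough to validate the pattern here.
    m = re.search(pattern.replace('<HOST>', r'(?P<host>\S+)'), line)
    return m['host'] if m else None


if __name__ == '__main__':
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_junk_sources(lines):
        print(junkers_line(*hit))
```

Run it from cron against maillog and append its output to `/var/log/junkers.log`, then point a jail at that file (`logpath = /var/log/junkers.log`, `filter = junkers`). Two practical points: the script must not re-emit lines it already reported on the previous run (feed it only the new part of the log, for example via logtail or a saved offset), and `findtime` in the jail has to be longer than the cron interval or the hits expire before they are counted. Also put your own forwarding relays in `ignoreip`: the `client=` address is the last SMTP hop, which for forwarded mail is the relay rather than the spammer.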
