On 06/22/2010 02:30 PM, Phil Howard wrote:
I saw fail2ban discussed in another thread.  I was wondering if anyone
here has used it to block based on spamtraps.  I want to set up a
number of dummy users and splatter their email addresses where
spammers would get at them (e.g. white on white text on web pages,
etc).  Then ban the IPs that try to send to N or more of those
addresses, where N is relatively low, like 2.

This doesn't do exactly what you want; it only allows one attempt on a spamtrap address. Add more regexen and increase maxretry to taste.

A word of caution: don't assume that everyone browses the web using a graphical web browser. People still browse from the command line, and more importantly, screen readers for the disabled. If you're going to hide an address, make sure that there is some indication (for humans) that the address should not be contacted under any circumstances.

# jail.conf

[spamtrap-iptables]
# Be extra mean to these hosts. The bantime is 28 days.
enabled  = true
bantime  = 2419200
findtime = 86400
maxretry = 1
filter   = spamtrap
action   = iptables[name=spamtrap, port=smtp, protocol=tcp]
logpath  = /var/log/mail/mail.log


# filter.d/spamtrap.conf

[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <addr...@example\.com>


You will probably also need to configure the 'iptables' action, and some part of your iptables config. Snippets from mine won't help you much, but basically, I append banned addresses to a new fail2ban-<name> table, and then insert this table into my standard chain at a particular position during actionstart.

(I also mail myself the output of iptables -L -n, so that I can verify that nothing has gone haywire.)
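As an added illustration (not code from the original thread), the Python below applies the same failregex idea to constructed Postfix log lines and contrasts what fail2ban's maxretry actually counts (matching lines per host) with the "N or more distinct spamtrap addresses" rule Phil asked about. The log lines, trap addresses and function names are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed Postfix/smtpd log lines standing in for /var/log/mail/mail.log.
SAMPLE_LOG = """\
Jun 22 14:31:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <trap-a@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<trap-a@example.com> proto=ESMTP helo=<spam>
Jun 22 14:31:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <trap-b@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<trap-b@example.com> proto=ESMTP helo=<spam>
Jun 22 14:32:10 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <trap-a@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<trap-a@example.com> proto=ESMTP helo=<mail.example.net>
Jun 22 14:33:00 mx postfix/smtpd[1241]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<typo@example.com> proto=ESMTP helo=<mail.example.net>
Jun 22 14:34:00 mx postfix/smtpd[1242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <trap-c@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@spam.invalid> to=<trap-c@example.com> proto=ESMTP helo=<x>
Jun 22 14:34:09 mx postfix/smtpd[1242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <trap-c@example.com>: Recipient address rejected: User unknown in local recipient table; from=<y@spam.invalid> to=<trap-c@example.com> proto=ESMTP helo=<x>
"""

# Dummy mailboxes that are only ever published as bait (constructed values).
TRAPS = {"trap-a@example.com", "trap-b@example.com", "trap-c@example.com"}

# The post's failregex, with <HOST> replaced by a named group and the literal
# trap address replaced by a capture group, so one pattern covers every trap
# instead of one regex per address. A non-trap 550 5.1.1 (a typo) is ignored.
REJECT_RE = re.compile(
    r"reject: RCPT from [^\[]*\[(?P<host>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def trap_hits(log_text, traps=TRAPS):
    """Return {host: [trap address for each matching line]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("rcpt") in traps:
            hits[m.group("host")].append(m.group("rcpt"))
    return hits


def fail2ban_style_bans(log_text, maxretry, traps=TRAPS):
    """What the jail counts: matching log lines per host (maxretry semantics)."""
    return sorted(h for h, a in trap_hits(log_text, traps).items() if len(a) >= maxretry)


def distinct_trap_bans(log_text, n, traps=TRAPS):
    """What the question asked for: N or more *distinct* trap addresses per host."""
    return sorted(h for h, a in trap_hits(log_text, traps).items() if len(set(a)) >= n)


if __name__ == "__main__":
    print("maxretry=2 bans:", fail2ban_style_bans(SAMPLE_LOG, 2))
    print("N=2 distinct bans:", distinct_trap_bans(SAMPLE_LOG, 2))
```

Note the difference on 203.0.113.5: two lines against the same trap satisfy maxretry=2 but not a distinct-address threshold of 2, which is why the jail above cannot do "exactly what you want" without extra logic.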