Re: Blacklist honeypot senders
On 24 May 2019, at 12:52, Rafael Azevedo wrote:
>
> Hi there,
>
> I've done that by building a policy filter that bans those IPs using
> iptables whenever those trap accounts get reached.

Oh, well, that sounds lovely. Is it sharable? (Shouldn't be much issue to adapt it to pf.)

> It wasn't that easy, but it's beautiful how it's working.
>
> Chain SPAMBLOCK (X references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     tcp  --  *      *       179.97.63.X          0.0.0.0/0            multiport dports 25,80,110,143,443,587,993,995 reject-with icmp-port-unreachable

Yep, that's exactly what I want to do.

--
The Monks of Cool, whose tiny and exclusive monastery is hidden in a really cool and laid-back valley in the lower Ramtops, have a passing-out test for a novice. He is taken into a room full of all types of clothing and asked: Yo, my son, which of these is the most stylish thing to wear? And the correct answer is: Hey, whatever I select.
Re: Blacklist honeypot senders
Hi there,

I've done that by building a policy filter that bans those IPs using iptables whenever those trap accounts get reached.

It wasn't that easy, but it's beautiful how it's working.

Chain SPAMBLOCK (X references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       179.97.63.X          0.0.0.0/0            multiport dports 25,80,110,143,443,587,993,995 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       138.59.146.X         0.0.0.0/0            multiport dports 25,80,110,143,443,587,993,995 reject-with icmp-port-unreachable

BR,
Rafael

On Fri, 24 May 2019 at 13:35, @lbutlr wrote:
>
> I have an active email address that only receives spam (it is an address that
> wasn't used for years but I've recently reactivated to see just how much spam an
> unprotected decades old account that hasn't accepted mail since 2006 would
> get).
>
> Anyway, what I would like to do is somehow blacklist any IP that sends mail
> to that address for some period of time, configurable by me but not
> necessarily dynamic. (That is, if I could specify 1 day or 3 hours for any
> match, that is fine).
>
> I suspect that postfix might be able to do this through some sort of
> helo_access check? I mean, I know managing the timeout would be outside of
> postfix, but I can figure that part out easily enough.
>
> Or should I look at expanding the log matching in fail2ban instead?
>
> Or something obvious and clearly better?
>
> --
> 'Never build a dungeon you wouldn't be happy to spend the night in
> yourself,' said the Patrician (...). 'The world would be a happier place
> if more people remembered that.' --Guards! Guards!
Re: Blacklist honeypot senders
On 24 May 2019, at 11:23, Noel Jones wrote:
> On 5/24/2019 11:33 AM, @lbutlr wrote:
>> I have an active email address that only receives spam (it is an address
>> that wasn't used for years but I've recently reactivated to see just how much
>> spam an unprotected decades old account that hasn't accepted mail since 2006
>> would get).
>> Anyway, what I would like to do is somehow blacklist any IP that sends mail
>> to that address for some period of time, configurable by me but not
>> necessarily dynamic. (That is, if I could specify 1 day or 3 hours for any
>> match, that is fine).
>> I suspect that postfix might be able to do this through some sort of
>> helo_access check? I mean, I know managing the timeout would be outside of
>> postfix, but I can figure that part out easily enough.
>> Or should I look at expanding the log matching in fail2ban instead?
>> Or something obvious and clearly better?
>
> Adding a log match in fail2ban for the blacklisted recipient is by far the
> easiest solution.

Yeah, that is probably what I will do. I also looked at postfix-policyd but, despite it saying specifically that it supports spam trapping, I was unable to find any way to specify the spam trap address in the conf file.

--
I was good and deleted the "You *&;#$ing moron" before posting; aren't you proud of me?
Re: Blacklist honeypot senders
On 5/24/2019 11:33 AM, @lbutlr wrote:
> I have an active email address that only receives spam (it is an address
> that wasn't used for years but I've recently reactivated to see just how much
> spam an unprotected decades old account that hasn't accepted mail since 2006
> would get).
> Anyway, what I would like to do is somehow blacklist any IP that sends mail
> to that address for some period of time, configurable by me but not
> necessarily dynamic. (That is, if I could specify 1 day or 3 hours for any
> match, that is fine).
> I suspect that postfix might be able to do this through some sort of
> helo_access check? I mean, I know managing the timeout would be outside of
> postfix, but I can figure that part out easily enough.
> Or should I look at expanding the log matching in fail2ban instead?
> Or something obvious and clearly better?

Adding a log match in fail2ban for the blacklisted recipient is by far the easiest solution.

Postfix doesn't have much built-in that would help this project. You would need to write a policy service or log watcher that checks for the blacklisted recipient, which would then add the offending client IP to a check_client_access blacklist table. Using *sql or lmdb for the blacklist table would eliminate the need to rebuild the table after each change.

--
Noel Jones
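A minimal version of the policy service Noel describes, written as an added example for this thread (it is not code from any of the posters): it speaks the Postfix SMTPD policy protocol (name=value lines, blank-line terminated, answered with "action=..."), remembers the client IP of any delivery addressed to the trap, and rejects that client for a configurable window, which covers the "1 day or 3 hours" requirement from the original question. The trap address, the 3-hour window, and running it from master.cf via spawn are assumptions.

```python
import sys
import time

# Assumed values, not from the thread: the spam-trap recipient and the ban window.
TRAP_ADDRESS = "spamtrap@example.com"
BAN_SECONDS = 3 * 3600


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: name=value lines up to the first blank line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class TrapBanList:
    """Tracks client IPs that delivered to the trap and rejects them until their ban expires."""

    def __init__(self, trap_address=TRAP_ADDRESS, ban_seconds=BAN_SECONDS, clock=time.time):
        self.trap = trap_address.lower()
        self.ban_seconds = ban_seconds
        self.clock = clock          # injectable so the expiry logic can be tested
        self.banned = {}            # client IP -> expiry timestamp

    def decide(self, attrs: dict) -> str:
        """Return the Postfix action for one request (DUNNO lets other restrictions decide)."""
        now = self.clock()
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]     # drop expired bans
        ip = attrs.get("client_address", "")
        if ip in self.banned:
            return "REJECT Client temporarily blocked after spam-trap delivery"
        if attrs.get("recipient", "").lower() == self.trap:
            # Let the trap delivery itself through (the poster measures it); ban later ones.
            self.banned[ip] = now + self.ban_seconds
        return "DUNNO"


def serve(stream_in, stream_out, banlist):
    """Answer requests on a stream, as when Postfix starts the script via spawn (assumed)."""
    pending = []
    for line in stream_in:
        line = line.rstrip("\n")
        if line:
            pending.append(line)
            continue
        stream_out.write("action=%s\n\n" % banlist.decide(parse_policy_request("\n".join(pending))))
        stream_out.flush()
        pending = []


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, TrapBanList())
```

In main.cf this would be referenced as check_policy_service in smtpd_recipient_restrictions; the ban state lives in memory here, so a restart clears it, which is fine for a short window but argues for the sql/lmdb table Noel mentions if bans must survive restarts.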