If the earlytalker filter actually blocks a connection, you should see a "DENIED_EARLYTALKER" message in the log. Are you sure that connection isn't whitelisted or authenticating? Either of those things would prevent the earlytalker filter from actually blocking the connection.
-- Sam Clippinger

On Mar 11, 2014, at 10:04 PM, Shane Bywater <sh...@apexia.ca> wrote:

> Hi,
> I'm running Spamdyke 4.3.1 on a CentOS 6 server. I've been successfully using spamdyke along with fail2ban to block IPs with the following characteristics:
> Missing RDNS and RDNS containing IP address.
>
> In the maillog files I see the following:
> Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 186.52.196.7 rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy
> Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: birgitta.weh...@vll.ca to: u...@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.an
> Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 117.207.23.39
> Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: 73a8...@enerdeco.nl to: u...@domain.com origin_ip: 117.207.23.39 origin_rdns: (unknown) auth: (unknown)
> Aug 24 04:21:33 apexia spamdyke[25574]: FILTER_EARLYTALKER delay: 5
> Aug 24 04:21:33 apexia /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 101.208.35.161:51645 (not defined)
>
> My fail2ban configuration file contains:
> [Definition]
> failregex = spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: <HOST>
>             spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: <HOST>
>             spamdyke.+: FILTER_EARLYTALKER delay: 5.+from <HOST> <--not working
> ignoreregex =
>
> My issue is I now want to start banning IPs that set off the FILTER_EARLYTALKER filter but as there is no corresponding DENIED_EARLYTALKER from: x...@yyy.com to u...@domain.com origin_ip: 111.222.333.444 I cannot figure out the proper failregex expression to match the existing format for FILTER_EARLYTALKER nor do I know how to change spamdyke to show a familiar DENIED_EARLYTALKER ... heading in the maillog which I could determine the proper failregex for. If anyone can provide me with some suggestions that would be appreciated.
>
> Regards,
> Shane Bywater
>
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
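An added example, not part of either message above: the three failregex rules from the thread run over the quoted maillog lines, to show which lines yield a bannable IP. It assumes a simplified IPv4-only stand-in for fail2ban's <HOST> tag, and it assumes a DENIED_EARLYTALKER line uses the same field layout as the other DENIED_ lines; the denied_earlytalker rule and the last log line are constructed for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag
# also accepts hostnames and IPv6). Assumption made for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(pattern):
    """Substitute <HOST> and compile, roughly as fail2ban does per rule."""
    return re.compile(pattern.replace("<HOST>", HOST))

FAILREGEX = {
    "rdns_missing": "spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: <HOST>",
    "ip_in_cc_rdns": "spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: <HOST>",
    # The rule reported as not working in the thread.
    "filter_earlytalker": "spamdyke.+: FILTER_EARLYTALKER delay: 5.+from <HOST>",
    # Hypothetical rule: assumes DENIED_EARLYTALKER shares the DENIED_ layout.
    "denied_earlytalker": "spamdyke.+: DENIED_EARLYTALKER from:.+origin_ip: <HOST>",
}

# The first five lines are quoted from the thread; the last one is constructed.
LOG = [
    "Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: birgitta.weh...@vll.ca to: u...@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.an",
    "Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 117.207.23.39",
    "Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: 73a8...@enerdeco.nl to: u...@domain.com origin_ip: 117.207.23.39 origin_rdns: (unknown) auth: (unknown)",
    "Aug 24 04:21:33 apexia spamdyke[25574]: FILTER_EARLYTALKER delay: 5",
    "Aug 24 04:21:33 apexia /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 101.208.35.161:51645 (not defined)",
    "Aug 24 04:21:35 apexia spamdyke[25574]: DENIED_EARLYTALKER from: sender@example.com to: user@example.org origin_ip: 203.0.113.45 origin_rdns: (unknown) auth: (unknown)",
]

def hosts_to_ban(lines):
    """Return {rule_name: [ip, ...]}, matching each rule against one line at a time."""
    rules = {name: compile_failregex(p) for name, p in FAILREGEX.items()}
    hits = {name: [] for name in rules}
    for line in lines:
        for name, rx in rules.items():
            m = rx.search(line)
            if m:
                hits[name].append(m.group("host"))
    return hits

if __name__ == "__main__":
    for rule, ips in hosts_to_ban(LOG).items():
        print(f"{rule:20s} {ips}")
```

The FILTER_EARLYTALKER line carries no address at all, and the address on the following relaylock line belongs to a separate log entry, so a rule matched one line at a time has nothing to capture there.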