OT: log spam
Angel
craem at craem.net
Tue Jun 15 21:03:13 IST 2010
Thanks!!!
Good RBL Filter -
Ángel Elena
On Tue, 15-06-2010 at 15:36 +1000, Anthony Giggins wrote:
> > should have debugged. action = iptables[name=spam, port=smtp,
> > protocol=tcp]
> >
> > Marc Lucke wrote:
> >> for anyone interested who uses fail2ban:
> >>
> >> # cat filter.d/spam.conf
> >> failregex = Message .* from <HOST> .* is spam
> >> ignoreregex =
> >> # tail -n 8 jail.conf
> >> [spam]
> >> enabled = true
> >> filter = spam
> >> maxretry = 1
> >> bantime = 3600
> >> action = iptables-multiport[name=spam port="smtp", protocol=tcp]
> >> sendmail-whois[name=spam, dest=root, sender=root]
> >> logpath = /var/log/maillog
> >>
> >> works a treat :) Thanks John! I was getting too complicated.
>
> Has anyone got a known working fail2ban config for dovecot Auth failures?
>
> /etc/fail2ban/filter.d/dovecot.conf
> [INCLUDES]
> before = common.conf
> [Definition]
> _daemon = dovecot
> failregex = dovecot.*authentication failure.*rhost\=<HOST>
> ignoreregex =
>
> It seems to pass fail2ban-regex
>
> i.e. /usr/bin/fail2ban-regex /var/log/secure.1 /etc/fail2ban/filter.d/dovecot.conf
>
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/dovecot.conf
> Use log file : /var/log/secure.1
>
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> | [1] dovecot.*authentication failure.*rhost\=<HOST>
> |
> `- Number of matches:
> [1] 32 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
>
> Addresses found:
> [1]
>
> Date template hits:
> 132 hit(s): Month Day Hour:Minute:Second
> 0 hit(s): Weekday Month Day Hour:Minute:Second Year
> 0 hit(s): Weekday Month Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): TAI64N
> 0 hit(s): Epoch
>
> Success, the total number of match is 32
>
> However, look at the above section 'Running tests' which could contain
> important
> information.
>
>
>
> but I've never seen it block anything :(
>
> Cheers
>
> Anthony
>
>
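Added example, not part of the original thread and not fail2ban's own code: it applies the dovecot failregex posted above to constructed log lines and then applies a jail's maxretry/findtime threshold, the step that fail2ban-regex (which only reports matches) does not cover. The `<HOST>` substitution is a simplified IPv4-only assumption, the function names are hypothetical, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as posted in the thread.
FAILREGEX = r"dovecot.*authentication failure.*rhost\=<HOST>"
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed sample lines in syslog style (not taken from the thread).
SAMPLE_LOG = """\
Jun  8 12:11:43 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; ruser=a rhost=192.0.2.10
Jun  8 12:11:44 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; ruser=b rhost=192.0.2.10
Jun  8 12:11:45 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; ruser=c rhost=192.0.2.10
Jun  8 09:00:00 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; ruser=a rhost=198.51.100.7
Jun  8 13:00:00 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; ruser=a rhost=198.51.100.7
Jun  8 17:00:00 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; ruser=a rhost=198.51.100.7
Jun  8 17:00:05 mx dovecot: imap-login: Login: user=<a>, rip=203.0.113.5
"""

def find_failures(log, year=2010):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log.splitlines():
        m = PATTERN.search(line)
        if m:
            # Syslog lines carry no year, so one is supplied by the caller.
            when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            hits.append((when, m.group("host")))
    return hits

def hosts_to_ban(failures, maxretry, findtime):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    per_host = defaultdict(list)
    for when, host in failures:
        per_host[host].append(when)
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return sorted(banned)

if __name__ == "__main__":
    for retry in (3, 1):
        print(retry, hosts_to_ban(find_failures(SAMPLE_LOG), retry, 600))
```

With `maxretry = 1`, as in the `[spam]` jail quoted above, every matching host crosses the threshold; with a higher value, only hosts whose failures fall inside one `findtime` window do.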