[BlueOnyx:13975] Re: ban or jail <may be forged> messages

wcstaff at webcoast.com wcstaff at webcoast.com
Sun Nov 3 19:40:22 -05 2013


> -----Original Message-----
> From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On
> Behalf Of wcstaff at webcoast.com
> Sent: Sunday, November 03, 2013 7:04 PM
> To: 'BlueOnyx General Mailing List'
> Subject: [BlueOnyx:13974] ban or jail <may be forged> messages
> 
> I know this is an arguable scenario, but I am sick of the spam getting
> through that is <may be forged>.
> It seems like spammers are figuring ways to forge and get around blocks.
> I have recently found IP addresses that I force blocked, skating through on
> a <may be forged>.
> I read where some settings can be added to fail2ban that will reject these
> emails. I tried adding them and it did not help.
> I was also reading that Sendmail 8.4 has the feature
> "FEATURE(`require_rdns')dnl", that can be enabled or disabled.
> My question is how do I turn on and off this feature? I looked in
> sendmail.mc and "FEATURE(`require_rdns')dnl" does not exist.
> Thanks
> Tom
> 
Upon further searching I found the following sendmail for fail2ban. I gave
it a try and it seems to be working. I monitored the last 10 IP addresses it
blocked and they were legit spammers.
I will monitor the setup to see how many, if any, innocents get jailed or
banned and decide if it is worth using these settings.
I have already seen the spam mail drop significantly.
Thanks
Tom

---------------------------------------------------------------------------------------
Sendmail
Step by step instructions for setting up fail2ban for sendmail.
Create the filter
First, create a filter file for sendmail, typically filter.d/sendmail.conf,
with the following content: 
# Fail2Ban configuration file
#
# Source: http://www.the-art-of-web.com/system/fail2ban-sendmail/
# Contributors: Gutza, the SASL regex
#
# $Revision: 0 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = \[<HOST>\] .*to MTA
#            \[<HOST>\] \(may be forged\)
            \[<HOST>\], reject.*\.\.\. Relaying denied
            (User unknown)\n* \[<HOST>\]
            badlogin: .* \[<HOST>\] plaintext .* SASL

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

You may enable the "(may be forged)" line by uncommenting it (remove the
hash symbol at the beginning of the line). Observe caution about that
particular regular expression, because it might cause bans on legitimate
users. 

Define the jail
Now you need to tell fail2ban what to do with this filter. So edit jail.conf
and add the following section: 
[sendmail]
enabled  = true
filter   = sendmail
action   = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]
           sendmail-whois[name=sendmail, dest=you at example.com]
logpath  = /var/log/maillog

Replace you at example.com with your e-mail address.
----------------------------------------------------------------------------
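Before trusting the filter above (and before uncommenting its "(may be forged)" line), it is worth seeing which log lines each failregex actually catches. The checker below is an added example, not code from the post or from fail2ban: it expands <HOST> exactly as the filter's own comment describes and runs the patterns over constructed maillog lines with hypothetical hosts.

```python
import re

# The failregex lines from the filter above; the "(may be forged)" one is
# commented out there, so it is kept separate and only added on request.
FAILREGEX = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"(User unknown)\n* \[<HOST>\]",
    r"badlogin: .* \[<HOST>\] plaintext .* SASL",
]
FORGED_REGEX = r"\[<HOST>\] \(may be forged\)"
# Per the filter's own comment, <HOST> is only an alias for this named group.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def matched_hosts(lines, patterns):
    """Return {host: hit count}; a line counts at most once, on its first match."""
    compiled = compile_failregex(patterns)
    hits = {}
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits


SAMPLE_MAILLOG = [  # constructed lines, hypothetical hosts (RFC 5737 addresses)
    # open-relay attempt: caught by the "Relaying denied" pattern
    "Nov  3 19:01:02 mail sendmail[12345]: rA40102ab012345: ruleset=check_rcpt, "
    "arg1=<user@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <user@example.net>... Relaying denied",
    # connection that never issued MAIL: caught by the "to MTA" pattern
    "Nov  3 19:03:00 mail sendmail[12347]: rA40300cd012347: scanner.example [192.0.2.55] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    # failed IMAP password guess: caught by the SASL pattern
    "Nov  3 19:04:10 mail imap[2222]: badlogin: crack.example [203.0.113.9] plaintext admin "
    "SASL(-13): authentication failure: checkpass failed",
    # host precedes "User unknown" here, so the third pattern (host after) does not fire
    "Nov  3 19:05:00 mail sendmail[12349]: rA40500ef012349: ruleset=check_rcpt, "
    "arg1=<ghost@example.com>, relay=[192.0.2.77], reject=550 5.1.1 <ghost@example.com>... User unknown",
    # accepted mail from a partner whose reverse DNS mismatches: only the forged pattern fires
    "Nov  3 19:06:30 mail sendmail[12350]: rA40630gh012350: from=<sales@partner.example>, size=2048, "
    "class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.partner.example [203.0.113.20] (may be forged)",
]

if __name__ == "__main__":
    print("default filter:", matched_hosts(SAMPLE_MAILLOG, FAILREGEX))
    print("with (may be forged):", matched_hosts(SAMPLE_MAILLOG, FAILREGEX + [FORGED_REGEX]))
```

The last sample line is the caveat from the instructions in practice: with the forged pattern enabled, a legitimate partner MX gets a hit for mail that was accepted. Against a real /var/log/maillog, fail2ban's own fail2ban-regex tool does the same kind of dry run.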