[BlueOnyx:13978] Re: ban or jail <may be forged> messages

webmaster webmaster at oldcabin.net
Sun Nov 3 23:20:18 -05 2013



I have used procmail to filter on <May be forged>

It caught many, many, many, many spams; however, it also picked off
some legit mail.

I had to disable it. Too many customers were complaining.

I would love to implement again because it worked great!



>> -----Original Message-----
>> From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On
>> Behalf Of wcstaff at webcoast.com
>> Sent: Sunday, November 03, 2013 7:04 PM
>> To: 'BlueOnyx General Mailing List'
>> Subject: [BlueOnyx:13974] ban or jail <may be forged> messages
>>
>> I know this is an arguable scenario, but I am sick of the spam getting
>> through that is <may be forged>.
>> It seems like spammers are figuring ways to forge and get around blocks.
>> I have recently found IP addresses that I force blocked, skating through
>> on a <may be forged>.
>> I read where some settings can be added to fail2ban that will reject these
>> emails. I tried adding them and it did not help.
>> I was also reading that Sendmail 8.4 has the feature
>> "FEATURE(`require_rdns')dnl", that can be enabled or disabled.
>> My question is how do I turn on and off this feature? I looked in
>> sendmail.mc and "FEATURE(`require_rdns')dnl" does not exist.
>> Thanks
>> Tom
>>
> Upon further searching I found the following sendmail for fail2ban. I gave
> it a try and it seems to be working. I monitored the last 10 IP addresses it
> blocked and they were legit spammers.
> I will monitor the setup to see how many, if any innocents get jailed or
> banned and decide if it is worth using these settings.
> I have already seen the spam mail drop significantly.
> Thanks
> Tom
>
> ---------------------------------------------------------------------------------------
> Sendmail
> Step by step instructions for setting up fail2ban for sendmail.
> Create the filter
> First, create a filter file for sendmail, typically filter.d/sendmail.conf,
> with the following content:
> # Fail2Ban configuration file
> #
> # Source: http://www.the-art-of-web.com/system/fail2ban-sendmail/
> # Contributors: Gutza, the SASL regex
> #
> # $Revision: 0 $
> #
>
> [Definition]
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
>
> failregex = \[<HOST>\] .*to MTA
> #            \[<HOST>\] \(may be forged\)
>              \[<HOST>\], reject.*\.\.\. Relaying denied
>              (User unknown)\n* \[<HOST>\]
>              badlogin: .* \[<HOST>\] plaintext .* SASL
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
> You may enable the "(may be forged)" line by uncommenting it (remove the
> hash symbol at the beginning of the line). Observe caution about that
> particular regular expression, because it might cause bans on legitimate
> users.
>
> Define the jail
> Now you need to tell fail2ban what to do with this filter. So edit jail.conf
> and add the following section:
> [sendmail]
> enabled  = true
> filter   = sendmail
> action   = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]
>            sendmail-whois[name=sendmail, dest=you at example.com]
> logpath  = /var/log/maillog
>
> Replace you at example.com with your e-mail address.
> ----------------------------------------------------------------------------
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>



