[BlueOnyx:13979] Re: ban or jail <may be forged> messages

Greg Kuhnert gkuhnert at compassnetworks.com.au
Sun Nov 3 23:33:34 -05 2013


DFIX2 has a feature where it looks at multiple forged email messages from a single IP address, and blocks them for an hour if detected...

But as suggested here - there is a risk of false positives. Impact with the DFIX2 solution: for your average mail sender, it will let the first couple of messages like this through; if they keep trying to send, it will block for one hour. In my case, it works just fine :)

Greg.

On 4 Nov 2013, at 3:20 pm, webmaster <webmaster at oldcabin.net> wrote:

> 
> 
> I have used procmail to filter on <May be forged>
> 
> It caught many, many, many, many spams; however, it also picked off
> some legit mail.
> 
> I had to disable it.  Too many customers were complaining
> 
> I would love to implement again because it worked great!
> 
> 
> 
>>> -----Original Message-----
>>> From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On
>>> Behalf Of wcstaff at webcoast.com
>>> Sent: Sunday, November 03, 2013 7:04 PM
>>> To: 'BlueOnyx General Mailing List'
>>> Subject: [BlueOnyx:13974] ban or jail <may be forged> messages
>>> 
>>> I know this is an arguable scenario, but I am sick of the spam getting
>>> through that is <may be forged>.
>>> It seems like spammers are figuring ways to forge and get around blocks.
>>> I have recently found IP addresses that I force blocked, skating through on
>>> a <may be forged>.
>>> I read where some settings can be added to fail2ban that will reject these
>>> emails. I tried adding them and it did not help.
>>> I was also reading that Sendmail 8.4 has the feature
>>> "FEATURE(`require_rdns')dnl", than can be enable or disabled.
>>> My question is how do I turn on and off this feature? I looked in
>>> sendmail.mc and "FEATURE(`require_rdns')dnl" does not exist.
>>> Thanks
>>> Tom
>>> 
>> Upon further searching I found the following sendmail for fail2ban. I gave
>> it a try and it seems to be working. I monitored the last 10 IP addresses it
>> blocked and they were legit spammers.
>> I will monitor the setup to see how many, if any innocents get jailed or
>> banned and decide if it is worth using these settings.
>> I have already seen the spam mail drop significantly.
>> Thanks
>> Tom
>> 
>> ----------------------------------------------------------------------------
>> Sendmail
>> Step by step instructions for setting up fail2ban for sendmail.
>> Create the filter
>> First, create a filter file for sendmail, typically filter.d/sendmail.conf,
>> with the following content:
>> # Fail2Ban configuration file
>> #
>> # Source: http://www.the-art-of-web.com/system/fail2ban-sendmail/
>> # Contributors: Gutza, the SASL regex
>> #
>> # $Revision: 0 $
>> #
>> 
>> [Definition]
>> 
>> # Option:  failregex
>> # Notes.:  regex to match the password failures messages in the logfile. The
>> #          host must be matched by a group named "host". The tag "<HOST>" can
>> #          be used for standard IP/hostname matching and is only an alias for
>> #          (?:::f{4,6}:)?(?P<host>\S+)
>> # Values:  TEXT
>> #
>> 
>> failregex = \[<HOST>\] .*to MTA
>> #            \[<HOST>\] \(may be forged\)
>>             \[<HOST>\], reject.*\.\.\. Relaying denied
>>             (User unknown)\n* \[<HOST>\]
>>             badlogin: .* \[<HOST>\] plaintext .* SASL
>> 
>> # Option:  ignoreregex
>> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
>> # Values:  TEXT
>> #
>> ignoreregex =
>> 
>> You may enable the "(may be forged)" line by uncommenting it (remove the
>> hash symbol at the beginning of the line). Observe caution about that
>> particular regular expression, because it might cause bans on legitimate
>> users.
>> 
>> Define the jail
>> Now you need to tell fail2ban what to do with this filter. So edit jail.conf
>> and add the following section:
>> [sendmail]
>> enabled  = true
>> filter   = sendmail
>> action   = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]
>>            sendmail-whois[name=sendmail, dest=you at example.com]
>> logpath  = /var/log/maillog
>> 
>> Replace you at example.com with your e-mail address.
>> ----------------------------------------------------------------------------
>> 
>> 
>> _______________________________________________
>> Blueonyx mailing list
>> Blueonyx at mail.blueonyx.it
>> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>> 
> 
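The quoted filter and jail, run over a few constructed sendmail log lines, as an added example that is not part of this thread, of fail2ban, or of the-art-of-web tutorial. It expands fail2ban's <HOST> tag the way the filter comment describes, applies the three single-line failregex patterns (the multi-line "User unknown" pattern is left out because this emulator matches one line at a time), and then adds the commented-out "(may be forged)" pattern to show the false-positive risk the thread is about: sendmail appends "(may be forged)" whenever the connecting address's PTR name does not resolve back to that address, which is true of a badly configured partner MTA as much as of a spam cannon, so the regex cannot tell them apart and only the jail's maxretry/findtime window (assumed here as 3 matches in 600 s; the quoted jail section leaves both at fail2ban's defaults) decides who gets banned. That window is the same "first couple get through, then block for an hour" behaviour Greg describes for DFIX2. The log excerpt, the host names and the addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this alias (quoted in the filter above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Single-line patterns from the quoted filter.d/sendmail.conf. The multi-line
# "User unknown" pattern is left out because this emulator matches per line.
FAILREGEX = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"badlogin: .* \[<HOST>\] plaintext .* SASL",
]
# The line the tutorial ships commented out.
FORGED_REGEX = r"\[<HOST>\] \(may be forged\)"

# Constructed sendmail log excerpt (not a real capture): a bulk sender and a
# partner MTA both connect from an address whose PTR name does not resolve back
# to it, so sendmail tags both "(may be forged)"; an open-relay probe and a
# client that never issues MAIL complete the sample.
SAMPLE_MAILLOG = """\
Nov  3 19:04:01 mx sendmail[21001]: rA400401021001: from=<bulk@example.com>, size=4096, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mta.example.com [192.0.2.10] (may be forged)
Nov  3 19:04:05 mx sendmail[21002]: rA400405021002: from=<bulk@example.com>, size=4096, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=mta.example.com [192.0.2.10] (may be forged)
Nov  3 19:04:09 mx sendmail[21003]: rA400409021003: from=<bulk@example.com>, size=4096, class=0, nrcpts=1, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=mta.example.com [192.0.2.10] (may be forged)
Nov  3 19:05:12 mx sendmail[21004]: rA400512021004: ruleset=check_rcpt, arg1=<victim@elsewhere.test>, relay=[198.51.100.7], reject=550 5.7.1 <victim@elsewhere.test>... Relaying denied
Nov  3 19:05:13 mx sendmail[21005]: rA400513021005: ruleset=check_rcpt, arg1=<victim2@elsewhere.test>, relay=[198.51.100.7], reject=550 5.7.1 <victim2@elsewhere.test>... Relaying denied
Nov  3 19:05:14 mx sendmail[21006]: rA400514021006: ruleset=check_rcpt, arg1=<victim3@elsewhere.test>, relay=[198.51.100.7], reject=550 5.7.1 <victim3@elsewhere.test>... Relaying denied
Nov  3 19:06:00 mx sendmail[21007]: rA400600021007: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  3 19:06:01 mx sendmail[21008]: rA400601021008: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  3 19:06:02 mx sendmail[21009]: rA400602021009: [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  3 19:07:30 mx sendmail[21010]: rA400730021010: from=<alice@partner.test>, size=2048, class=0, nrcpts=1, msgid=<4@partner.test>, proto=ESMTP, daemon=MTA, relay=smtp.partner.test [192.0.2.77] (may be forged)
Nov  3 19:07:45 mx sendmail[21011]: rA400745021011: from=<bob@partner.test>, size=2048, class=0, nrcpts=1, msgid=<5@partner.test>, proto=ESMTP, daemon=MTA, relay=smtp.partner.test [192.0.2.77] (may be forged)
Nov  3 19:08:10 mx sendmail[21012]: rA400810021012: from=<carol@partner.test>, size=2048, class=0, nrcpts=1, msgid=<6@partner.test>, proto=ESMTP, daemon=MTA, relay=smtp.partner.test [192.0.2.77] (may be forged)
""".splitlines()

TIMESTAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def compile_failregex(patterns):
    """Turn fail2ban failregex lines into Python regexes by expanding <HOST>."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def parse_timestamp(line, year=2013):
    """syslog timestamps carry no year; the thread's year is assumed."""
    m = TIMESTAMP.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def find_failures(lines, patterns):
    """Yield (timestamp, host) for each line that any pattern matches."""
    compiled = compile_failregex(patterns)
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                yield parse_timestamp(line), m.group("host")
                break


def banned_hosts(lines, patterns, maxretry=3, findtime=600):
    """Emulate the jail: ban a host once it has maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in find_failures(lines, patterns):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("shipped filter bans:", sorted(banned_hosts(SAMPLE_MAILLOG, FAILREGEX)))
    print("with (may be forged) enabled:",
          sorted(banned_hosts(SAMPLE_MAILLOG, FAILREGEX + [FORGED_REGEX])))
```

With the filter as shipped only the relay probe and the MAIL-less client are banned. Uncommenting the "(may be forged)" line also bans the bulk sender, but it bans the partner MTA for exactly the same reason, which is the complaint-generating outcome webmaster describes; raising maxretry or shortening findtime is the only lever the jail offers against that, so tune those rather than the regex if you enable it.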