[BlueOnyx:13984] Re: ban or jail <may be forged> messages

Tom wcstaff at webcoast.com
Mon Nov 4 21:09:32 -05 2013


Greg Kuhnert <gkuhnert at ...> writes:

> 
> DFIX2 has a feature where it looks at multiple forged email messages
> from a single ip address, and blocks them for an hour if detected...
> 
> But as suggested here - there is a risk of false positives. Impact with
> the dfix2 solution: For your average mail sender, it will let the first
> couple of messages like this through - if they keep trying to send - it
> will block for one hour. In my case, it works just fine :)
> 
> Greg.
> 
> On 4 Nov 2013, at 3:20 pm, webmaster <webmaster at ...> wrote:
> 
> > 
> > 
> > I have used procmail to filter on <May be forged>
> > 
> > It caught many many many many spams however...... it also picked off  
> > some legit mail
> > 
> > I had to disable it.  Too many customers were complaining
> > 
> > I would love to implement again because it worked great!
> > 
> 
I wonder which way is better?
I’m using fail2ban right now, with the setup from my previous post, and it 
processed 100s overnight. 
90 plus of them originated from 74.117.209.x and 74.117.210.x IP 
addresses, starting out around 5 for the last number and going all the way 
to 230.
I don’t like all the warning emails fail2ban sends. But I can disable that 
once I am sure I’m not blocking too many innocents. 
I’m not overly concerned because the ban/block lasts about 10 minutes and 
then releases until the next 3 attempts by the offending IP.
I like that temp ban feature, in case it does block a valid IP address.
So far it's doing exactly what I need it to do with no issues so far.  
Thanks
Tom
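
Added example (not part of the original thread, and not fail2ban or DFIX2 code): a replay of constructed sendmail-style log lines through a threshold-then-temporary-ban rule, to compare the 10-minute and one-hour ban lengths mentioned above and to see when a legitimate sender with mismatched DNS gets caught. The parameter names mirror fail2ban's `maxretry`, `findtime` and `bantime`; the 600-second `findtime`, the log layout and all addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Relay field as sendmail logs it when reverse and forward DNS disagree.
FORGED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*relay=\S* ?\[([\d.]+)\] \(may be forged\)")

def simulate(lines, maxretry=3, findtime=600, bantime=600, year=2013):
    """Replay a log recorded without banning.
    Returns (bans, blocked): ban start times per IP, and per-IP count of
    messages that would have been refused while a ban was active."""
    recent = defaultdict(deque)          # ip -> timestamps of recent hits
    banned_until, bans, blocked = {}, defaultdict(list), defaultdict(int)
    for line in lines:
        m = FORGED.match(line)
        if not m:
            continue                     # clean relay, not counted
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            blocked[ip] += 1
            continue
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()               # forget hits outside the window
        if len(hits) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans[ip].append(ts)
            hits.clear()
    return dict(bans), dict(blocked)

def _line(t, ip, forged=True):           # builds one constructed log line
    tag = " (may be forged)" if forged else ""
    return (f"Nov  4 {t} mail sendmail[999]: x: from=<a@example.com>, "
            f"relay=h.example.net [{ip}]{tag}")

# Constructed sample: 203.0.113.5 is a persistent sender, 198.51.100.20 is
# an occasional legitimate sender with broken DNS, 192.0.2.9 is clean.
SAMPLE = [_line(t, ip) for t, ip in [
    ("02:10:01", "203.0.113.5"), ("02:10:05", "203.0.113.5"),
    ("02:10:09", "203.0.113.5"), ("02:11:00", "203.0.113.5"),
    ("02:12:00", "198.51.100.20"), ("02:15:00", "203.0.113.5"),
    ("02:25:00", "203.0.113.5"), ("02:25:10", "203.0.113.5"),
    ("02:25:20", "203.0.113.5"), ("09:30:00", "198.51.100.20"),
]] + [_line("09:31:00", "192.0.2.9", forged=False)]

if __name__ == "__main__":
    for label, kw in [("10 min ban", {}), ("1 hour ban", {"bantime": 3600})]:
        print(label, simulate(SAMPLE, **kw))
```

Replaying a real maillog with a lower `maxretry` or a longer `findtime` shows which occasional senders would start being banned before the rule is tightened on a live server.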