[BlueOnyx:13989] Re: ban or jail <may be forged> messages

wcstaff wcstaff at webcoast.com
Tue Nov 5 14:44:31 -05 2013


Tom <wcstaff at ...> writes:

> 
> Greg Kuhnert <gkuhnert <at> ...> writes:
> 
> > 
> > DFIX2 has a feature where it looks at multiple forged email messages
> > from a single ip address, and blocks them for an hour if detected...
> > 
> > But as suggested here - there is a risk of false positives. Impact with
> > the dfix2 solution: For your average mail sender, it will let the first
> > couple of messages like this through - if they keep trying to send - it
> > will block for one hour. In my case, it works just fine :)
> > 
> > Greg.
> > 
> > On 4 Nov 2013, at 3:20 pm, webmaster <webmaster <at> ...> wrote:
> > 
> > > 
> > > 
> > > I have used procmail to filter on <May be forged>
> > > 
> > > It caught many many many many spams however...... it also picked off  
> > > some legit mail
> > > 
> > > I had to disable it.  Too many customers were complaining
> > > 
> > > I would love to implement again because it worked great!
> > > 
> > 
> I wonder which way is better?
> I’m using fail2ban right now, with the setup from my previous post, and it
> processed 100s overnight.
> 90 plus of them originated from 74.117.209.x and 74.117.210.x IP
> addresses, starting out around 5 for the last number and going all the
> way to 230.
> I don’t like all the warning emails fail2ban sends. But I can disable
> that once I am sure I’m not blocking too many innocents.
> I’m not overly concerned because the ban/block lasts about 10 minutes and 
> then releases until the next 3 attempts by the offending IP.
> I like that temp ban feature, in case it does block a valid IP address.
> So far it's doing exactly what I need it to do with no issues so far.  
> Thanks
> Tom
> 
I wanted to do a follow up on my fail2ban settings. After 72+ hours of 
running the sendmail mods for fail2ban, I find it is working flawlessly. 
After 3 attempts of <may be forged>, as well as other sendmail scenarios, 
it bans the IP address for 6 minutes. Then it releases it. If the same <may 
be forged> sender exceeds the count again, it bans again. The only thing I 
don't like is when fail2ban releases an IP that is getting around the spam 
settings, spam mail gets through on that IP. But the good thing is I can 
look at the log or sort the email that is sent and manually block the 
repeated offenders. 
So far, as I mentioned earlier, 70 plus percent of the <may be forged> spam 
is coming from 74.117.209.x and 74.117.210.x. 
Thanks
Tom
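The ban/release cycle Tom describes (3 "may be forged" hits from one IP, a 6 minute ban, then release until the count is exceeded again) is shown below as a small simulation written for this archive page; it is neither Tom's fail2ban configuration nor fail2ban's own code. It assumes sendmail's actual log marker, which is parenthesised "(may be forged)" after the relay address, a fail2ban-style findtime window of 600 seconds (the post gives no findtime, so this is an assumption), syslog timestamps without a year (2013 is assumed), and constructed log lines that reuse the 74.117.209.x source mentioned in the thread plus documentation-range addresses for the legitimate hosts. The `repeat_offenders()` helper is an addition that lists IPs banned more than once, which is the manual follow-up the post says it does by reading the log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sendmail tags a relay whose reverse DNS does not agree with the forward
# lookup as "relay=name [ip] (may be forged)"; pull the IP out of such lines.
FORGED_RE = re.compile(
    r"relay=\S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] \(may be forged\)"
)
# Classic syslog prefix, e.g. "Nov  5 08:00:05" (no year in the timestamp).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2013):
    """Return (timestamp, ip) for a 'may be forged' line, else None."""
    m_ts = TS_RE.match(line)
    m_ip = FORGED_RE.search(line)
    if not (m_ts and m_ip):
        return None
    ts_text = " ".join(m_ts.group("ts").split())  # collapse the padded day
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m_ip.group("ip")


class Jail:
    """fail2ban-style counter: maxretry hits inside findtime => ban for bantime."""

    def __init__(self, maxretry=3, findtime=600, bantime=360):
        self.maxretry = maxretry                 # 3 attempts, as in the post
        self.findtime = timedelta(seconds=findtime)  # assumed window (fail2ban default)
        self.bantime = timedelta(seconds=bantime)    # 6 minutes, as in the post
        self.hits = defaultdict(deque)           # ip -> recent hit timestamps
        self.banned_until = {}                   # ip -> ban expiry
        self.ban_count = defaultdict(int)        # ip -> how many times banned
        self.events = []                         # (ts, "ban"/"unban", ip)

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                         # ban expired: release the IP
            del self.banned_until[ip]
            self.events.append((now, "unban", ip))
            return False
        return True

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return "ignored"                     # not a 'may be forged' line
        ts, ip = parsed
        if self.is_banned(ip, ts):
            # In production the firewall drops the connection, so sendmail
            # would not log it; seeing this means the ban is not enforced.
            return "seen-while-banned"
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                     # forget hits outside findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            self.ban_count[ip] += 1
            window.clear()                       # counting restarts after release
            self.events.append((ts, "ban", ip))
            return "banned"
        return "counted"

    def repeat_offenders(self, min_bans=2):
        """IPs that cycled through ban/release at least min_bans times."""
        return sorted(ip for ip, n in self.ban_count.items() if n >= min_bans)


# Constructed sample log (not a real capture). Fields after from= are trimmed.
SAMPLE_LOG = """\
Nov  5 08:00:05 mail sendmail[2101]: rA5D05aa: from=<x@example.net>, proto=ESMTP, daemon=MTA, relay=host5.example.net [74.117.209.5] (may be forged)
Nov  5 08:00:20 mail sendmail[2102]: rA5D0Kbb: from=<y@example.net>, proto=ESMTP, daemon=MTA, relay=host5.example.net [74.117.209.5] (may be forged)
Nov  5 08:00:35 mail sendmail[2103]: rA5D0Zcc: from=<z@example.net>, proto=ESMTP, daemon=MTA, relay=host5.example.net [74.117.209.5] (may be forged)
Nov  5 08:01:00 mail sendmail[2104]: rA5D10dd: from=<bob@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10] (may be forged)
Nov  5 08:02:00 mail sendmail[2105]: rA5D20ee: from=<alice@example.com>, proto=ESMTP, daemon=MTA, relay=mx.example.com [198.51.100.7]
Nov  5 08:03:00 mail sendmail[2106]: rA5D30ff: from=<w@example.net>, proto=ESMTP, daemon=MTA, relay=host5.example.net [74.117.209.5] (may be forged)
Nov  5 08:07:00 mail sendmail[2107]: rA5D70gg: from=<v@example.net>, proto=ESMTP, daemon=MTA, relay=host5.example.net [74.117.209.5] (may be forged)
Nov  5 08:07:10 mail sendmail[2108]: rA5D7Ahh: from=<u@example.net>, proto=ESMTP, daemon=MTA, relay=host5.example.net [74.117.209.5] (may be forged)
Nov  5 08:07:20 mail sendmail[2109]: rA5D7Kii: from=<t@example.net>, proto=ESMTP, daemon=MTA, relay=host5.example.net [74.117.209.5] (may be forged)
"""


def run_sample():
    """Feed the sample log through the jail; return (per-line actions, jail)."""
    jail = Jail()
    actions = [jail.feed(line) for line in SAMPLE_LOG.splitlines()]
    return actions, jail


if __name__ == "__main__":
    actions, jail = run_sample()
    for line, action in zip(SAMPLE_LOG.splitlines(), actions):
        print(f"{action:18s} {line[:15]} ... {line[-45:]}")
    print("repeat offenders:", jail.repeat_offenders())
```

Running it shows the pattern from the post: the spam source is banned on its third hit, released six minutes later, and banned again as soon as it exceeds the count, while the single legitimate host with a broken reverse lookup (192.0.2.10) only accumulates one hit and is never touched. The window between release and the next ban is exactly the gap Tom describes where spam from that IP gets through, which is why the repeat-offender list is worth reviewing for a longer manual block.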