What log file are those messages from? Are they from '/var/log/maillog'?

If so, you might look at /var/log/qmail/smtp/current to see if it offers anything you can use. On my system, spamdyke lines in that log include:

    origin_ip: 1.2.3.4

so if these attacks cause text to be written to that file -- and the signature is sufficiently distinctive -- then perhaps fail2ban could leverage that.

Angus

On 2016-07-22 19:17, Gary Gendel via spamdyke-users wrote:
Sam,

Is there a way to get spamdyke to log invalid authorizations in a
manner that fail2ban can use?  My host has been hit continuously with
brute-force attacks.  Unfortunately, the logs only have:

Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon

They seem to have a huge list of account names to try and I've got
thousands of attempts just for today.  Unfortunately, without any IP
address in the message I can't have fail2ban automatically block
these.

Gary


_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
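
Added example, not part of the thread and not spamdyke or fail2ban code: a sketch of the correlation suggested above, joining each authentication failure to an `origin_ip:` line by the spamdyke PID so that a fail2ban filter has an address to match. It assumes one log entry per line and that the `origin_ip:` line carries the same PID and closes the session; the `CONSTRUCTED_SUMMARY` lines, usernames other than `verizon`, and the 192.0.2.10 address are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. Failure entries use the syslog format quoted in the
# thread (unwrapped to one line each); the "origin_ip:" entries are
# hypothetical and assume the same spamdyke PID appears on them.
SAMPLE_LOG = """\
Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] CONSTRUCTED_SUMMARY origin_ip: 192.0.2.10
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): admin
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] CONSTRUCTED_SUMMARY origin_ip: 192.0.2.10
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): info
"""

PID_RE = re.compile(r"spamdyke\[(\d+)\]:")
FAIL_RE = re.compile(r"authentication failure \(.*?\): (\S+)\s*$")
IP_RE = re.compile(r"origin_ip: (\d{1,3}(?:\.\d{1,3}){3})\b")

def correlate(lines):
    """Return ([(ip, user), ...], {pid: [users]} for PIDs that never logged an IP)."""
    pending = defaultdict(list)   # PID -> usernames still waiting for an address
    resolved = []
    for line in lines:
        pid_match = PID_RE.search(line)
        if not pid_match:
            continue
        pid = pid_match.group(1)
        fail = FAIL_RE.search(line)
        if fail:
            pending[pid].append(fail.group(1))
            continue
        ip = IP_RE.search(line)
        if ip:
            # pop() clears the PID so a later connection reusing it starts clean.
            resolved += [(ip.group(1), user) for user in pending.pop(pid, [])]
    return resolved, dict(pending)

def offenders(resolved, max_retry=2):
    """Addresses with at least max_retry failed logins (fail2ban's maxretry idea)."""
    counts = Counter(ip for ip, _ in resolved)
    return sorted(ip for ip, n in counts.items() if n >= max_retry)

if __name__ == "__main__":
    pairs, orphans = correlate(SAMPLE_LOG.splitlines())
    for ip, user in pairs:
        print(f"spamdyke-auth-fail ip={ip} user={user}")  # one line per failure
    print("ban candidates:", offenders(pairs), "unresolved PIDs:", orphans)
```

Failures whose PID never produces an `origin_ip:` line stay in the unresolved map instead of being attributed to a guessed address.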