Thanks Michael,

> On Apr 11, 2018, at 3:13 PM, Michael Stauber <mstau...@blueonyx.it> wrote:
> 
> There are several AM components that monitor the components of the
> AV-SPAM (and Sendmail) and fire them up again if they are failing.
> Between AV-SPAM 6.3.0-1 (that you have) and the current 6.3.2-1 that
> mechanism also saw a few more improvements and it already works much
> better.
> 
> So it might help if you upgrade to the latest version.

I will consider this.

> 
>> Clearing the AV-SPAM database helps for a couple days, at the 
>> expense of losing all the learned rules… Not liking that.
>> 
>> Any suggestions?
> 
> There are a couple of other ways. Here is what I do. I have a cronjob
> which (about once a week) does this:
> 
> whois -h whois.radb.net -i origin -T route \
>   $(whois -h whois.radb.net 103.103.232.23 | grep origin: | cut -d ' ' -f 6 | head -1) \
>   | grep -w "route:" | awk '{print $NF}' | sort -n > /etc/apf/glob_deny.rules
> 
> However: This is run on a 5209R, where "whois" supports the "-T"
> parameter. On EL6 it doesn’t.

Pretty cool.

> Another option: In the AV-SPAM in the "GeoIP"-Tab tick the checkbox
> "Block Blacklist entirely" and if you're adventurous also tick "Block
> Blacklist with APF" and make sure to have "CN" ticked under "Blacklist".

Alas, that is pretty much how my GeoIP looks. The only Asian countries allowed are 
Israel and Cyprus. APF isn’t installed on this box, so that option is not 
available. I’m assuming a China attack, as the IPs in Failed logins are all 
China (from ssh attacks). Maybe I’m looking in the wrong room. Seems 
counter-intuitive to me that these ssh attacks would kill SMTP.

Thanks for the suggestions, and anything else you can think of.

Jeff
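The quoted whois pipeline (look up the origin ASN of one IP in RADB, then pull every route object registered for that ASN and write the prefixes to the APF deny file) is shown below as an added, offline example that is not part of this thread and not BlueOnyx or APF code. The whois responses are constructed sample text using documentation ASN and prefixes (AS64496, 192.0.2.0/24 and friends), the output path is a parameter rather than /etc/apf/glob_deny.rules, and two things the one-liner does not do are added: malformed route values are dropped instead of being written to the firewall, and a helper lets you check whether an address you care about (your own relay, a customer's MX) would be caught before the rules go live, since blocking by origin ASN takes every prefix that AS announces.

```python
"""Parse RADB route objects into APF-style deny rules (offline, added example)."""
import ipaddress
from typing import List, Optional

# Constructed sample of `whois -h whois.radb.net <ip>` output for one address.
SAMPLE_IP_LOOKUP = """\
route:          192.0.2.0/24
descr:          Example Net (constructed sample)
origin:         AS64496
mnt-by:         MAINT-EXAMPLE
source:         RADB
"""

# Constructed sample of `whois -h whois.radb.net -i origin -T route AS64496` output.
# Contains an unsorted order, a malformed route and a route6 object to exercise filtering.
SAMPLE_ORIGIN_LOOKUP = """\
route:          203.0.113.0/24
origin:         AS64496
source:         RADB

route:          192.0.2.0/24
origin:         AS64496
source:         RADB

route:          198.51.100.0/25
origin:         AS64496
source:         RADB

route:          not-a-prefix
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
origin:         AS64496
source:         RADB
"""


def first_origin(whois_text: str) -> Optional[str]:
    """First 'origin:' ASN in an RPSL response (the grep origin: | head -1 step)."""
    for line in whois_text.splitlines():
        if line.startswith("origin:"):
            return line.split(":", 1)[1].strip()
    return None


def route_prefixes(whois_text: str, want_ipv6: bool = False) -> List[str]:
    """All 'route:' (or 'route6:') values, validated as CIDR, de-duplicated and
    sorted by network address so the generated file is stable between runs."""
    key = "route6:" if want_ipv6 else "route:"
    nets = set()
    for line in whois_text.splitlines():
        if not line.startswith(key):
            continue
        value = line.split(":", 1)[1].strip()
        try:
            nets.add(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue  # not a valid prefix: never let it reach the firewall file
    return [str(n) for n in sorted(nets)]


def render_deny_rules(prefixes: List[str]) -> str:
    """APF deny-file body: one CIDR per line."""
    return "".join(f"{p}\n" for p in prefixes)


def deny_set_contains(prefixes: List[str], ip: str) -> bool:
    """True if `ip` falls inside any generated prefix; use it to spot collateral
    damage (your own hosts, partners) before installing the rules."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def build_rules(ip_lookup: str, origin_lookup: str, out_path: Optional[str] = None) -> List[str]:
    """Glue matching the quoted pipeline; writes the file only if out_path is given."""
    origin = first_origin(ip_lookup)
    if origin is None:
        raise ValueError("no origin: line in whois response")
    prefixes = route_prefixes(origin_lookup)
    if out_path:
        with open(out_path, "w", encoding="ascii") as fh:
            fh.write(render_deny_rules(prefixes))
    return prefixes


if __name__ == "__main__":
    rules = build_rules(SAMPLE_IP_LOOKUP, SAMPLE_ORIGIN_LOOKUP)
    print(render_deny_rules(rules), end="")
    print("relay 192.0.2.10 blocked?", deny_set_contains(rules, "192.0.2.10"))
```

In a real cron job the two sample strings would be replaced by the captured output of the two whois calls; the parsing, validation and collateral check stay the same.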



_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
