> I'm assuming you don't want to let the sender know that you detected the
> virus.

yep

> there's no reason to block the sender for subsequent deliveries in your
> firewall either, as the sender will notice that too (depending on the sender
> noticing actually anything you're doing, which is questionable when it's a
> spammer).

When the virus attempt is sent repeatedly, it does chew server resources to be detected. clamav has to run "on it" after all. My goal is to detect the sender IP, and block those repeat-send-receive-scan loads.

> If the REJECT log message does have an ip address in the response, I suggest
> start using that.

That's the current problem. It's a DISCARD, not a REJECT. There's no REJECT message with IP. Just the discard notice without it. Obviously the IP address is, at some point in the transaction, correlated to that message. Need to figure out how to preserve & get at that info.

> I thought f2b >= 0.9 could now do a multi-line match so you could pick up on the NOQUEUE message and the REJECT message but, at a guess, you'd need to match the process ID between the two messages to make sure the messages are connected.

Saw that too. Haven't figured out yet how to make sure it gets ONLY the right, correlated 'other line'. The procID match sounds good - not sure yet if or how you can do that.

> I'm not sure if this really covers your issue, but Wietse once suggested the following:

Adding a header with the IP could be an option. I think I'd have to have Amavis add that header WHEN it detects/discards the virus, get that passed back to the Postfix log, and then have f2b detect it there.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
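The correlation problem discussed in the message above, as an added example that is not part of the original post or of fail2ban: a small pre-processor that remembers which client IP opened each Postfix queue ID and resolves a later discard line that carries no IP. It keys on the queue ID rather than the process ID; the `filter[...] discard:` line format, the sample log and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread). The smtpd "client=" and qmgr
# "removed" lines follow Postfix's format; the discard line is a hypothetical one.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[4101]: connect from unknown[203.0.113.7]
Mar  3 10:00:02 mx postfix/smtpd[4101]: 4F2A91C0B7: client=unknown[203.0.113.7]
Mar  3 10:00:02 mx postfix/smtpd[4102]: 7B11D2C0C9: client=mail.example.org[198.51.100.20]
Mar  3 10:00:04 mx filter[2211]: discard: virus found, queue-id=4F2A91C0B7
Mar  3 10:00:05 mx postfix/qmgr[900]: 7B11D2C0C9: removed
Mar  3 10:05:10 mx postfix/smtpd[4120]: 9C33E4D0AA: client=unknown[203.0.113.7]
Mar  3 10:05:12 mx filter[2211]: discard: virus found, queue-id=9C33E4D0AA
Mar  3 10:06:00 mx filter[2211]: discard: virus found, queue-id=DEADBEEF00
"""

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S*\[([0-9A-Fa-f.:]+)\]")
REMOVED_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): removed")
DISCARD_RE = re.compile(r"discard: virus found, queue-id=([0-9A-Za-z]+)")  # assumed format


def correlate_discards(lines):
    """Return [(queue_id, client_ip)] for discards tied to an earlier client= line."""
    ip_by_queue, hits = {}, []
    for line in lines:
        if m := CLIENT_RE.search(line):
            ip_by_queue[m.group(1)] = m.group(2)
        elif m := DISCARD_RE.search(line):
            ip = ip_by_queue.pop(m.group(1), None)
            if ip is not None:  # unknown queue ID: skip, never guess an IP
                hits.append((m.group(1), ip))
        elif m := REMOVED_RE.search(line):
            ip_by_queue.pop(m.group(1), None)  # message finished, drop state
    return hits


def repeat_senders(hits, threshold):
    """Client IPs with at least `threshold` correlated discards."""
    counts = Counter(ip for _, ip in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for qid, ip in correlate_discards(SAMPLE_LOG.splitlines()):
        # One self-contained line per event, so a single-line failregex
        # using <HOST> can match it without multi-line correlation.
        print(f"virus-discard queue={qid} client=[{ip}]")
```

Writing the printed lines to their own log file lets fail2ban count repeats itself through `maxretry` and `findtime`, with the queue-ID matching done before the filter ever sees the event.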
