Antonino,
What I ended up doing was configuring spamd in blacklist only mode and
using spamd simply to populate the <spamd> table in pf. From there,
instead of sending members of the <spamd> table to the spamd daemon, I
just block them outright. To stop some of the connection attempts that
have not been reported to nixspam (i.e. they're not in the <spamd>
table) I created a small, crude script to parse the maillog file for
login attempts where logins have been specifically disabled on port
25. I just have this script run every 15 minutes on a cronjob. If you
want to try this out, you'll have to do two things:
1. Add the following lines to /etc/mail/spamd.conf
all:\
:nixspam:mylist:
mylist:\
:black:\
:msg="Your address %A has been blocked indefinitely":\
:method=file:\
:file=/var/db/mylist.txt
2. Create the /var/db/mylist.txt file
3. Create the script. I put it in /usr/local/sbin/mylist-update.sh.
Then create a cron job to have the script run.
#!/bin/sh
# Harvest client addresses from the mail log and merge them into the
# blacklist file that spamd.conf reads (method=file). Run from cron.
MAILLOG=/var/log/maillog
DBFILE=/var/db/mylist.txt
TMPFILE=/tmp/mylist-ip.tmp
if [ -r "$MAILLOG" ]; then
    # Field 9 of an smtpd log line is "address=<ip>"; keep only the ip part.
    grep AUTH "$MAILLOG" | cut -d " " -f 9 | cut -d "=" -f 2 >> "$DBFILE"
    grep "HELO *.*" "$MAILLOG" | cut -d " " -f 9 | cut -d "=" -f 2 >> "$DBFILE"
    # Remove duplicates
    sort -u "$DBFILE" > "$TMPFILE"
    cat "$TMPFILE" > "$DBFILE"
fi
It's crude but effective. I've been using it for several weeks without issue.
Matt
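A sturdier version of the log-harvesting step, added here as an example; it is not Matt's script and not anything shipped with OpenSMTPD or spamd. It selects only smtpd lines that record a failed AUTH command, picks the `address=` value by key name instead of by fixed field position (so a longer hostname or a wider pid does not shift the column), and merges the result into the list file through a temp file created beside the target rather than a fixed name under /tmp. The log lines in `write_sample_log` are constructed from the format Antonino quoted; all paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not the script from the thread). Harvest client addresses
# from OpenSMTPD "failed-command" log lines for AUTH and merge them into a
# spamd blacklist file (spamd.conf method=file). Paths are assumptions.

# Print the address= value of every smtpd line recording a rejected AUTH.
# Matching the key name instead of cutting a fixed field keeps this correct
# when hostname length or pid width shifts the columns.
extract_auth_ips() {
    # $1: log file to read
    awk '
        /smtpd\[[0-9]+\]:/ && /event=failed-command/ && /command="AUTH/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^address=/) { sub(/^address=/, "", $i); print $i }
        }' "$1"
}

# Merge harvested addresses into the list file, sorted and duplicate-free.
# The temp file lives next to the target so the final mv is an atomic
# rename on the same filesystem, and no predictable name under /tmp is used.
merge_into_list() {
    # $1: log file, $2: list file
    tmp="$2.tmp.$$"
    { [ -f "$2" ] && cat "$2"; extract_auth_ips "$1"; } | sort -u > "$tmp" &&
        mv "$tmp" "$2"
}

# Constructed sample log in the format quoted in the thread (not real data;
# addresses are from the RFC 5737 documentation ranges).
write_sample_log() {
    # $1: path to write
    cat > "$1" <<'EOF'
Sep 28 18:22:12 obsd-svr3 smtpd[68949]: b6ab24ef369520cc smtp event=failed-command address=192.0.2.10 host=192.0.2.10 command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Sep 28 18:22:13 obsd-svr3 smtpd[68949]: b6ab24ef369520cd smtp event=failed-command address=192.0.2.10 host=192.0.2.10 command="AUTH PLAIN" result="503 5.5.1 Invalid command: Command not supported"
Sep 28 18:22:14 obsd-svr3 smtpd[68949]: b6ab24ef369520ce smtp event=connected address=198.51.100.7 host=mail.example.net
Sep 28 18:22:15 obsd-svr3 smtpd[68949]: b6ab24ef369520cf smtp event=failed-command address=203.0.113.5 host=203.0.113.5 command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
EOF
}

# Demonstration run against the constructed sample; from cron you would call
# merge_into_list /var/log/maillog /var/db/mylist.txt instead.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/maillog"
echo "10.0.0.1" > "$demo_dir/mylist.txt"
merge_into_list "$demo_dir/maillog" "$demo_dir/mylist.txt"
cat "$demo_dir/mylist.txt"
rm -r "$demo_dir"
```

Because the merge always rewrites the whole file through `sort -u`, running it every 15 minutes never grows the list with duplicates, and an address that appears in both AUTH and other failed-command lines is still recorded once. Entries are never expired here; if the list should age out, that is a separate step over the list file.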
On Fri, Sep 28, 2018 at 5:40 AM Antonino Sidoti wrote:
>
> Hi Gilles
> Therefore in my case I can remove the “reject” statement and let the packet
> filter block the IP. I don’t want the offending IP to even reach the mail
> server.
>
> Thanks for the clarification.
>
>
>
> > On 28 Sep 2018, at 7:25 pm, Gilles Chehade wrote:
> >
> >> On Fri, Sep 28, 2018 at 09:14:17AM +0000, Antonino Sidoti wrote:
> >> Hi Peter
> >>
> >
> > Hi,
> >
> >> I am using spamd.
> >>
> >> So the “reject” statement still logs the connection as seen in the log
> >> sample I provided. I was expecting to see a different log entry along the
> >> lines of “source IP rejected”. The log information gives me the
> >> impression that the “reject” is not working.
> >>
> >> Happy to configure a table in “pf.conf” and block the IP that way.
> >> But then what is the point of the “reject” in the smtpd.conf?
> >>
> >
> > The ruleset within smtpd only cares about envelopes.
> >
> > It doesn't accept or reject clients, it accepts or rejects envelopes so they
> > do or do not enter the queue for delivery.
> >
> > Gilles
> >
> >
> >
> >
> >>>> On 28 Sep 2018, at 6:56 pm, Peter N. M. Hansteen wrote:
> >>>>
> >>>> On Fri, Sep 28, 2018 at 08:30:55AM +0000, Antonino Sidoti wrote:
> >>>> table shithole file:/etc/mail/blacklist
> >>>>
> >>>> The file “blacklist” contain the IP addresses that I wish to block,
> >>>> one per line. I also have added a reject statement to my
> >>>> “smtpd.conf” like so;
> >>>>
> >>>> reject from source <shithole> for any
> >>>>
> >>>> What I notice is that it does not block the IP address and it continues
> >>>> to attempt a connection to the mail server. The IP address in question
> >>>> is showing up in “/var/log/maillog” like so;
> >>>>
> >>>> Sep 28 18:22:12 obsd-svr3 smtpd[68949]: b6ab24ef369520cc smtp
> >>>> event=failed-command address=185.xxx.xxx.254 host=185.xxx.xxx.254
> >>>> command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not
> >>>> supported"
> >>>>
> >>>> Any idea why the reject statement does not work?
> >>>
> >>> Well, the mail does get rejected, doesn't it?
> >>>
> >>> it's possible that a simple pf.conf with a table you block from, fed from
> >>> the file you already have would be the solution
> >>> you're looking for. Perhaps supplemented with a spamd(8) setup.
> >>>
> >>> a couple of writeups of mine that you might find useful:
> >>>
> >>> https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html
> >>> https://bsdly.blogspot.com/2013/05/keep-smiling-waste-spammers-time.html
> >>>
> >>> It's also possible that the enumerated badness from
> >>> https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html could
> >>> usefully supplement your data sources.
> >>>
> >>> All the best,
> >>> Peter
> >>>
> >>> --
> >>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> >>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> >>> "Remember to set the evil bit on all malicious network traffic"
> >>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> >>>
> >>> --
> >>> You received this mail because you are subscribed to [email protected]
> >>> To unsubscribe, send a mail to: [email protected]
> >>>
> >
> > --
> > Gilles Chehade
> >
> > https://www.poolp.org @poolpOrg
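As an added example, not configuration posted by anyone in this thread, here is a minimal pf.conf fragment for the approach Peter and Matt describe. The blacklist file Antonino already maintains is loaded into a pf table, the <spamd> table is filled by spamd-setup(8) from the lists named in spamd.conf, and connections from either table are dropped before they reach smtpd, which is why nothing for them appears in maillog (smtpd's own reject only refuses envelopes on a connection that has already been accepted). The interface group `egress` and the file path are assumptions.

```pf
# Addresses maintained by hand, one per line (the file from Antonino's setup)
table <shithole> persist file "/etc/mail/blacklist"
# Filled by spamd-setup(8) from the lists configured in /etc/mail/spamd.conf
table <spamd> persist

# Drop the TCP connection outright instead of redirecting it to spamd(8):
# smtpd never sees the client, so no AUTH attempt is logged for it.
block in quick on egress proto tcp from { <shithole>, <spamd> } to any port smtp

# Everyone else may reach the mail server
pass in on egress proto tcp to any port smtp
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and inspect what is currently blocked with `pfctl -t shithole -T show` or `pfctl -t spamd -T show`. After editing the blacklist file, `pfctl -t shithole -T replace -f /etc/mail/blacklist` reloads the table without reloading the whole ruleset. A block rule gives no feedback to the client, which is the intended effect here; the trade-off is that a mistaken entry silently cuts off a legitimate sender, so the list file deserves the same review as any other firewall change.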