Hi all, I am getting a lot of DDoS on SMTP connections. Logs:

@400000004dc390330ffb50f4 CHKUSER accepted sender: from <[email protected]::> remote <demagnify:unknown:173.212.197.14> rcpt <> : sender accepted
@400000004dc390340c9e201c CHKUSER rejected rcpt: from <[email protected]::> remote <demagnify:unknown:173.212.197.14> rcpt <[email protected]> : invalid rcpt MX domain
..
@400000004dc3905511aba4bc CHKUSER accepted sender: from <[email protected]::> remote <byte:unknown:173.212.197.14> rcpt <> : sender accepted
@400000004dc390562cb394a4 CHKUSER rejected relaying: from <[email protected]::> remote <byte:unknown:173.212.197.14> rcpt < [email protected]> : client not allowed to relay

I need to block this using fail2ban, but the regex is quite complex. I have tried this:

"<HOST>\> rcpt \S+ : client not allowed to relay$"

But it doesn't seem to be working as expected:

fail2ban-regex /var/log/qmail/smtp/current "<HOST>\> rcpt \S+ : client not allowed to relay"
...
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
1184 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Any help would be very appreciated.

Thanks!
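Added example, not part of the original post: a small Python harness for running a candidate failregex over lines in this CHKUSER format before it goes into a filter. `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, `TOLERANT` is a hypothetical alternative pattern, and the log lines are constructed (documentation addresses, rcpt written once without and once with the space that appears in the pasted relaying line).

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Pattern tried in the post.
POSTED = r"<HOST>\> rcpt \S+ : client not allowed to relay$"

# Hypothetical variant: anchored on the CHKUSER fields, and accepting any
# content (including whitespace) between the angle brackets.
TOLERANT = (r"CHKUSER rejected relaying: from <[^>]*> "
            r"remote <[^>]*:<HOST>> rcpt <[^>]*> : client not allowed to relay\s*$")

# Constructed sample lines modelled on the log format shown in the post.
SAMPLE = [
    "@400000004dc390562cb394a4 CHKUSER rejected relaying: from <a@example.com::> "
    "remote <byte:unknown:192.0.2.14> rcpt <b@example.net> : client not allowed to relay",
    "@400000004dc390562cb394a5 CHKUSER rejected relaying: from <a@example.com::> "
    "remote <byte:unknown:192.0.2.15> rcpt < b@example.net> : client not allowed to relay",
    "@400000004dc3905511aba4bc CHKUSER accepted sender: from <a@example.com::> "
    "remote <byte:unknown:192.0.2.16> rcpt <> : sender accepted",
    "@400000004dc390340c9e201c CHKUSER rejected rcpt: from <a@example.com::> "
    "remote <byte:unknown:192.0.2.17> rcpt <c@example.org> : invalid rcpt MX domain",
]


def compile_failregex(failregex):
    """Substitute the <HOST> tag with the stand-in pattern and compile."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for line in lines if (m := rx.search(line))]


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("tolerant", TOLERANT)):
        print(name, matched_hosts(pattern, SAMPLE))
```

Accepted-sender and invalid-MX lines are left unmatched by both patterns, so only relay rejections count toward a ban.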
