Tony,

Why not use the Fail2ban construct?  It's all ready to go and uses regular expressions to ban.

CJ

On 2/22/14 10:07 PM, Tony White wrote:
Okay,
  I have finished the create and delete scripts.
Essentially the perl script monitors the current
file in the smtp directory.
  It scans the file for both "DENIED_RDNS_RESOLVE"
and "DENIED_RDNS_MISSING" constructing two files
one that creates iptables rules and the other is a file
that deletes the same rules.
  As I am using the current file can someone tell me
how often their current file is reset please? My timing
is almost 9 hours under normal circumstances.
  Using the script is done via the crontab and I will be
using 5 minute intervals. This will guarantee a rolling set
of ip addresses that have no dns entries.

  I welcome suggestions/comments from other users.
After final testing I will release the script to all QMT
users.


best wishes
  Tony White
 On 23/02/2014 05:06, cj yother wrote:
Yes, you can do this and it will reduce the load on the server.  When you're hit with a spam message that has no RDNS and they are sending hundreds or thousands to your server it will stop them after x attempts and ban them for x hours/days.  This will reduce the load on Spamdyke and in turn your server.  Like you say it might not be a lot, but it sure feels good!


On 02/22/2014 09:18 AM, Eric Shubert wrote:
On 02/22/2014 01:50 AM, Tony White wrote:
Hi folks,
   Is this a viable option please?

90% of the SPAM I am getting lately always returns
DENIED_RDNS_MISSING
or
DENIED_RDNS_RESOLVE

   In all cases the email From User is the same as the Recipient
but with prefix or postfix characters.
   Can we perhaps use this to build a script to test denied messages
and maybe the username similarity then put the ip address in the
iptables as a "drop"?


Given that this would not improve the effectiveness at all, but would only (ever so slightly) reduce the load on the server, do you think it'd be worth the effort? Is your host suffering from a heavy load?

Also, I'd be a little concerned that these spam attempts would then be more difficult to measure. They could be logged before being dropped, but then whatever mechanism that gathers spam stats would have one more thing to count.

It's not a terrible idea though. I wonder if fail2ban could be configured to count DENIED_RDNS messages for each IP address, and if there were more than a certain number of failed attempts in a given time period, then block the IP address.

I'd like to hear from anyone with more familiarity with F2B than myself about this possibility. This might be an additional F2B configuration we could include.


--



--

Reply via email to