Re: [spamdyke-users] Fail2ban integration

2016-07-22 Thread Angus McIntyre via spamdyke-users

What log file are those messages from? Are they from '/var/log/maillog'?

If so, you might look at /var/log/qmail/smtp/current to see if it offers 
anything you can use. On my system, spamdyke lines in that log include:


origin_ip: 1.2.3.4

so if these attacks cause text to be written to that file -- and the 
signature is sufficiently distinctive -- then perhaps fail2ban could 
leverage that.


Angus

On 2016-07-22 19:17, Gary Gendel via spamdyke-users wrote:

Sam,

Is there a way to get spamdyke to log invalid authorizations in a
manner that fail2ban can use?  My host has been hit continuously with
brute-force attacks.  Unfortunately, the logs only have:

Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info]
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info]
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info]
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure
(bad username/password, vchkpw uses this to indicate SMTP access is
not allowed): verizon

They seem to have a huge list of account names to try and I've got
thousands of attempts just for today.  Unfortunately, without any IP
address in the message I can't have fail2ban automatically block
these.

Gary


___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

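
One way to act on Angus's suggestion, as an added example that is not part of the thread: the maillog lines carry a PID but no address, while the qmail smtp log carries origin_ip, so the two can be joined on the spamdyke PID and the per-IP failure counts handed to a fail2ban-style threshold. The maillog lines below are taken from Gary's post; the /var/log/qmail/smtp/current lines are constructed, and their exact layout (multilog timestamp, PID and origin_ip on one line) is an assumption, since the thread only confirms the "origin_ip: 1.2.3.4" fragment.

```python
import re
from collections import Counter

# Auth-failure lines from the thread's /var/log/maillog excerpt: a PID, no IP.
MAILLOG = """\
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
"""

# Constructed /var/log/qmail/smtp/current lines (assumed layout: multilog
# timestamp, spamdyke's line with the same PID, then an origin_ip field).
# PID 26891 deliberately has no entry, to show the unmatched case.
QMAIL_SMTP = """\
@4000000057929c0e1a2b3c4d spamdyke[26727]: FILTER_AUTH_REQUIRED origin_ip: 203.0.113.7
@4000000057929caf1a2b3c4d spamdyke[26736]: FILTER_AUTH_REQUIRED origin_ip: 203.0.113.7
@4000000057929d5a1a2b3c4d spamdyke[26743]: FILTER_AUTH_REQUIRED origin_ip: 203.0.113.7
@4000000057929df21a2b3c4d spamdyke[26876]: FILTER_AUTH_REQUIRED origin_ip: 198.51.100.25
"""

AUTH_FAIL = re.compile(r"spamdyke\[(\d+)\]: .*authentication failure")
ORIGIN_IP = re.compile(r"spamdyke\[(\d+)\]: .*origin_ip:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def pid_to_ip(qmail_log):
    """Map spamdyke PID -> origin_ip from the qmail smtp log."""
    return {m.group(1): m.group(2)
            for m in map(ORIGIN_IP.search, qmail_log.splitlines()) if m}

def failures_by_ip(maillog, qmail_log):
    """Join maillog auth failures to origin IPs on PID; return (Counter, unresolved)."""
    ips = pid_to_ip(qmail_log)
    counts, unresolved = Counter(), 0
    for line in maillog.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        ip = ips.get(m.group(1))
        if ip is None:
            unresolved += 1   # no origin_ip for this PID: cannot attribute, so never ban
        else:
            counts[ip] += 1
    return counts, unresolved

def ban_candidates(counts, maxretry=3):
    """IPs at or above a fail2ban-style maxretry threshold."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)
```

PIDs are reused over time and one spamdyke process may see several AUTH attempts, so a production correlator should restrict the join to a time window and feed only attributed failures to the ban action.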


[spamdyke-users] Fail2ban integration

2016-07-22 Thread Gary Gendel via spamdyke-users

Sam,

Is there a way to get spamdyke to log invalid authorizations in a manner 
that fail2ban can use?  My host has been hit continuously with 
brute-force attacks.  Unfortunately, the logs only have:


Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon


They seem to have a huge list of account names to try and I've got 
thousands of attempts just for today.  Unfortunately, without any IP 
address in the message I can't have fail2ban automatically block these.


Gary


___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


Re: [spamdyke-users] can't block envelope sender

2016-07-22 Thread Faris Raouf via spamdyke-users
Hi Sam,

I just had a chance to have a go with the tests, and just as you expected it
was down to the rDNS of the sender being whitelisted.

I don't know how many times I'd checked, and missed seeing it :)

Unfortunately I can't remember why I whitelisted it :( It belongs to an ESP.
If they are sending stuff that can't pass SD's filters, it doesn't belong in
anybody's mailbox. But obviously I needed to whitelist it for some reason at
some point. I will have to have a think about this.

But this situation inspires me to ask you to consider adding something to
the wishlist:

When a message is allowed to pass as a result of being whitelisted, could
there be an option to change the logging so that instead of just ALLOWED it
shows ALLOWED_WL_[type] or maybe WHITELIST_[type] or something along those
lines?

If you can log in to ms2 at the command line, you could also try running
spamdyke by hand so you can see more verbose output without flooding your
logs.

 

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users