Hi, I am noticing an increasing number of botnet spam attempts on my mail servers (all of which have cluebringer installed, configured and in use). Now while some of them go away for a while after getting the greylisting notice, some don't, or others in the botnet pick up the "slack".
I am also using fail2ban to protect other parts of my server infrastructure, and I was wondering if anyone had come up with a fail2ban config to protect against these types of botnet attacks. Typical of what I am seeing is:

Jan 7 15:10:25 localhost postfix/smtpd[24890]: connect from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]
Jan 7 15:10:26 localhost cbpolicyd[28843]: module=CheckSPF, action=none, host=189.215.53.115, helo=[189.215.53.115], [email protected], [email protected], reason=no_spf_record
Jan 7 15:10:26 localhost cbpolicyd[28843]: module=Greylisting, action=defer, host=189.215.53.115, helo=[189.215.53.115], [email protected], [email protected], reason=greylisted
Jan 7 15:10:26 localhost postfix/smtpd[24890]: NOQUEUE: reject: RCPT from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]: 451 4.7.1 <[email protected]>: Recipient address rejected: Greylisting in effect, please come back later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[189.215.53.115]>
Jan 7 15:10:28 localhost postfix/smtpd[24890]: lost connection after DATA from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]
Jan 7 15:10:28 localhost postfix/smtpd[24890]: disconnect from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]
Jan 7 15:10:54 localhost postfix/smtpd[19925]: connect from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]
Jan 7 15:10:55 localhost cbpolicyd[28741]: module=CheckSPF, action=none, host=189.215.53.115, helo=[189.215.53.115], [email protected], [email protected], reason=no_spf_record
Jan 7 15:10:55 localhost cbpolicyd[28741]: module=Greylisting, action=defer, host=189.215.53.115, helo=[189.215.53.115], [email protected], [email protected], reason=greylisted
Jan 7 15:10:55 localhost postfix/smtpd[19925]: NOQUEUE: reject: RCPT from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]: 451 4.7.1 <[email protected]>: Recipient address rejected: Greylisting in effect, please come back later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[189.215.53.115]>
Jan 7 15:10:56 localhost postfix/smtpd[19925]: lost connection after DATA from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]
Jan 7 15:10:56 localhost postfix/smtpd[19925]: disconnect from 189.215.53.115.cable.dyn.cableonline.com.mx[189.215.53.115]

As you can see that is over a 60 second period. Although that extract all has the same target address, the prefix to the domain changes, so blacklisting by deliver-to address is not possible. They are also keeping the connection rates within sane limits you would see from legitimate incoming mail, so that avenue of defence is not an option either. I think the best hope is for a fail2ban recipe that can detect and stop these kinds of attacks. As yet I have not found any from the fail2ban community (most of those recipes defend against this type of attack without greylisting or policyd/cluebringer in the middle - i.e. they rely on 550 undeliverable messages, which I am not producing because of the greylisting, SPF, DKIM and other checks from cluebringer). Any thoughts or solutions are greatly appreciated.

-- 
Nikolai Lusan <[email protected]>
_______________________________________________ Users mailing list [email protected] http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
