----- Original Message -----
From: "Marko Weber" <we...@zackbummfertig.de>
To: "Olivier Pavilla" <olivier.pavi...@linux-squad.com>
Cc: "Postfix Users" <postfix-users@postfix.org>
Sent: Monday, April 23, 2012 11:45 AM
Subject: Re: [SPAM] Someone is harassing my smtp.
On 23.04.2012 06:50, Olivier Pavilla wrote:
Hi everyone.
For several months my SMTP has been harassed by someone located in Taiwan.
These people are using any Taiwanese IP.
My logs are full of something like this:
Apr 23 06:35:31 corellia postfix/smtpd[26906]: NOQUEUE: reject: RCPT from unknown[113.116.186.27]: 554 5.7.1 <wa...@163.com>: Recipient address rejected: Relay access denied; from=<p...@dumpsize.com> to=<wa...@163.com> proto=ESMTP helo=<zyh-4b482e797ce>
Apr 23 06:35:31 corellia postfix/smtpd[26906]: warning: restriction `reject_unauth_destination' after `check_relay_domains' is ignored
hello,
inetnum: 113.112.0.0 - 113.119.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
is what I get on whois. So it's China, not Taiwan?
At least blocking all Taiwanese IPs. Does anyone have an idea how to counter-strike
these people?
Yes, maybe.
Stevan Bajic showed me an effective way to do this with fail2ban.
You can use "fail2ban" on Postfix; it's just some modification:
In /etc/fail2ban/jail.conf do this:
[postfix-attack]
enabled  = true
filter   = yourdomain-postfix-attack
action   = iptables-multiport[name=Postfix-Attacks, port="smtp,ssmtp", protocol=tcp]
# the file your syslog writes the postfix/smtpd lines to
logpath  = /var/log/messages
# never ban localhost or your own address (xx.xxx.xxx.xxx is a placeholder)
ignoreip = 127.0.0.1 xx.xxx.xxx.xxx/32
# seconds the client stays banned once it has hit maxretry matches
bantime  = 240
maxretry = 3
In /etc/fail2ban/filter.d/yourdomain-postfix-attack.conf do this:
# Fail2Ban configuration file
#
# Author: Stevan Bajic <ste...@bajic.ch>
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match various bad conditions for Postfix in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# The patterns match, in order: the smtpd connection rate limit being
# exceeded; RCPT/HELO/EHLO/MAIL rejects with a 55x, 450 (no reverse
# hostname), 451 or 421 code; a client that drops the connection right
# after a command; a client whose hostname does not verify ("hostname
# <name> verification failed"); an empty DATA phase; and too many errors
# after RCPT. Continuation lines of a multi-line failregex must be indented.
failregex = postfix/smtpd\[\d+\]:\s+warning:\s+Connection\s+rate\s+limit\s+exceeded:\s+[^\[]+\[<HOST>\]\s+for\s+service\s+smtp$
            postfix/smtpd\[\d+\]:\s+(NOQUEUE:\s+)?reject:\s+(RCPT|HELO|EHLO|MAIL)\s+from\s+[^\[]+\[<HOST>\]:\s+(55[034]\s+|450\s+.*Client\s+host\s+rejected:\s+cannot\s+find\s+your\s+reverse\s+hostname|451\s+(4\.3\.5\s+)?Server\s+configuration\s+error\;\s+from=<.*>\s+to=<.*>\s+proto=.*\s+e?helo=<.*>\s*$|(55[04]|421)\s+[^:]+:\s+Recipient\s+address\s+rejected:\s+)
            postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+\w+\s+from\s+[^\[]+\[<HOST>\]$
            postfix/smtpd\[\d+\]:\s+warning:\s+<HOST>:\s+hostname\s+[^\s]+\s+verification\s+failed:\s+No\s+address\s+associated\s+with\s+hostname$
            postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+DATA\s+\(0\s+bytes\)\s+from\s+[^\[]*\[<HOST>\]$
            postfix/smtpd\[\d+\]:\s+too\s+many\s+errors\s+after\s+RCPT\s+from\s+[^\[]*\[<HOST>\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
You may have to modify the logpath in the above jail.conf ("logpath").
Further, you can use "sqlgrey" or any other greylisting, I think.
Maybe have a look at "sqlgrey".
You can also use postscreen at the beginning of the chain. Postscreen is very
well documented on postfix.org and here in the list.
Hope this helps you out a bit.
greetz from Hamburg
marko
--
Olivier Pavilla
http://www.linux-squad.com
"The spelling mistakes in my remarks are licensed under Ane bâté 1.0"
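Before enabling the jail it is worth checking that the filter fires on the kind of reject line shown in the original post and stays quiet on the harmless "restriction ... is ignored" warning. The Python below is an added example for this thread, not fail2ban's code and not from any of the posters: it expands <HOST> as the filter's own comment describes, runs two of the posted failregex lines over constructed log lines modelled on the one above, and applies the jail's maxretry and ignoreip. The IPs are TEST-NET placeholders and the mail addresses are made up.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this group (as the filter's own comment states).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Two failregex lines from the posted filter: the RCPT/HELO/EHLO/MAIL reject (only its
# 55x and "Recipient address rejected" alternatives kept here) and "too many errors".
FAILREGEX = [
    r"postfix/smtpd\[\d+\]:\s+(NOQUEUE:\s+)?reject:\s+(RCPT|HELO|EHLO|MAIL)\s+from\s+[^\[]+\[<HOST>\]:\s+"
    r"(55[034]\s+|(55[04]|421)\s+[^:]+:\s+Recipient\s+address\s+rejected:\s+)",
    r"postfix/smtpd\[\d+\]:\s+too\s+many\s+errors\s+after\s+RCPT\s+from\s+[^\[]*\[<HOST>\]$",
]

def compile_filter(patterns):
    """Substitute <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]

def offending_hosts(log_lines, patterns=FAILREGEX, maxretry=3, ignoreip=("127.0.0.1",)):
    """Hosts with at least maxretry failregex hits, minus ignoreip (both are jail.conf settings)."""
    compiled = compile_filter(patterns)
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # fail2ban counts one failure per log line
    return {h for h, n in hits.items() if n >= maxretry and h not in ignoreip}

def reject_line(ip):
    """Constructed log line modelled on the reject in the original post; addresses are placeholders."""
    return (f"Apr 23 06:35:31 corellia postfix/smtpd[26906]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            "554 5.7.1 <user@example.net>: Recipient address rejected: Relay access denied; "
            "from=<sender@example.org> to=<user@example.net> proto=ESMTP helo=<zyh-4b482e797ce>")
# Constructed sample: three hits from a TEST-NET address, one from another, three from localhost,
# plus the "restriction ... is ignored" warning from the post, which must match nothing.
SAMPLE_LOG = [
    reject_line("203.0.113.7"),
    reject_line("203.0.113.7"),
    "Apr 23 06:35:32 corellia postfix/smtpd[26906]: too many errors after RCPT from unknown[203.0.113.7]",
    "Apr 23 06:35:31 corellia postfix/smtpd[26906]: warning: restriction "
    "`reject_unauth_destination' after `check_relay_domains' is ignored",
    reject_line("198.51.100.9"),
    reject_line("127.0.0.1"), reject_line("127.0.0.1"), reject_line("127.0.0.1"),
]

if __name__ == "__main__":
    print(sorted(offending_hosts(SAMPLE_LOG)))  # ['203.0.113.7']
```

Against the real log file, fail2ban's own fail2ban-regex tool does the same check: fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/yourdomain-postfix-attack.conf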
Tell me about it; you're not alone in being swamped by these fools. Once upon a
time I banned IP ranges from China, Taiwan, Romania, Czech Republic and Brazil. It will
decrease the abuse by about 50%, but it's not anything I would recommend though.
A more prudent way to get rid of some of this at an early stage is to turn
on reject_unknown_client, which is what I've done for a while, and it is really
effective. A word of caution: it can cause problems for your clients.
Andreas