On Wed, 6 Mar 2019 at 03:51, Mayhem <mayhe...@gmail.com> wrote:
>
> LuKreme wrote
> > On 05 Mar 2019, at 10:00, Dominic Raferd <dominic@.co> wrote:
> >> Fail2ban is (as you know) a way to tackle it.
> > At 1000 connections a day I don’t think fail2ban or sshguard or whatever
> > is going to save you anything at all.
>
> Oh, I was getting a lot more than 1000 per day - just one IP address was
> doing 1,000 requests every 8 hours.
>
> As a test only, I set up fail2ban at 3PM so that any IP that is on a DNSBL
> and attempts to connect twice in a 15 min period gets a 12 hour timeout. By
> 5PM, only 9 IP addresses made it on the ban list.
>
> Having those 9 IP addresses banned, I've only had 6 connections total from
> spambots in the last 2 hours. It's an unbelievable difference. I had to send
> myself test mail just to be sure the mail server was still working.
>
> So it's only a handful of IPs causing all the "issues".

Have you considered using abuseipdb? It provides mechanisms (including via fail2ban) for uploading bad IPs as well as for downloading, so you might be helping the rest of us too. I download their list 3x per day and apply it to incoming mail before any DNSBL lookups. It doesn't pick up much, but every little helps.
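
The ban policy quoted above (two DNSBL-listed connections within 15 minutes earns a 12 hour ban), replayed over mail log lines as an added example; this is not the poster's fail2ban configuration. The log line shape, the host name `mx`, the list name `dnsbl.example.org` and all function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 2                       # "attempts to connect twice"
FINDTIME = timedelta(minutes=15)   # "in a 15 min period"
BANTIME = timedelta(hours=12)      # "12 hour timeout"

# Assumed log shape: ISO timestamp, host, then a Postfix smtpd DNSBL reject.
DNSBL_REJECT = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S*\[(?P<ip>[0-9a-fA-F.:]+)\]: .* blocked using \S+")

def plan_bans(lines):
    """Return [(ip, ban_start, ban_end)] in the order the bans trigger."""
    hits = defaultdict(deque)      # ip -> DNSBL reject times inside FINDTIME
    banned_until = {}
    bans = []
    for line in lines:
        m = DNSBL_REJECT.match(line)
        if not m:
            continue               # connects, deliveries, other rejects
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ts < banned_until.get(ip, datetime.min):
            continue               # already firewalled; would never be logged
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()       # forget hits older than the window
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans

def sample_reject(ts, ip):         # builds one constructed sample line
    return (f"{ts} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 554 5.7.1 Service unavailable; Client host "
            f"[{ip}] blocked using dnsbl.example.org; proto=ESMTP")

SAMPLE_LOG = [                     # constructed, documentation addresses
    "2019-03-05T15:01:00 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]",
    sample_reject("2019-03-05T15:02:10", "203.0.113.5"),
    sample_reject("2019-03-05T15:09:40", "203.0.113.5"),   # 2nd hit: ban
    sample_reject("2019-03-05T15:10:00", "198.51.100.7"),
    sample_reject("2019-03-05T15:12:00", "203.0.113.5"),   # inside ban
    sample_reject("2019-03-05T15:30:00", "198.51.100.7"),  # 20 min apart
]

if __name__ == "__main__":
    for ip, start, end in plan_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

Replaying a day of real logs through `plan_bans` with different `FINDTIME` and `BANTIME` values shows how many addresses a given threshold would catch before it is applied to the live firewall.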