Dominic Raferd wrote
> Have you considered using abuseipdb? It provides mechanisms (including
> via fail2ban) for uploading bad ips as well as for downloading, so you
> might be helping the rest of us too. I download their list 3x per day
> and apply it to incoming mail before any DNSBL lookups. It
LuKreme wrote
> On 05 Mar 2019, at 10:00, Dominic Raferd <
> dominic@.co
> > wrote:
>> Fail2ban is (as you know) a way to tackle it.
> At 1000 connections a day I don’t think fail2ban or sshguard or whatever
> is going to save you anything at all.
Oh, I was getting a lot more than 1000 per day -
Dominic Raferd wrote
> Do you have reason to think your system
> is suffering heavy load as a result, or are you concerned that some of
> the DNSBLs might block you for reaching commercial-use levels of
> lookups?
No, but the problem seems to be getting worse this past year, and I was
looking for
The reason why I even suggested this is that I don't see a lot different IP
addresses. I figured the Postfix system wouldn't need to cache that many
"bad" IP addresses. You guys obviously see differently.
My mail logs rotate at 12AM every night, this is just one IP address in 8.5
hours :
$ more /
The spam bots are not that short-lived though. I see the same IP's for weeks
on end.
It's unfortunate that there are no internal options available to handle this
issue, so I will rely on fail2ban to blacklist the offenders that fail the
DNSBL checks.
Thank you for your time.
Wietse Venema wrote
I was under the impression that Postscreen kept a cache of the IP addresses
that failed Pregreet / DNSBL tests.Then it would use those cached results to
drop clients immediately based on that previously cached results / expire
time.
What is throwing me off is this :
postscreen_dnsbl_max_ttl :
Th
Could someone update the manual for clarification then?
The manual suggests the connection will close immediately - and that's it.
As is stands now, it makes no mention that it will "Allow other tests to
complete" first.
ignore : Ignore the failure of this test. Allow other tests to complete.
en
No, the manual states "Drop the connection immediately with a 521 SMTP reply"
and that's not happening.
The 521 drop comes *after* the pregreet and DNSBL checks.
Mar 3 09:59:54 localhost postfix/dnsblog[84376]: addr 85.54.217.239 listed
by domain zen.spamhaus.org as 127.0.0.11
Mar 3 09:59:54 lo
The 521 SMTP reply only happens after checking the block lists. It's not
being dropped immediately like the manually says it should be.
-
Mar 3 09:59:54 localhost postfix/postscreen[84375]: CONNECT from
[85.54.217.239]:5089 to [xx.xx.xx.xx]:25
Mar 3 09:59:54 localhost postfix/postscreen[843
It doesn't appear that postscreen_dnsbl_action is working correctly when set
to "drop".
The manual states "Drop the connection immediately with a 521 SMTP reply" -
but that's not happening. It's still checking the block lists.
Mar 3 08:03:50 localhost postfix/postscreen[80179]: CONNECT from
[185
10 matches
Mail list logo
