
Fw: [SPAM] Someone is harassing my smtp.

  • Andreas.B
    Message 1 of 1 , Apr 24, 2012
      ----- Original Message -----
      From: "Marko Weber" <weber@...>
      To: "Olivier Pavilla" <olivier.pavilla@...>
      Cc: "Postfix Users" <postfix-users@...>
      Sent: Monday, April 23, 2012 11:45 AM
      Subject: Re: [SPAM] Someone is harassing my smtp.


      >
      >
      > Am 23.04.2012 06:50, schrieb Olivier Pavilla:
      >> Hi everyone.
      >>
      >> For several months my smtp has been harassed by someone located in Taiwan.
      >> These people are using any Taiwanese IP.
      >> My logs are full of something like this:
      >>
      >> Apr 23 06:35:31 corellia postfix/smtpd[26906]: NOQUEUE: reject: RCPT
      >> from unknown[113.116.186.27]: 554 5.7.1 <wabj1@...>: Recipient
      >> address rejected: Relay access denied; from=<ptye@...>
      >> to=<wabj1@...> proto=ESMTP helo=<zyh-4b482e797ce>
      >> Apr 23 06:35:31 corellia postfix/smtpd[26906]: warning: restriction
      >> `reject_unauth_destination' after `check_relay_domains' is ignored
      >
      > hello,
      >
      >
      > inetnum: 113.112.0.0 - 113.119.255.255
      > netname: CHINANET-GD
      > descr: CHINANET Guangdong province network
      > descr: Data Communication Division
      > descr: China Telecom
      > country: CN
      >
      > I get on whois. So it's China, not Taiwan?
      >
      >>
      >> At least blocking all Taiwanese IPs. Does anyone have an idea to counter-strike
      >> these people?
      >
      > yes maybe,
      >
      > Stevan Bajic showed me an effective way to do this with fail2ban.
      > You can use "fail2ban" on Postfix; it's just some modification:
      >
      > In /etc/fail2ban/jail.conf do this:
      >
      > [postfix-attack]
      > enabled = true
      > filter = yourdomain-postfix-attack
      > action = iptables-multiport[name=Postfix-Attacks, port="smtp,ssmtp", protocol=tcp]
      > logpath = /var/log/messages
      > ignoreip = 127.0.0.1 xx.xxx.xxx.xxx/32
      > bantime = 240
      > maxretry = 3
      >
      >
      >
      > In /etc/fail2ban/filter.d/yourdomain-postfix-attack.conf do this:
      >
      > # Fail2Ban configuration file
      > #
      > # Author: Stevan Bajic <stevan@...>
      > #
      > # $Revision: 1 $
      > #
      >
      > [Definition]
      >
      > # Option: failregex
      > # Notes.: regex to match various bad conditions for Postfix in the logfile. The
      > # host must be matched by a group named "host". The tag "<HOST>" can
      > # be used for standard IP/hostname matching and is only an alias for
      > # (?:::f{4,6}:)?(?P<host>\S+)
      > # Values: TEXT
      > #
      > failregex =
      > postfix/smtpd\[\d+\]:\s+warning:\s+Connection\s+rate\s+limit\s+exceeded:\s+[^\[]+\[<HOST>\]\s+for\s+service\s+smtp$
      >
      > postfix/smtpd\[\d+\]:\s+(NOQUEUE:\s+)?reject:\s+(RCPT|HELO|EHLO|MAIL)\s+from\s+[^\[]+\[<HOST>\]:\s+(55[034]\s+|450\s+.*Client\s+host\s+rejected:\s+cannot\s+find\s+your\s+reverse\s+hostname|451\s+(4\.3\.5\s+)?Server\s+configuration\s+error\;\s+from=<.*>\s+to=<.*>\s+proto=.*\s+e?helo=<.*>\s*$|(55[04]|421)\s+[^:]+:\s+Recipient\s+address\s+rejected:\s+)
      >
      > postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+\w+\s+from\s+[^\[]+\[<HOST>\]$
      >
      > postfix/smtpd\[\d+\]:\s+warning:\s+<HOST>:\s+hostname[^\s]+\s+verification\s+failed:\s+No\s+address\s+associated\s+with\s+hostname$
      >
      > postfix/smtpd\[\d+\]:\s+lost\s+connection\s+after\s+DATA\s+\(0\s+bytes\)\s+from\s+[^\[]*\[<HOST>\]$
      >
      > postfix/smtpd\[\d+\]:\s+too\s+many\s+errors\s+after\s+RCPT\s+from\s+[^\[]*\[<HOST>\]$
      >
      > # Option: ignoreregex
      > # Notes.: regex to ignore. If this regex matches, the line is ignored.
      > # Values: TEXT
      > #
      > ignoreregex =
      >
      >
      >
      > You may have to modify the logpath in the above jail.conf (the "logpath" setting).
      >
      >
      > Further, you can use "sqlgrey" or any other greylisting, I think.
      > Maybe have a look at "sqlgrey".
      >
      >
      > You can also use POSTSCREEN at the beginning of the chain. Postscreen is very
      > well documented on postfix.org and here in the list.
      >
      > hope this helps you out a bit.
      >
      >
      > greetz from hamburg
      >
      > marko
      >
      >>
      >> --
      >> Olivier Pavilla
      >> http://www.linux-squad.com
      >> "The spelling mistakes in my messages are licensed under Ane bâté 1.0"
      >
      >

      Tell me about it, you're not alone in being swamped by these fools. Once upon a
      time I banned IP ranges from China, Taiwan, Romania, the Czech Republic and Brazil. It
      decreased the abuse by about 50%, but it is not anything I would recommend though.
      A more prudent way to get rid of some of this at an early stage is to turn
      on reject_unknown_client, which is what I've done for a while, and it is really
      effective. A word of caution though: it can cause problems for your clients.

      Andreas
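To check that the posted filter actually fires on log lines like the one Olivier quoted, here is an added Python example (not from the thread and not fail2ban's own code) that expands the <HOST> tag the way the filter header describes, runs two of the failregex lines over a constructed log excerpt, and applies the jail's maxretry/ignoreip rule to decide which client would be banned. The example.com/example.org addresses and the 192.0.2.10 client are constructed, and plain re.search is a simplification of fail2ban's own date-stripping matcher.

```python
import re
from collections import Counter

# fail2ban's expansion of the <HOST> tag, as quoted in the filter header.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Two of the failregex lines from the posted yourdomain-postfix-attack.conf.
FAILREGEX = [
    r"postfix/smtpd\[\d+\]:\s+warning:\s+Connection\s+rate\s+limit\s+exceeded:\s+[^\[]+\[<HOST>\]\s+for\s+service\s+smtp$",
    r"postfix/smtpd\[\d+\]:\s+(NOQUEUE:\s+)?reject:\s+(RCPT|HELO|EHLO|MAIL)\s+from\s+[^\[]+\[<HOST>\]:\s+(55[034]\s+|450\s+.*Client\s+host\s+rejected:\s+cannot\s+find\s+your\s+reverse\s+hostname|451\s+(4\.3\.5\s+)?Server\s+configuration\s+error\;\s+from=<.*>\s+to=<.*>\s+proto=.*\s+e?helo=<.*>\s*$|(55[04]|421)\s+[^:]+:\s+Recipient\s+address\s+rejected:\s+)",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEX]


def offending_host(line):
    """Return the client IP captured by the first matching failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=3, ignoreip=("127.0.0.1",)):
    """Mimic the jail: count failregex hits per host, skip ignoreip, ban at maxretry."""
    hits = Counter(h for h in map(offending_host, lines) if h and h not in ignoreip)
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed log excerpt modelled on the line from the original post
# (addresses and the second client are made up for this example).
SAMPLE_LOG = """\
Apr 23 06:35:31 corellia postfix/smtpd[26906]: NOQUEUE: reject: RCPT from unknown[113.116.186.27]: 554 5.7.1 <wabj1@example.com>: Recipient address rejected: Relay access denied; from=<ptye@example.net> to=<wabj1@example.com> proto=ESMTP helo=<zyh-4b482e797ce>
Apr 23 06:35:32 corellia postfix/smtpd[26906]: NOQUEUE: reject: RCPT from unknown[113.116.186.27]: 554 5.7.1 <wabj2@example.com>: Recipient address rejected: Relay access denied; from=<ptye@example.net> to=<wabj2@example.com> proto=ESMTP helo=<zyh-4b482e797ce>
Apr 23 06:35:40 corellia postfix/smtpd[26910]: warning: Connection rate limit exceeded: 31 from unknown[113.116.186.27] for service smtp
Apr 23 06:36:01 corellia postfix/smtpd[26911]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.10]: 554 5.7.1 <nobody@example.com>: Recipient address rejected: Relay access denied; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<mail.example.org>
Apr 23 06:36:05 corellia postfix/smtpd[26912]: connect from localhost[127.0.0.1]
Apr 23 06:36:05 corellia postfix/smtpd[26912]: disconnect from localhost[127.0.0.1]
"""

if __name__ == "__main__":
    # With maxretry=3 only the client that produced three hits gets banned.
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))
```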