Using fail2ban, I want to ban these spammers who are sending to a spamtrap address:
Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[117.197.114.222]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: odwsgs.com, MTA hostname: unknown[117.197.114.222] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<odwsgs.com>
Oct 27 09:08:51 si68 postfix/smtpd[32646]: NOQUEUE: reject: RCPT from unknown[182.177.131.71]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: rigplj.com, MTA hostname: unknown[182.177.131.71] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<rigplj.com>
Oct 27 12:42:09 si68 postfix/smtpd[22119]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>
Oct 27 14:03:12 si68 postfix/smtpd[30183]: NOQUEUE: reject: RCPT from unknown[91.79.137.194]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (mchi.org); Please use DynDNS; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<ppp91-79-137-194.pppoe.mtu-net.ru>
Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[96.31.94.71]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ipr-management-mail.com>
Oct 28 00:40:00 si68 postfix/smtpd[18319]: NOQUEUE: reject: RCPT from unknown[63.141.229.165]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<mx1.nnamedia.com>
Oct 28 04:05:14 si68 postfix/smtpd[9519]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/70.39.119.76.html; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>
I'm not very good at regular expressions, but I came up with this:
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap
However, when I test the above regex against the (46MB) maillog like so:
fail2ban-regex /var/log/maillog 'failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap'
The CPU goes nuts trying to process it. I figure the regex could be written more efficiently. Any suggestions?
Update: The IPs in the logfile above are only rejected for the particular transactions above. I want to completely block them. That is just a very small log excerpt. The very same spammer IPs aren't ONLY sending to spamtrap addresses, but also sending to real valid recipients, and are getting through.
In other words, I'd like to ban them the MOMENT they try the spamtrap address -- thus preventing further mails from the same IP from getting to a real person.
Found a way to use a bit less CPU with one less glob using this advice from Michael Orlitzky:
Reference: http://old.nabble.com/Re%3A-fail2ban-for-spamtraps-p28964882.html
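As an added illustration of the regex problem (not code from the question or from fail2ban), the script below substitutes `<HOST>` the way fail2ban does and runs the question's failregex next to a tighter one over a few constructed log lines modelled on the excerpt. It assumes an IPv4-only `<HOST>` pattern and a placeholder mailbox name `spamtrap@`; the last sample line shows that the unanchored `(.*)spamtrap` also fires when "spamtrap" merely appears in the sender address, which would ban a legitimate client.

```python
import re

# Assumption: a simplified, IPv4-only stand-in for fail2ban's <HOST> substitution.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the question: two unanchored greedy groups mean every
# non-matching line is scanned with heavy backtracking.
SLOW_FAILREGEX = r"reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap"

# Tighter variant: the client name never contains '[' or whitespace, the SMTP
# status and enhanced code follow the host directly, and the rejected recipient
# is the first '<...>'. "spamtrap@" is a placeholder for the real trap address.
FAST_FAILREGEX = r"reject: RCPT from [^\[\s]+\[<HOST>\]: \d{3} [\d.]+ <spamtrap@"


def compile_failregex(failregex):
    """Replace the <HOST> tag with the capturing host pattern and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def spamtrap_hosts(failregex, lines):
    """Return the client IP of every line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


# Constructed sample lines modelled on the question's excerpt; all addresses
# and IPs are placeholders. The fourth line is a legitimate rejection whose
# *sender* happens to contain the word "spamtrap".
SAMPLE_LOG = [
    "Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[117.197.114.222]: 550 5.7.1 <spamtrap@example.org>: Recipient address rejected: Mail appeared to be SPAM or forged; from=<a@odwsgs.com> to=<spamtrap@example.org> proto=ESMTP helo=<odwsgs.com>",
    "Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[96.31.94.71]: 550 5.1.1 <user@example.org>: Recipient address rejected: User unknown; from=<b@ipr-management-mail.com> to=<user@example.org> proto=ESMTP helo=<ipr-management-mail.com>",
    "Oct 28 04:05:14 si68 postfix/smtpd[9519]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <spamtrap@example.org>: Recipient address rejected: Your MTA is listed in too many DNSBLs; from=<c@CT623.local> to=<spamtrap@example.org> proto=ESMTP helo=<CT623.local>",
    "Oct 28 05:10:00 si68 postfix/smtpd[9600]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.5]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<spamtrap-reports@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>",
]

if __name__ == "__main__":
    # The slow regex over-matches (bans 203.0.113.5); the tight one does not.
    print("slow:", spamtrap_hosts(SLOW_FAILREGEX, SAMPLE_LOG))
    print("fast:", spamtrap_hosts(FAST_FAILREGEX, SAMPLE_LOG))
```

Run it against a real maillog by replacing `SAMPLE_LOG` with the file's lines; the difference in matched hosts, not just CPU time, is what to check before deploying a failregex that bans.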
I can't see what you are trying to accomplish. The least CPU usage you can get is to remove fail2ban and ignore the entries in the mail log. All these mails are rejected. So why care?
You consume CPU on rejecting (policyd-weight) and then on fail2ban to ban the already closed connection. Just ignore the past.
If you really need to do it you should redirect the logs. Use syslog-ng filters to create a log file only for spamtrap hits. Then use fail2ban on that tiny log file.