A fail2ban regular expression that uses less CPU?

Using fail2ban, I want to ban the spammers who send to my spamtrap addresses:

 Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[117.197.114.222]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: odwsgs.com, MTA hostname: unknown[117.197.114.222] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<odwsgs.com>
 Oct 27 09:08:51 si68 postfix/smtpd[32646]: NOQUEUE: reject: RCPT from unknown[182.177.131.71]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: rigplj.com, MTA hostname: unknown[182.177.131.71] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<rigplj.com>
 Oct 27 12:42:09 si68 postfix/smtpd[22119]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>
 Oct 27 14:03:12 si68 postfix/smtpd[30183]: NOQUEUE: reject: RCPT from unknown[91.79.137.194]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (mchi.org); Please use DynDNS; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<ppp91-79-137-194.pppoe.mtu-net.ru>
 Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[96.31.94.71]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ipr-management-mail.com>
 Oct 28 00:40:00 si68 postfix/smtpd[18319]: NOQUEUE: reject: RCPT from unknown[63.141.229.165]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<mx1.nnamedia.com>
 Oct 28 04:05:14 si68 postfix/smtpd[9519]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/70.39.119.76.html; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>

I am not good at regular expressions, but I came up with this:

 [Definition]
 failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap

But when I test a regex like this against the (46MB) maillog above:

 fail2ban-regex /var/log/maillog 'failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap' 

the CPU gets stuck trying to process it. I think the regex could be written more efficiently. Any suggestions?

Update: the IPs in the log file above are only rejected for the specific transactions shown. I want to block them completely. This is only a very small excerpt of the log. The very same spamming IPs are not only sending to the spamtrap addresses, but also to real, valid recipients, and those messages are getting through.

In other words, I want to ban them when they try the spamtrap addresses, and so stop further mail from the same IP from reaching real people.

Using Michael Orlitzky's suggestion, I found a way to use a bit less CPU:

 failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <spamtrap@example\.com> 

Reference: http://old.nabble.com/Re%3A-fail2ban-for-spamtraps-p28964882.html

I can't see what you are trying to accomplish. The lowest CPU usage you can get is by removing fail2ban and ignoring the entries in the mail log. All of those messages were rejected. So why care?

You use CPU at rejection time (policyd-weight), and then again in fail2ban to ban connections that are already closed. Just ignore the past.

If you really need to do this, you should redirect the log. Use a syslog-ng filter to create a log file containing only the spamtrap hits. Then run fail2ban on that tiny log file.
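As an added example (not code from the question, the answer, or fail2ban itself), the script below runs both patterns from the question against constructed postfix lines using Python's `re`, the same engine fail2ban uses, and also shows the answer's approach of pre-filtering to spamtrap hits before applying any regex. It goes one step beyond the thread: the original `(.*)spamtrap` matches the word anywhere in the rest of the line, sender address included, so it can match a rejection that was never a spamtrap hit. The `HOST` stand-in, the log lines, the addresses and the function names are assumptions made for this example.

```python
import re

# Constructed sample lines in the shape of the postfix/smtpd rejections quoted in
# the question (addresses are made up; 203.0.113.0/24 is a documentation range).
LOG_LINES = [
    "Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: "
    "550 5.1.1 <spamtrap@example.com>: Recipient address rejected: User unknown; "
    "from=<bob@example.net> to=<spamtrap@example.com> proto=ESMTP helo=<mx.example.net>",
    # A real recipient rejected as spam, but the forged sender happens to contain "spamtrap".
    "Oct 27 09:08:51 si68 postfix/smtpd[32646]: NOQUEUE: reject: RCPT from unknown[203.0.113.20]: "
    "550 5.7.1 <alice@example.com>: Recipient address rejected: Mail appeared to be SPAM or forged; "
    "from=<spamtrap@example.org> to=<alice@example.com> proto=ESMTP helo=<mx.example.org>",
    "Oct 27 12:42:09 si68 postfix/smtpd[22119]: NOQUEUE: reject: RCPT from unknown[203.0.113.30]: "
    "550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown; "
    "from=<dave@example.net> to=<carol@example.com> proto=ESMTP helo=<mx.example.net>",
]

# Stand-in for fail2ban's <HOST> tag (assumption: fail2ban's own expansion is more
# elaborate, but a plain "no whitespace or brackets" capture is enough to show the behaviour).
HOST = r"(?P<host>[^\s\[\]]+)"

# The pattern from the question: two greedy (.*) groups, and "spamtrap" may sit anywhere.
LOOSE = re.compile(r"reject: RCPT from (.*)\[" + HOST + r"\]: (.*)spamtrap")

# The tightened pattern from the update: literal status code and literal recipient,
# so the engine fails fast on every line that is not a spamtrap rejection.
TIGHT = re.compile(r"reject: RCPT from (.*)\[" + HOST + r"\]: 550 5\.1\.1 <spamtrap@example\.com>")


def matched_hosts(pattern, lines):
    """Return the hosts a filter built from `pattern` would hand to fail2ban's ban action."""
    return [m.group("host") for m in (pattern.search(line) for line in lines) if m]


def prefiltered_hosts(lines, needle="<spamtrap@example.com>: Recipient address rejected"):
    """The answer's approach: a cheap substring test first (what a syslog-ng filter
    would do when writing the small log), then the regex only on the survivors."""
    return matched_hosts(TIGHT, [line for line in lines if needle in line])


if __name__ == "__main__":
    print("loose :", matched_hosts(LOOSE, LOG_LINES))   # includes the forged-sender line
    print("tight :", matched_hosts(TIGHT, LOG_LINES))   # only the real spamtrap hit
    print("filter:", prefiltered_hosts(LOG_LINES))
```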