SPAM email: qq.com

Discussion in 'Installation/Configuration' started by vaio1, Feb 22, 2012.

  1. vaio1

    vaio1 ISPConfig Developer ISPConfig Developer

    Hi guys,

    I get this string from the mail logs and seems to me that something send a message to [email protected], is what I said correct?

    Code:
    Feb 14 13:47:09 mailserver amavis[25685]: (25685-20) Passed CLEAN, [59.50.129.210] [59.50.129.210] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, Message-ID: <[email protected]>, mail_id: RzYVR7GFFqxh, Hits: 1.546, size: 8319, queued_as: 7389BA23B1, 753 ms
    
    thanks
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Yes, that seems to be correct.
     
  3. vaio1

    vaio1 ISPConfig Developer ISPConfig Developer

    I was under Spam attack.

    I have set up the /etc/fail2ban/jail.local in this way:

    Code:
    
    ## bantime of 3600 = 60*60 = one hour
    ## bantime of 86400 = 60*60*24 = one day
    ## bantime of 604800 = 60*60*24*7 = one week
    ## bantime of 2592000 = 60*60*24*30 = (approx) one month
    ## bantime of 31536000 = 60*60*24*365 = (approx) one year
    
    [dovecot-pop3imap]
    enabled = true
    filter = dovecot-pop3imap
    port = pop3,pop3s,imap,imaps
    logpath = /var/log/mail.log
    maxretry = 20
    findtime = 60
    bantime = 86400
    
    
    in the /etc/fail2ban/filter.d/dovecot-pop3imap.conf file I have written:

    Code:
    [Definition]
    failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconn$
    ignoreregex =
    
    and then I have restarted the fail2ban software:

    Code:
    /etc/init.d/fail2ban restart
    then I have seen the IP of the spammer in the fail2ban log software as BANNNED!

    Thanks
     

Share This Page