SPAM email:

Discussion in 'Installation/Configuration' started by vaio1, Feb 22, 2012.

  1. vaio1

    vaio1 ISPConfig Developer

    Hi guys,

    I got this string from the mail logs, and it seems to me that something sent a message to *. Is what I said correct?

    Feb 14 13:47:09 mailserver amavis[25685]: (25685-20) Passed CLEAN, [] [] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, Message-ID: <[email protected]>, mail_id: RzYVR7GFFqxh, Hits: 1.546, size: 8319, queued_as: 7389BA23B1, 753 ms

  2. falko

    falko Super Moderator ISPConfig Developer

    Yes, that seems to be correct.

  3. vaio1

    vaio1 ISPConfig Developer

    I was under a spam attack.

    I have set up /etc/fail2ban/jail.local in this way:

    ## jail section header (the name is assumed; it was missing from the snippet
    ## as posted, but fail2ban needs one before the settings below)
    [dovecot-pop3imap]
    ## bantime of 3600 = 60*60 = one hour
    ## bantime of 86400 = 60*60*24 = one day
    ## bantime of 604800 = 60*60*24*7 = one week
    ## bantime of 2592000 = 60*60*24*30 = (approx) one month
    ## bantime of 31536000 = 60*60*24*365 = (approx) one year
    enabled = true
    filter = dovecot-pop3imap
    port = pop3,pop3s,imap,imaps
    logpath = /var/log/mail.log
    maxretry = 20
    findtime = 60
    bantime = 86400

    In the /etc/fail2ban/filter.d/dovecot-pop3imap.conf file I have written:

    [Definition]
    failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconn$
    ignoreregex =

    And then I restarted fail2ban:

    /etc/init.d/fail2ban restart

    Then I saw the spammer's IP in the fail2ban log as BANNED!
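
    The following is an added example (Python, not code from the thread or from fail2ban) that replays constructed Dovecot log lines through the same kind of failregex / maxretry / findtime logic the jail above relies on, so you can see why a fast password-guesser is banned while a slow one spaced out beyond findtime is not. The failregex quoted in the post is cut off after "Disconn"; the pattern here completes it with "Disconnected (auth failed" and a `rip=` host capture as an assumption (real fail2ban filters use the `<HOST>` placeholder). The log lines and the IPs (203.0.113.5, 198.51.100.7, 192.0.2.0/24) are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex modelled on the dovecot-pop3imap failregex quoted above, which is cut
# off after "Disconn" in the post. The "Disconnected (auth failed" alternative
# and the rip=<host> capture at the end are assumptions made for this example.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): .*"
    r"(?:Authentication failure|Aborted login \(auth failed|"
    r"Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*?),"
)

# Jail settings as posted in the thread.
MAXRETRY = 20
FINDTIME = 60     # seconds in which MAXRETRY failures trigger a ban
BANTIME = 86400   # one day; reported only, this replay never un-bans


def _syslog_ts(line, year=2012):
    """Parse the leading 'Mon DD HH:MM:SS' stamp; syslog lines carry no year."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def failures_per_ip(lines):
    """Count every line the filter matches, keyed by the captured client IP."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay lines in order, keeping each IP's failures inside a findtime window.

    Returns {ip: timestamp string of the line that pushed it over maxretry}.
    """
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        ip = m.group("host")
        if ip in banned:
            continue
        ts = _syslog_ts(line)
        q = window[ip]
        q.append(ts)
        # drop failures older than findtime relative to this one
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = line[:15]
    return banned


# --- constructed sample log, not taken from the thread ----------------------
def _fail(ts, ip):
    return (f"{ts:%b %d %H:%M:%S} mailserver dovecot: imap-login: Aborted login "
            f"(auth failed, 1 attempts): user=<info>, method=PLAIN, rip={ip}, "
            f"lip=192.0.2.10")


_base = datetime(2012, 2, 14, 13, 47, 0)
SAMPLE = (
    # fast attacker: 25 failures in 25 seconds, crosses maxretry inside findtime
    [_fail(_base + timedelta(seconds=i), "203.0.113.5") for i in range(25)]
    # slow attacker: 25 failures, one every 5 s, never more than 13 in any 60 s
    + [_fail(_base + timedelta(seconds=5 * i), "198.51.100.7") for i in range(25)]
    # a successful login, which the filter must not count
    + [f"{_base:%b %d %H:%M:%S} mailserver dovecot: imap-login: Login: "
       "user=<bob>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10, TLS"]
)

if __name__ == "__main__":
    print("failures:", failures_per_ip(SAMPLE))
    print("banned:  ", scan(SAMPLE))
```

    With the posted values the second host is never banned even though it fails just as often, because its 25 attempts are spread over two minutes; raising findtime (try `scan(SAMPLE, findtime=600)`) catches it too. That trade-off, findtime versus false positives from a busy NAT, is the one to tune rather than maxretry alone.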

  4. jivef

    jivef New Member

    Last Monday, I found exactly 218,521 mails from the domain "" in the postqueue of a customer server.
    Each email address was different; only the domain was the same.
    In 30 years of data processing, I never saw that!
    So I blocked this domain and now it's clean.
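
    As an added example (Python; not code from the thread, and the post does not say which commands were used), here is the triage step behind that kind of cleanup: parse `postqueue -p` (mailq) output, tally queued messages by sender domain, and list the queue IDs for the offending domain in the one-per-line form that `postsuper -d -` reads from standard input. The queue excerpt, queue IDs and the domains spam-sender.example and customer.example are constructed sample data.

```python
import re
from collections import Counter

# Constructed `postqueue -p` output, not from the thread. Queue IDs and
# addresses are invented; spam-sender.example stands in for the blocked domain.
MAILQ_OUTPUT = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     8319 Mon Feb 20 03:12:44  a9f1@spam-sender.example
                                         victim1@customer.example
B2C3D4E5F6*    7910 Mon Feb 20 03:12:45  k22q@spam-sender.example
                                         victim2@customer.example
C3D4E5F6A7     8102 Mon Feb 20 03:12:47  zz7@spam-sender.example
(connect to mx.customer.example[192.0.2.25]:25: Connection timed out)
                                         victim3@customer.example
D4E5F6A7B8!    1201 Mon Feb 20 03:15:02  alice@customer.example
                                         bob@partner.example

-- 25 Kbytes in 4 Requests.
"""

# One queue entry header line: ID, optional status flag (* = active,
# ! = on hold), size, arrival time, sender. Indented continuation lines
# carry the deferral reason and the recipients and are skipped.
_ENTRY = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)


def parse_queue(text):
    """Return a list of (queue_id, sender) for every entry in mailq output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((m.group("qid"), m.group("sender")))
    return entries


def sender_domain(addr):
    """Domain part of an address, lower-cased; '' for the null sender '<>'."""
    return addr.rpartition("@")[2].lower()


def sender_domains(text):
    """Tally queued messages by sender domain (a Counter, most_common() sorts it)."""
    return Counter(sender_domain(s) for _, s in parse_queue(text))


def queue_ids_for_domain(text, domain):
    """Queue IDs whose sender is in `domain`, ready to feed to `postsuper -d -`."""
    return [qid for qid, s in parse_queue(text) if sender_domain(s) == domain.lower()]


def sender_access_line(domain):
    """Entry for a Postfix sender_access map used with check_sender_access."""
    return f"{domain}\tREJECT"


if __name__ == "__main__":
    for domain, n in sender_domains(MAILQ_OUTPUT).most_common():
        print(f"{n:8d}  {domain}")
    print("\n".join(queue_ids_for_domain(MAILQ_OUTPUT, "spam-sender.example")))
    print(sender_access_line("spam-sender.example"))
```

    In practice the tally comes from a live `postqueue -p`, the ID list is piped into `postsuper -d -` to purge the backlog, and the REJECT line goes into the map referenced by check_sender_access so the domain is refused at SMTP time instead of filling the queue again. Since the sender domain is attacker-chosen, the block only stops that one campaign; the Dovecot brute-force filter earlier in the thread addresses the compromised-account case that usually feeds such a queue.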
