Fail2Ban and Spammers

Posted on June 8th, 2008 in PHP by Russ

I thought that Fail2Ban would work well with the spammers we’ve been getting through one of the mail servers. Basically, I wanted to keep track of who had connected to the server and was from one of the spam sources listed at spamhaus.org. I wanted to configure a firewall rule so we didn’t even have to listen to their message.

I configured it to watch the mail log and when a connection was rejected because of spamhaus.org, it would trigger. It would remember the IP for an hour and then let the spammer try again. Why an hour? Our list is currently averaging around 2500 IPs, and I didn’t want it bigger than that. :o

This is the jail.conf entry:

[spamhaus]
enabled = true
filter = spamhaus
action = iptables[name=SPAMHAUS, port=smtp, protocol=tcp]
logpath = /var/log/maillog
findtime = 60
bantime = 3600
maxretry = 1

And the filter entry:

[Definition]
failregex = [[](?P<host>\S*)[]] (?:did not issue|[(]may be forged[)])
            (?P<host>\S*) listed at sbl-xbl.spamhaus.org
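To see what the jail and filter above actually do, here is an added example (not code from the post or from fail2ban) that runs the two failregex patterns over a few constructed sendmail-style maillog lines and replays the findtime/bantime/maxretry logic. The hosts, queue ids and log lines are made-up sample data; the last line shows the same source coming back a few minutes after its one-hour ban has expired.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two failregex lines from the post, with fail2ban's named <host> group.
FAILREGEX = [
    re.compile(r"[[](?P<host>\S*)[]] (?:did not issue|[(]may be forged[)])"),
    re.compile(r"(?P<host>\S*) listed at sbl-xbl.spamhaus.org"),
]

# Constructed sample log lines (not a real maillog); hosts are documentation IPs.
SAMPLE_LOG = """\
Jun  8 10:15:01 mx1 sendmail[12345]: m58AF1ab012345: ruleset=check_relay, arg1=[192.0.2.10], relay=[192.0.2.10], reject=550 5.7.1 Rejected: 192.0.2.10 listed at sbl-xbl.spamhaus.org
Jun  8 10:15:02 mx1 sendmail[12346]: m58AF2cd012346: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jun  8 10:15:03 mx1 sendmail[12347]: m58AF3ef012347: from=<alice@example.com>, size=1234, class=0, nrcpts=1, relay=mail.example.com [192.0.2.20]
Jun  8 11:20:00 mx1 sendmail[12348]: m58BK0gh012348: ruleset=check_relay, arg1=[192.0.2.10], relay=[192.0.2.10], reject=550 5.7.1 Rejected: 192.0.2.10 listed at sbl-xbl.spamhaus.org
"""

def match_line(line):
    """Return (timestamp, host) if any failregex matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            # syslog stamps carry no year; year 1900 is fine for relative deltas
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
            return ts, m.group("host")
    return None

def simulate_jail(log, findtime=60, maxretry=1, bantime=3600):
    """Replay the [spamhaus] jail: ban a host after maxretry matches within
    findtime seconds; the ban lasts bantime seconds, then the host may retry.
    Returns a list of (host, ban_start, ban_end)."""
    hits = defaultdict(list)   # host -> timestamps of matches inside findtime
    bans = []
    for line in log.splitlines():
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        if any(h == host and start <= ts < end for h, start, end in bans):
            continue               # still banned: iptables would drop this
        window = [t for t in hits[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        if len(window) >= maxretry:
            bans.append((host, ts, ts + timedelta(seconds=bantime)))
            window = []            # counter resets once the ban is placed
        hits[host] = window
    return bans
```

Running simulate_jail(SAMPLE_LOG) bans 192.0.2.10 and 198.51.100.7 at 10:15, and then bans 192.0.2.10 a second time at 11:20 because its first hour had already run out.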

However, here’s an intriguing question: at some point fail2ban just “stopped working.” It was like the regex didn’t match any more. Nothing obvious in the logs, et cetera. But when it stopped working, we were hammered by inbound spam. In fact, I originally thought the problem was a DoS attack. But maybe when the iptables rules expired, the spam mail servers carried on their normal mail sending (when a mail server comes back online, send any waiting mail to it). Maybe I’m not helping the problem and I should go back to a plain 5.7.1 reject?