mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Regex for Fail2ban to stop email address scanning #4093

Closed soulsymphonies closed 3 years ago

soulsymphonies commented 3 years ago

Summary

In the last few days, I noticed a lot of attempts by some spammers to guess email addresses on my mailcow server. The log files always look like this, except of course that the IPs change and the tested email address as well.

I tried to create a regex for fail2ban to ban those IPs, but I wasn't successful since I'm not very good at regex. Maybe someone could help me come up with a regex for this, to ban these IPs via fail2ban.

Thank you ever so much.

I have attached some of the logs:

09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<ckb@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<lpy@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<tcu@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<pzu@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<wxx@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<luj@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<dpf@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<xyu@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>
09.05.2021, 15:03:27 | info | NOQUEUE:  reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error;  from=<344dbvqgro7p@alloggiocasahellen.com>,  to=<ure@domain.tld>, proto=ESMTP,  helo=<[91.191.209.149]>

Motivation

What are you about to solve or improve with this idea?
reducing spam

What would be the benefit for most users?
less spam, less load on the mailserver

andryyy commented 3 years ago

Thanks!

You need to reset to standard or add NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+ manually.

ghost commented 2 years ago

Is the REGEX still valid for stopping email address scanning?

I am wondering if someone out there has an email server and is sending spam mail to guess email addresses?

Got error like this (regex doesn't recognize...): NOQUEUE: reject: RCPT from mail.example.com[123.123.123.123]: 550 5.1.1 <test@test.me>: Recipient address rejected: User unknown in virtual mailbox table; from=<test-from@test.me> to=<test@test.me> proto=ESMTP helo=<mail.example.com>

Is it worth creating a REGEX like this?: NOQUEUE: reject: RCPT from .+\[([0-9a-f\.:]+)].+Recipient address rejected.+
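The two patterns from this thread (the "Protocol error" one from andryyy's reply and the "Recipient address rejected" one proposed just above) applied to constructed sample lines, as an added example that is not part of the issue or of mailcow's own netfilter code. The sample lines are modelled on the logs quoted in the thread but single-spaced, as postfix writes them; the counting and threshold logic is a stand-in for what a ban counter does and assumes nothing about mailcow's real settings.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# The two patterns proposed in this thread; group 1 is the client IP to ban.
PROTOCOL_ERROR = re.compile(
    r"NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)\].+Protocol error.+")
USER_UNKNOWN = re.compile(
    r"NOQUEUE: reject: RCPT from .+\[([0-9a-f\.:]+)\].+Recipient address rejected.+")
PATTERNS = (PROTOCOL_ERROR, USER_UNKNOWN)

# Constructed sample lines modelled on the ones quoted in the issue (single-spaced,
# as postfix itself writes them). The last line is a harmless connect, to show a miss.
SAMPLE_LOG = [
    "NOQUEUE: reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error; "
    "from=<344dbvqgro7p@alloggiocasahellen.com> to=<ckb@domain.tld> proto=ESMTP helo=<[91.191.209.149]>",
    "NOQUEUE: reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error; "
    "from=<344dbvqgro7p@alloggiocasahellen.com> to=<lpy@domain.tld> proto=ESMTP helo=<[91.191.209.149]>",
    "NOQUEUE: reject: RCPT from [91.191.209.148]:10172: 550 5.5.1 Protocol error; "
    "from=<344dbvqgro7p@alloggiocasahellen.com> to=<tcu@domain.tld> proto=ESMTP helo=<[91.191.209.149]>",
    "NOQUEUE: reject: RCPT from mail.example.com[123.123.123.123]: 550 5.1.1 <test@test.me>: "
    "Recipient address rejected: User unknown in virtual mailbox table; "
    "from=<test-from@test.me> to=<test@test.me> proto=ESMTP helo=<mail.example.com>",
    "connect from unknown[203.0.113.9]",
]


def extract_offender(line: str) -> Optional[str]:
    """Return the client IP captured by the first matching pattern, else None."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group(1)
    return None


def count_rejects(lines: Iterable[str]) -> Counter:
    """Count matching rejects per client IP, the way a ban counter would."""
    counts: Counter = Counter()
    for line in lines:
        ip = extract_offender(line)
        if ip is not None:
            counts[ip] += 1
    return counts


def candidates_for_ban(counts: Counter, threshold: int) -> list:
    """IPs that reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    totals = count_rejects(SAMPLE_LOG)
    print(totals)                         # Counter({'91.191.209.148': 3, '123.123.123.123': 1})
    print(candidates_for_ban(totals, 3))  # ['91.191.209.148']
```

Note that the first pattern alone does not match the "User unknown" line, because it requires the bracketed IP directly after "from "; the second pattern's `.+` before the bracket is what allows the `hostname[ip]` form.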