Blacklisting senders to unknown users?


Blacklisting senders to unknown users?

@lbutlr
Recently I have been getting hundreds, if not thousands, of failed
connections similar to this:

Jun 13 21:01:51 mail postfix/smtpd[53476]: NOQUEUE: reject: RCPT from unknown[66.96.80.58]: 550 5.1.1 <[hidden email]>: Recipient address rejected: User unknown; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<win6.hivelocity.net>

Jun 13 21:01:51 mail postfix/smtpd[53476]: NOQUEUE: reject: RCPT from unknown[66.96.80.58]: 550 5.1.1 <[hidden email]>: Recipient address rejected: User unknown; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<win6.hivelocity.net>

Jun 13 21:04:08 mail postfix/smtpd[53489]: NOQUEUE: reject: RCPT from nb-206.win.net[216.24.27.206]: 550 5.1.1 <shellacsz8@*munged*>: Recipient address rejected: User unknown; from=<[hidden email]> to=<shellacsz8@*munged*> proto=ESMTP helo=<nb-206.win.net>


of course they all fail, but there are so many of these that they  
sometimes make it very difficult to find the lines in the logs that I  
want.

Is there some way to, say, ban or blacklist an IP address for x amount
of time after a certain number of failed attempts? Specifically if
there are numerous User Unknown rejections? Yesterday I had a total of
2364 of these, and that was a slow day.  Yeah, I know that's nothing
compared to some people, but still.

Also, if anyone has a method of trapping these message-id looking  
attempts and blacklisting those senders after something like 2  
attempts, that would be great too. Something as simple as any username  
with more than one - in it would work for me.


--
You may be anti anti-spam-kook if: Despite having invented the
        FUSSP you not only don't know the difference between the SMTP
        envelope and SMTP headers; you doubt there is such a thing as
        the SMTP envelop because email doesn't involve paper.


Re: Blacklisting senders to unknown users?

Sahil Tandon
LuKreme <[hidden email]> wrote:

> Recently I have been getting hundreds, if not thousands, of failed
> connections similar to this:
>
> Jun 13 21:01:51 mail postfix/smtpd[53476]: NOQUEUE: reject: RCPT from
> unknown[66.96.80.58]: 550 5.1.1
> <[hidden email]>: Recipient address
> rejected: User unknown; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP
> helo=<win6.hivelocity.net>

[...]

> of course they all fail, but there are so many of these that they sometimes
> make it very difficult to find the lines in the logs that I want.

Use grep's invert match (-v) to remove these lines when looking for the lines
you want.
         
> Is there some way to, say, ban or blacklist an IP address for x amount of
> time after a certain number of failed attempts? Specifically if there are
> numerous User Unknown rejections? Yesterday I had a total of 2364 of these,
> and that was a slow day.  Yeah, I know that's nothing compared to some
> people, but still.

You could write a log-analyzer that looks for a few instances from any given
address and updates a map for rejecting those client IPs.  However, in both
cases you would be rejecting at SMTP time and just changing the reason, so it
seems unnecessary.

--
Sahil Tandon <[hidden email]>

Re: Blacklisting senders to unknown users?

Noel Jones-2
Sahil Tandon wrote:

> LuKreme <[hidden email]> wrote:
>
>> Recently I have been getting hundreds, if not thousands, of failed
>> connections similar to this:
>>
>> Jun 13 21:01:51 mail postfix/smtpd[53476]: NOQUEUE: reject: RCPT from
>> unknown[66.96.80.58]: 550 5.1.1
>> <[hidden email]>: Recipient address
>> rejected: User unknown; from=<[hidden email]>
>> to=<[hidden email]> proto=ESMTP
>> helo=<win6.hivelocity.net>
>
> [...]
>
>> of course they all fail, but there are so many of these that they sometimes
>> make it very difficult to find the lines in the logs that I want.
>
> Use grep's invert match (-v) to remove these lines when looking for the lines
> you want.
>          
>> Is there some way to, say, ban or blacklist an IP address for x amount of
>> time after a certain number of failed attempts? Specifically if there are
>> numerous User Unknown rejections? Yesterday I had a total of 2364 of these,
>> and that was a slow day.  Yeah, I know that's nothing compared to some
>> people, but still.
>
> You could write a log-analyzer that looks for a few instances from any given
> address and updates a map for rejecting those client IPs.  However, in both
> cases you would be rejecting at SMTP time and just changing the reason, so it
> seems unnecessary.
>

fail2ban can be configured to do this.

You can also set smtpd_hard_error_limit to a fairly low value
(3~5) to disconnect clients who make too many errors.

--
Noel Jones
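A worked version of the log-analyzer Sahil describes and of the fail2ban-style "N rejects within a time window" rule Noel points at, added here as an example; it is not code from the thread, from Postfix or from fail2ban. The sample log lines, the year supplied to the syslog timestamps, and the maxretry/findtime defaults are assumptions; the output is in Postfix client_access table syntax and would still need postmap and a reference from smtpd_client_restrictions to take effect.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in the format quoted in the thread (addresses, hosts and times are made up).
SAMPLE_LOG = """\
Jun 13 21:01:51 mail postfix/smtpd[53476]: NOQUEUE: reject: RCPT from unknown[66.96.80.58]: 550 5.1.1 <1213-0452-77@example.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<1213-0452-77@example.com> proto=ESMTP helo=<win6.hivelocity.net>
Jun 13 21:01:51 mail postfix/smtpd[53476]: NOQUEUE: reject: RCPT from unknown[66.96.80.58]: 550 5.1.1 <1213-0452-78@example.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<1213-0452-78@example.com> proto=ESMTP helo=<win6.hivelocity.net>
Jun 13 21:03:10 mail postfix/smtpd[53480]: NOQUEUE: reject: RCPT from unknown[66.96.80.58]: 550 5.1.1 <1213-0452-79@example.com>: Recipient address rejected: User unknown; from=<spam@example.net> to=<1213-0452-79@example.com> proto=ESMTP helo=<win6.hivelocity.net>
Jun 13 21:04:08 mail postfix/smtpd[53489]: NOQUEUE: reject: RCPT from nb-206.win.net[216.24.27.206]: 550 5.1.1 <shellacsz8@example.com>: Recipient address rejected: User unknown; from=<x@example.org> to=<shellacsz8@example.com> proto=ESMTP helo=<nb-206.win.net>
Jun 13 09:00:00 mail postfix/smtpd[51000]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<slow.example>
Jun 13 13:00:00 mail postfix/smtpd[52000]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<slow.example>
Jun 13 17:00:00 mail postfix/smtpd[52500]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown; from=<a@example.org> to=<nobody@example.com> proto=ESMTP helo=<slow.example>
Jun 13 21:05:00 mail postfix/smtpd[53490]: 7F1A2: message-id=<ok@example.com>
"""

REJECT_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ '
    r'postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: '
    r'550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown;')

def parse_rejects(log_text, year=2008):
    """Return {client_ip: [(timestamp, recipient)]}; syslog lines carry no year, so one is supplied."""
    seen = defaultdict(list)
    for m in filter(None, map(REJECT_RE.match, log_text.splitlines())):
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        seen[m['ip']].append((ts, m['rcpt']))
    return seen

def looks_like_message_id(rcpt):
    """The original poster's heuristic: a local part with more than one '-' in it."""
    return rcpt.split('@', 1)[0].count('-') > 1

def find_offenders(rejects, maxretry=3, findtime=600):
    """fail2ban-style rule: flag an IP with maxretry rejects inside any findtime-second window."""
    offenders = {}
    for ip, events in rejects.items():
        times = sorted(ts for ts, _ in events)
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1  # slide the window forward past old rejects
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders

def client_access_map(offenders):
    """Render offenders as lines for a Postfix client_access lookup table."""
    return "\n".join(f"{ip} REJECT too many unknown recipients" for ip in sorted(offenders))
```

As Sahil notes, a map built this way still rejects at SMTP time; what changes is that the client is refused at connect/HELO before it walks through its recipient list, which is what keeps the User unknown lines out of the log.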

Re: Blacklisting senders to unknown users?

@lbutlr
On 14-Jun-2008, at 16:36, Noel Jones wrote:
> You can also set smtpd_hard_error_limit to a fairly low value (3~5)  
> to disconnect clients who make too many errors


That sounds promising.

--
and I lift my glass to the Awful Truth / which you can't reveal to
        the Ears of Youth / except to say it isn't worth a dime


Re: Blacklisting senders to unknown users?

Sahil Tandon
LuKreme <[hidden email]> wrote:

> On 14-Jun-2008, at 16:36, Noel Jones wrote:
>> You can also set smtpd_hard_error_limit to a fairly low value (3~5) to
>> disconnect clients who make too many errors
>
> That sounds promising.

It is.  But understand the consequences of this and other measures that slow
down Postfix.  If you have not already, read:  
 
http://www.postfix.org/TUNING_README.html#slowdown

--
Sahil Tandon <[hidden email]>