Fail2ban Sendmail Filters and Hacks

Ban and Disconnect Spammers Without all the Chitchat

-- PAGE UNDER CONSTRUCTION --

Contents:

Overview
Download
Install
How to Tell if it is Working
Info
Version History

Overview:

I like to monitor my server logs. I get angry when I see my mailserver chatting away with hosts which are obviously spammers. I get angry over lots of things like that. Sometimes I get angry enough to actually do something about it.

fail2ban is a tool which monitors log files and acts (normally by adding a firewall rule that blocks the offending IP address) when log messages matching a filter occur often enough within a given time window. I've been using it for a while to put down dictionary attacks, spammers, and other unruly behaviour. It's not perfect but it does what I need for now. If you don't know what fail2ban is, this web page is a waste of your time.

So anyway, I've been happily banning hosts with fail2ban for a while now, but there are a few issues with sendmail that I wanted to fix.
These are the issues I have dealt with, either by hacking my cf file or by hacking the sendmail source code itself:

- Some of sendmail's log messages that I want to filter with fail2ban don't contain the client's IP address.
  fail2ban doesn't have any mechanism to combine multiple selected log lines: a filter matches one line at a time, and the address to ban has to come from that same line.
  When you're dealing with fast-moving log files and multiple clients it's a pain to figure out which line relates to another.

- Spammers are sending to email addresses prefixed with the pipe | character. These make up a significant percentage of spam attempts lately. A local part starting with | is sendmail's own syntax for delivery to a program (as used in aliases and .forward files), and no remote client has any business submitting one, so they are 100% spam and I want these messages rejected and their hosts banned immediately.

- I want sendmail to disconnect the client as soon as they are identified as spammers.
  There's no need to allow the client to keep specifying additional recipients as part of their dictionary attack.
  I have it wait a few seconds so that fail2ban can ban their address before the disconnect, which prevents them from reconnecting.
  This required changes to the sendmail source code. Very small, tiny changes.
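The following is an added example, not the author's filter and not fail2ban's own code. It replays a handful of constructed sendmail log lines the way a fail2ban jail would: a failregex with the client address in a named group (the equivalent of fail2ban's <HOST> placeholder), a maxretry/findtime window per host, and the two cases raised above. A reject line that carries no relay address cannot be attributed to any host and so can never produce a ban on its own, and a pipe-prefixed recipient bans on the first hit. Hosts, addresses and queue IDs are made up; the pipe-address reject line assumes a check_rcpt rule that rejects such recipients is already in the cf file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, in the shape of sendmail's check_rcpt reject
# entries.  Hosts, addresses, queue IDs and the reject text are made up;
# the pipe-address line assumes a cf rule that rejects such recipients
# is already in place.  The fifth line has no relay= field at all.
SAMPLE_LOG = """\
Sep 30 10:00:01 mx sendmail[12001]: n8UE01aa012001: ruleset=check_rcpt, arg1=<nobody@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <nobody@example.com>... User unknown
Sep 30 10:00:03 mx sendmail[12001]: n8UE01aa012001: ruleset=check_rcpt, arg1=<guess2@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <guess2@example.com>... User unknown
Sep 30 10:00:05 mx sendmail[12001]: n8UE01aa012001: ruleset=check_rcpt, arg1=<guess3@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <guess3@example.com>... User unknown
Sep 30 10:00:09 mx sendmail[12003]: n8UE03bb012003: ruleset=check_rcpt, arg1=<|/usr/bin/sh@example.com>, relay=spam.example.net [198.51.100.7], reject=553 5.1.3 <|/usr/bin/sh@example.com>... Pipe addresses not accepted
Sep 30 10:00:12 mx sendmail[12004]: n8UE0Ccc012004: <bogus@example.com>... User unknown
Sep 30 10:20:30 mx sendmail[12009]: n8UE0Udd012009: ruleset=check_rcpt, arg1=<late@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <late@example.com>... User unknown
"""

# fail2ban writes the client address as <HOST> in filter.d files; this is
# the equivalent pattern as a named group.  sendmail logs the relay field
# either as "[ip]" or as "name [ip]".
HOST = r"(?:\S+ )?\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]"

# Pipe-prefixed recipient: one hit is enough to ban.
PIPE_RE = re.compile(
    r"sendmail\[\d+\]: \S+: ruleset=check_rcpt, arg1=<\|[^>]*>, relay=" + HOST)
# Any other recipient rejected with a 5xx code: counts toward maxretry.
RCPT_RE = re.compile(
    r"sendmail\[\d+\]: \S+: ruleset=check_rcpt, arg1=<[^>]*>, relay=" + HOST
    + r", reject=5\d\d ")


def parse_ts(line):
    # syslog timestamps carry no year; only relative ages matter here.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def match_line(line):
    """Return (host, kind) for a line that matches a failregex, else None."""
    m = PIPE_RE.search(line)
    if m:
        return m.group("host"), "pipe"
    m = RCPT_RE.search(line)
    if m:
        return m.group("host"), "rcpt"
    return None


def scan(log_text, maxretry=3, findtime=600):
    """Replay the log the way a fail2ban jail would: ban a host after
    maxretry matching lines inside a findtime-second window, or on the
    first pipe-address hit.  Returns (banned, unattributed); unattributed
    lists reject lines that carry no client address and therefore can
    never produce a ban on their own."""
    recent = defaultdict(deque)   # host -> timestamps of recent hits
    banned = {}                   # host -> the line that triggered the ban
    unattributed = []
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit is None:
            if "reject=" in line or "User unknown" in line:
                unattributed.append(line)
            continue
        host, kind = hit
        if host in banned:
            continue
        if kind == "pipe":
            banned[host] = line
            continue
        ts = parse_ts(line)
        q = recent[host]
        q.append(ts)
        # drop hits older than the findtime window
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = line
    return banned, unattributed


if __name__ == "__main__":
    banned, unattributed = scan(SAMPLE_LOG)
    for host, line in banned.items():
        print("ban", host, "<-", line[:70])
    for line in unattributed:
        print("no client address in:", line[:70])
```

Running it bans 192.0.2.10 (three rejected recipients within seconds) and 198.51.100.7 (one pipe address), leaves 203.0.113.5 alone after a single reject, and reports the "bogus@example.com" line as unattributable; that last case is exactly why the author wants the client address on every log line that fail2ban is expected to act on.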

Part of the problem is that I use the sendmail DELAY_CHECKS feature (FEATURE(`delay_checks') in the mc file), which postpones the check_relay and check_mail rulesets until each RCPT TO so that a rejection can depend on the recipient. A side effect is that a client is not refused at connect time and can keep trying recipients. It would be hard to live without it, so I had to find a way to keep it.

Download:

sdm-20090930-sendmail-8.14.3-fail2ban.zip

This zip file contains a patch for sendmail 8.14.3 and example sendmail configuration files.
Be certain that you retain the tabs and spaces in any cf file, because they really matter to sendmail: the left and right hand sides of a rewriting rule (R line) must be separated by a tab, not by spaces, and getting this wrong can cause nasty, hard-to-find bugs.
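A quick check for the tab problem, added here as an example and not part of the download: it scans a cf fragment for rewriting rules that have no tab at all, which is what you get when an editor or a copy-and-paste silently converts tabs to spaces. The fragment is constructed for the example; the third rule deliberately uses spaces where sendmail wants a tab.

```python
# Constructed sendmail.cf fragment for the check below.  The third line
# deliberately uses spaces where sendmail requires a tab.
CF_FRAGMENT = (
    "SLocal_check_rcpt\n"
    "R$*\t\t$: $>3 $1\n"
    "R$* @ $=w . $@ OK\n"
    "R$*\t\t$: $1\t# a comment after another tab is fine\n"
)


def check_rules(cf_text):
    """Return (line number, line) for every rewriting rule (R line) that
    contains no tab.  sendmail splits an R line into LHS and RHS at the
    first tab and reports a rule without one as an invalid rewrite line
    (tab expected), so a tab-to-space conversion breaks the cf file."""
    bad = []
    for n, line in enumerate(cf_text.splitlines(), 1):
        if line.startswith("R") and "\t" not in line:
            bad.append((n, line))
    return bad


if __name__ == "__main__":
    for n, line in check_rules(CF_FRAGMENT):
        print("line %d: no tab between LHS and RHS: %r" % (n, line))
```

Run it over any cf file you have edited before restarting sendmail; a clean result does not prove the rules are right, but a hit means sendmail will not load the file as intended.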

Install:


Back up your sendmail source directory and back up your sendmail.cf (and the sendmail.mc it was generated from, if you build the cf file with m4).

######################################################################
######################################################################

There you will probably see short sections for

and






How to Tell if it is Working:

If you are impatient like me, you can



Info:

Check these websites for more information:

sendmail.cf Configuration Language
sendmail rules
www.spamhaus.org/
www.emailaddressmanager.com/tips/codes.html
www.uceprotect.net
www.seanster.com/sendmail-backscatter/
denyhosts.sourceforge.net/
Sendmail Quick Reference
Characters in the local part of a mail address
related to this, see your sendmail.cf:
# operators that cannot be in local usernames (i.e., network indicators)
CO @ % !

Version History:

20090930
First public release


Created 30 September 2009

Copyright © 2009 By Sean McLaughlin All Rights Reserved.

Email: fail2ban@nro.ca

http://www.seanster.com/sendmail-fail2ban/

//End of File