From: Phil Howard on 22 Jun 2010 14:30

I saw fail2ban discussed in another thread. I was wondering if anyone here has used it to block based on spamtraps. I want to set up a number of dummy users and splatter their email addresses where spammers would get at them (e.g. white on white text on web pages, etc). Then ban the IPs that try to send to N or more of those addresses, where N is relatively low, like 2.
From: Michael Orlitzky on 22 Jun 2010 16:46

On 06/22/2010 02:30 PM, Phil Howard wrote:
> I saw fail2ban discussed in another thread. I was wondering if anyone
> here have used it to block based on spamtraps. I want to set up a
> number of dummy users and splatter their email addresses where
> spammers would get at them (e.g. white on white text on web pages,
> etc). Then ban the IPs that try to send to N or more of those
> addresses, where N is relatively low, like 2.

This doesn't do exactly what you want; it only allows one attempt on a spamtrap address. Add more regexen and increase maxretry to taste.

A word of caution: don't assume that everyone browses the web using a graphical web browser. People still browse from the command line, and more importantly, screen readers for the disabled. If you're going to hide an address, make sure that there is some indication (for humans) that the address should not be contacted under any circumstances.

    # jail.conf
    [spamtrap-iptables]
    # Be extra mean to these hosts. The bantime is 28 days.
    enabled = true
    bantime = 2419200
    findtime = 86400
    maxretry = 1
    filter = spamtrap
    action = iptables[name=spamtrap, port=smtp, protocol=tcp]
    logpath = /var/log/mail/mail.log

    # filter.d/spamtrap.conf
    [Definition]
    failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <address(a)example\.com>

You will probably also need to configure the 'iptables' action, and some part of your iptables config. Snippets from mine won't help you much, but basically, I append banned addresses to a new fail2ban-<name> table, and then insert this table into my standard chain at a particular position during actionstart. (I also mail myself the output of iptables -L -n, so that I can verify that nothing has gone haywire.)
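Added example, not part of the thread: a small Python re-implementation of what the spamtrap filter above matches, extended to Phil's "N or more distinct trap addresses" rule, which maxretry alone does not express (it counts matching log lines, so two deliveries to the same trap would trip maxretry=2). The trap addresses, client IPs and Postfix log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed spamtrap addresses (stand-ins for the thread's address(a)example.com).
TRAPS = {"trap1@example.com", "trap2@example.com"}

# Mirrors the thread's failregex; <HOST> is expanded to a named group the way
# fail2ban does, and the recipient is captured so it can be checked against TRAPS.
FAILREGEX = re.compile(
    r"reject: RCPT from \S*\[(?P<host>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>"
)


def _reject(ip, rcpt):
    """Build a constructed Postfix smtpd 'User unknown' reject line (not real traffic)."""
    return (f"Jun 22 14:30:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient "
            f"table; from=<a@spam.invalid> to=<{rcpt}> proto=ESMTP helo=<spam.invalid>")


SAMPLE_LOG = [
    _reject("192.0.2.10", "trap1@example.com"),
    _reject("192.0.2.10", "trap2@example.com"),
    _reject("198.51.100.7", "trap1@example.com"),
    _reject("198.51.100.7", "trap1@example.com"),   # same trap twice, one distinct address
    _reject("203.0.113.5", "bob@example.com"),      # genuine unknown user, not a trap hit
]


def trap_hits(log_lines, traps=TRAPS):
    """Map each client IP to the set of distinct trap addresses it targeted."""
    hits = defaultdict(set)
    for line in log_lines:
        m = FAILREGEX.search(line)
        if m is None:
            continue
        rcpt = m.group("rcpt").lower()
        if rcpt in traps:  # rejects for real unknown users are ignored
            hits[m.group("host")].add(rcpt)
    return dict(hits)


def hosts_to_ban(log_lines, n=2, traps=TRAPS):
    """Phil's rule: ban once a client has probed N or more distinct trap addresses."""
    return sorted(ip for ip, addrs in trap_hits(log_lines, traps).items() if len(addrs) >= n)


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['192.0.2.10']
```

Run against a real mail.log the same distinct-address check would need a findtime window as well, which the example omits.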
From: Phil Howard on 23 Jun 2010 10:28

On Tue, Jun 22, 2010 at 16:46, Michael Orlitzky <michael(a)orlitzky.com> wrote:
> A word of caution: don't assume that everyone browses the web using a
> graphical web browser. People still browse from the command line, and more
> importantly, screen readers for the disabled. If you're going to hide an
> address, make sure that there is some indication (for humans) that the
> address should not be contacted under any circumstances.

Good point. I was thinking that for these, the dummy addresses would just not be sent out. No harm if spammers are doing scans using these methods, too. So I'm thinking just output those addresses when the conditions are such that it appears to be graphical browsing, under the theory that spammers would likely be attempting to look like that, too.
From: Tom Hendrikx on 23 Jun 2010 11:21

On 23/06/10 16:28, Phil Howard wrote:
> On Tue, Jun 22, 2010 at 16:46, Michael Orlitzky <michael(a)orlitzky.com> wrote:
>
>> A word of caution: don't assume that everyone browses the web using a
>> graphical web browser. People still browse from the command line, and more
>> importantly, screen readers for the disabled. If you're going to hide an
>> address, make sure that there is some indication (for humans) that the
>> address should not be contacted under any circumstances.
>
> Good point. I was thinking that for these, the dummy addresses would
> just not be sent out. No harm of spammers are doing scans using these
> methods, too. So I'm thinking just output those addresses when the
> conditions are such that it appears to be graphical browsing, under
> the theory that spammers would likely be attempting to look like that,
> too.
>

Actually, when using a visual browser, people still can use their own colouring (again, the visually impaired). What you are suggesting is generating browser-specific output. This practice has been tried, tested, and discarded in webdesign country for some years now (we're getting OT here) as it does not work for all audiences, and in general creates an unmaintainable mess.

If you want spam traps advertised, there are numerous better ways. Adding a clear ("The following e-mail address is solely targeted at catching mail abuse, do not use it for mail interaction: foobar(a)example.com") or more cryptic message ("The trapper recommends today: foobar(a)example.com") to the e-mail address will stop humans from using it, but harvesters will still pick it up.

Keep in mind: automated harvesters can impersonate regular people (or browsers), but they cannot think like one.

--
Regards,
Tom
From: Jerry on 23 Jun 2010 11:51

On Wed, 23 Jun 2010 17:21:21 +0200 Tom Hendrikx <tom(a)whyscream.net> articulated:
> Keep in mind: automated harvesters can impersonate regular people (or
> browsers), but they cannot think like one.

Which, in some instances, might be considered a good thing.

--
Jerry ✌
postfix-user(a)seibercom.net
_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html