2013-11-07 21:55:45 +00:00
# Fail2ban filter for sendmail spam
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# common.conf is loaded first; the __prefix_line value that failregex
# interpolates is not defined in this file, so it has to come from there
# (or from a common.local override).
before = common.conf
[Definition]
# Daemon name expected in the syslog prefix of each log line. common.conf
# builds __prefix_line from it, so lines logged by other daemons do not match.
_daemon = sendmail
2013-11-07 23:54:10 +00:00
# Multi-line match over the buffered log lines:
#   1. a "<rcpt>... No such user here" rejection line; its syslog prefix plus
#      the \w+ mail ID is captured as the named group __prefix;
#   2. <SKIPLINES> lets unrelated lines sit in between;
#   3. a "from=<sender>, size=..., relay=name [<HOST>]" line that must start
#      with the same text, enforced by the (?P=__prefix) back-reference.
# The back-reference ties the rejection to the from= line of the same message,
# so a rejection is not attributed to the relay of a different, interleaved
# message.
# <HOST> (the address fail2ban acts on) is read only from the bracketed field
# that ends the from= line. The relay name before it (\S+) and the envelope
# addresses are supplied by the remote side, so they are matched but never used
# as the ban target. The pattern is anchored with ^ and $ so that text inside
# those fields cannot stand in for the trailing [address].
# Not matched by this pattern: a null sender (from=<>), lines without a
# bodytype= field, and any daemon= value other than MTA.
# NOTE(review): one mistyped recipient from a legitimate relay produces a
# match; set maxretry/findtime in the jail accordingly and list trusted relays
# in ignoreip.
failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
2013-11-07 21:55:45 +00:00
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
# The "No such user here" line, any skipped lines and the from= line must all
# fit in this buffer. If more unrelated lines interleave (e.g. on a busy
# server) the pair is missed and no ban is recorded.
# NOTE(review): confirm 10 is enough for the log volume of the target host.
maxlines = 10
2013-11-07 23:54:10 +00:00
# DEV NOTES:
#
# There can be a number of non-related lines between the first and second part
# of this regex. A maxlines of 10 is quite generous. Only one of the
# "No such user" lines needs to be matched before the line with the HOST.
#
# Note that the capture __prefix includes not only __prefix_line (which includes
# the sendmail PID), but also the \w+, which is the sendmail-assigned mail ID.
#
# Author: Daniel Black