Merge pull request #421 from grooverdan/sendmail-spam

ENH: multiline filter for sendmail-spam. Closes gh-418

ChangeLog

@@ -34,6 +34,9 @@ code-review and minor additions from Yaroslav Halchenko.
    * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug
      #410077.  Also it would now capture and include stdout and stderr
      into logging messages in case of error or at DEBUG loglevel.
+   Daniel Black and TESTOVIK
+   * Multiline filter for sendmail-spam. Close gh-418
+
 - Enhancements
   Steven Hiscocks
    * Replacing use of deprecated API (.warning, .assertEqual, etc)

THANKS

@@ -63,6 +63,7 @@ Sireyessire
 silviogarbes
 Stephen Gildea
 Steven Hiscocks
+TESTOVIK
 Tom Pike
 Tyler
 Vaclav Misek

config/filter.d/sendmail-spam.conf

@@ -0,0 +1,30 @@
+# Fail2ban filter for sendmail spam
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sendmail
+
+failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+# DEV NOTES:
+# 
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious. Only one of the 
+# "No such user" lines needs to be matched before the line with the HOST.
+#
+# Note the capture __prefix, includes both the __prefix_lines (which includes
+# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
+#
+# Author: Daniel Black

config/jail.conf

@@ -461,6 +461,10 @@ logpath  = /var/log/postfix.log
 bantime  = 300
 
 
+[sendmail-spam]
+
+logpath  = /var/log/mail.log
+
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]

fail2ban/tests/files/logs/sendmail-spam

@@ -0,0 +1,19 @@
+
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <arhipov@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anatoliy@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <artem@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anto@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
+# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
+
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
+# Different mail ID shouldn't match
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]