# Fail2Ban filter for exim the spam rejection messages # # Honeypot traps are very useful for fighting spam. You just activate an email # address on your domain that you do not intend to use at all, and that normal # people do not risk to try for contacting you. It may be something that # spammers often test. You can also hide the address on a web page to be picked # by spam spiders. Or simply parse your mail logs for an invalid address # already being frequently targeted by spammers. Enable the address and # redirect it to the blackhole. In Exim's alias file, you would add the # following line (assuming the address is honeypot@yourdomain.com): # # honeypot: :blackhole: # # For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used. # # To this filter use the jail.local should contain in the right jail: # # filter = exim-spam[honeypot=honeypot@yourdomain.com] # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # exim-common.local before = exim-common.conf [Definition] failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$ ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$ ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[\]\) for $ ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[\]\) for \S+$ ignoreregex = [Init] # Option: honeypot # Notes.: honeypot is an email address that isn't published anywhere that a # legitimate email sender would send email too. # Values: email address honeypot = trap@example.com # DEV Notes: # The %(host_info) definition contains a match # # Author: Cyril Jaquier # Daniel Black (rewrote with strong regexs)