mirror of https://github.com/fail2ban/fail2ban
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
51 lines
2.1 KiB
51 lines
2.1 KiB
# Fail2Ban filter for exim the spam rejection messages
|
|
#
|
|
# Honeypot traps are very useful for fighting spam. You just activate an email
|
|
# address on your domain that you do not intend to use at all, and that normal
|
|
# people do not risk to try for contacting you. It may be something that
|
|
# spammers often test. You can also hide the address on a web page to be picked
|
|
# by spam spiders. Or simply parse your mail logs for an invalid address
|
|
# already being frequently targeted by spammers. Enable the address and
|
|
# redirect it to the blackhole. In Exim's alias file, you would add the
|
|
# following line (assuming the address is honeypot@yourdomain.com):
|
|
#
|
|
# honeypot: :blackhole:
|
|
#
|
|
# For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
|
|
#
|
|
# To this filter use the jail.local should contain in the right jail:
|
|
#
|
|
# filter = exim-spam[honeypot=honeypot@yourdomain.com]
|
|
#
|
|
|
|
[INCLUDES]
|
|
|
|
# Read common prefixes. If any customizations available -- read them from
|
|
# exim-common.local
|
|
before = exim-common.conf
|
|
|
|
[Definition]
|
|
|
|
failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
|
|
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
|
|
^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
|
|
^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$
|
|
^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
|
|
|
|
ignoreregex =
|
|
|
|
[Init]
|
|
|
|
# Option: honeypot
|
|
# Notes.: honeypot is an email address that isn't published anywhere that a
|
|
# legitimate email sender would send email too.
|
|
# Values: email address
|
|
|
|
honeypot = trap@example.com
|
|
|
|
# DEV Notes:
|
|
# The %(host_info) defination contains a <HOST> match
|
|
#
|
|
# Author: Cyril Jaquier
|
|
# Daniel Black (rewrote with strong regexs)
|