Thanks guys!, John you can send me a simple filter for fail2ban+SMTP? I tried use the following filters, but this is no sufficient for my yet. */etc/fail2ban/filter.d/sendmail.conf* [Definition] failregex = \[<HOST>\], reject.*\.\.\. Relaying denied (User unknown)\n* \[<HOST>\] badlogin: .* \[<HOST>\] plaintext .* SASL reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi\?ip=<HOST> ignoreregex = */etc/fail2ban/filter.d/dovecot-pop3imap.conf * [Definition] failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*) With Kind Regards, Gustavo A. Lacoste Z. Curacautín - Chile Skype: knxroot Msn & Gtalk: knx.root [at] gmail.com Home page: http://www.lacosox.org - - *Por favor, evite enviarme documentos adjuntos en formato Word o PowerPoint. Lea http://www.gnu.org/philosophy/no-word-attachments.es.html* 2012/6/15 John Hinton <webmaster@xxxxxxxx> > On 6/14/2012 8:58 PM, Gustavo Lacoste wrote: > > The problem with my server is: I use it to offer webhosting services. > Some > > customers using Outlook are blocked because they use black listed ips > (ips > > simply are dynamic). > > > > > That is the same problem I am dealing with. You have to set up a dual > mailserver system with outbound set to not use the blacklist used on the > inbound server or you will block some of your good users who happen to > land on a dirty IP address from time to time. The situation is the same > with SpamAssassin or any other anti-spam system in place. > > Sendmail and Postfix work the same in this regard. And I'm still not > certain which one I like the most, after installing Postfix on our last > 4 systems. I think the logging from Sendmail is way more logical (easier > to comprehend), but maybe that is just because I have been reading those > logs for many years. > > I would still take a look at Fail2Ban. You need to be very careful with > your rules, but it is extremely flexible. You only provided about 30 > seconds from your mail log. Fail2ban will look over a much greater time > spam and activate whatever blocks you enable or write. I have written > blocks based on not passing certain spam tests, such as the Spamhaus RBL > (and yes we pay for that service). But I really didn't care for our > systems to run the repeated DNS lookups. The rule blocks them at the > firewall and over time, the number of blocks has decreased as many > spammers have just quit trying. I have rules to block spammers mining > for good email addresses (some of our domains were getting 10s of > thousands of attempts per day). I also use Fail2Ban for FTP, SMTP and > just about every service login, with adjusted numbers of attempts and > shorter or longer times based on how the rules might adversely effect > one of our actual users. Higher security risk services with low volume > use by users, get blocked after fewer failed attempts and for much > longer times. > > FYI, Spamhaus is blocking around 90% of all our inbound emails as spam. > That number should actually be higher, but Fail2Ban does not allow a > number of messages in due to the firewall blocks, so those don't get > figured in to that total. Spamhaus is perfect in blocking IP addresses > that positively were used to send spam, but dynamic addresses do get > caught creating some false positives. > > -- > John Hinton > 877-777-1407 ext 502 > http://www.ew3d.com > Comprehensive Online Solutions > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos