
Filters for sendmail - hackers and spammers #20

Closed
cepheid666 opened this Issue Dec 30, 2011 · 20 comments

6 participants

@cepheid666

There don't appear to be any default filters for sendmail, so I thought I'd contribute a couple. The first one is to ban people who attempt to brute-force SMTP AUTH. This doesn't work wonderfully since not all brute-force attempts can be captured by the particular regex I'm using, but it catches a few. Ideally, one would use some other method (e.g. checking saslauthd logs) which would do a better job, but this is not always possible - for example, CentOS servers default to using saslauthd via PAM, and the current CentOS-packaged version of saslauthd (in all current CentOS dists) does not properly pass the "remotehost" parameter to PAM, so the saslauthd PAM errors are useless for fail2ban monitoring. Thus, in the default configuration, the only way to use fail2ban to kick out sendmail brute-force hackers is the following. (Another alternative is to set saslauthd's syslog level to "debug," but that adds a lot of length to logfiles and is not an out-of-the-box configuration.)

The second filter is to lock out spammers who are looking for open relays. Many spammers don't bother to "test the waters" on a server to check for an open relay - they usually just attempt to flood the server with dozens, even hundreds, of spam messages, simply hoping that the server is an open relay and will pass it on, and not caring if it's not. The filter included below checks for repeated "open relay" probes and locks out the offenders who are trying to use the server as a spambot. (Of course, this works only if you've actually locked down your server and disabled relaying without auth.)

sendmail brute-force hack filter - sendmail.conf:

# Fail2Ban configuration file
#
# Author: Jamie Morrison; minor modifications by Amir Caspi
# See http://theether.net/kb/100141
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[<HOST>\]: possible SMTP attack: command=AUTH

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

sendmail spam relay filter - sendmail-relay.conf:

# Fail2Ban configuration file
#
# Author: Amir Caspi
#
# $Revision: 1 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sm-acceptingconnections

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s\S*: ruleset=check_rcpt, arg1=\S*, relay=\S*\s*\[<HOST>\], reject=550 5.7.1 <\S*>... Relaying denied. Proper authentication required.\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

And, the relevant jail.conf settings that I happen to use are:

[sendmail]

enabled  = true
filter   = sendmail
action   = iptables-multiport[name=SENDMAIL, port="smtp,smtps,submission", protocol=tcp]
           sendmail-whois-lines[name=SENDMAIL, dest=root, sender=fail2ban@mail.com, logpath=/var/log/maillog]
logpath  = /var/log/maillog
# Once is enough for these jerks!
maxretry = 0

[sendmail-relay]

enabled  = true
filter   = sendmail-relay
action   = iptables-multiport[name=SENDMAIL, port="smtp,smtps,submission", protocol=tcp]
           sendmail-whois-lines[name=SENDMAILrelay, dest=root, sender=fail2ban@mail.com, logpath=/var/log/maillog]
logpath  = /var/log/maillog
maxretry = 4

I hope these can be added to the default set of filters, as I think they would be quite useful - many still use sendmail and this has really helped to keep my sendmail hacks down to a minimum (particularly by tarpitting the damn spammers!).

Hope this helps.

@yarikoptic
Fail2Ban member

Thanks, looks useful

Would you care just to commit and submit a pull request?
Also, having a few example lines in the corresponding files under the unittests files directories would be great.

@cepheid666

Er... I am not actually that familiar with how github works so I'd have to read up on how to even do pull requests. If needed, I can, just more work. =) I'll add some examples, too - haven't seen the unittests files before...

@yarikoptic
Fail2Ban member

If you are keen on learning GIT + GITHUB -- that would be just awesome for me (and for you since both are great resources worth knowing). And things are quite simple actually ;) just glance over help.github.com

Example files should go under testcases/files/logs
I (or anyone else) have yet to standardize them so they can be used for automatic unit testing, to reduce the possibility of regressions.

@leeclemens

I just started using github with this project, and they have some good tutorials available to get started. Don't need to understand too much in depth regarding git to get it working, make a few changes and create a pull request :) http://help.github.com/ is probably the best starting point

@yarikoptic
Fail2Ban member

Hi @cepheid666 -- would you mind at least providing some sample logfiles/lines illustrating the use cases for the above filters? I would like to at least anchor the tail of the sendmail failregex... Also, it is not clear why in the 2nd one you used "^%(__prefix_line)s\S*:" while in the first one you didn't, etc. Examples would help.

cheers

@grooverdan referenced this issue Apr 30, 2013: Bsd #195 (Closed)

@grooverdan

#421 does some spam regexes. Please provide log examples and we can handle the regex.

@grooverdan

Sorry, not willing to support a filter without log samples. Please reopen or open a new issue when you have them.

@grooverdan grooverdan closed this Jan 13, 2014
@jserrachinha

Relay:

Feb 23 15:46:09 petermurray sm-mta[18722]: s1NFk6KT018722: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 23 15:48:25 petermurray sm-mta[18743]: s1NFmOvj018743: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 23 15:49:58 petermurray sm-mta[18756]: s1NFnvwB018756: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 23 15:58:09 petermurray sm-mta[18840]: s1NFw80E018840: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 23 16:22:15 petermurray sm-mta[19331]: s1NGMDcm019331: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 23 21:33:44 petermurray sm-mta[22200]: s1NLXf8e022200: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:44 petermurray sm-mta[22195]: s1NLXfMF022195: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:44 petermurray sm-mta[22196]: s1NLXfiY022196: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:44 petermurray sm-mta[22201]: s1NLXftr022201: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:44 petermurray sm-mta[22202]: s1NLXfcA022202: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:45 petermurray sm-mta[22203]: s1NLXi1Y022203: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:45 petermurray sm-mta[22205]: s1NLXiHS022205: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:45 petermurray sm-mta[22204]: s1NLXiVn022204: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:45 petermurray sm-mta[22206]: s1NLXigf022206: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:45 petermurray sm-mta[22207]: s1NLXiVq022207: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:47 petermurray sm-mta[22209]: s1NLXkIo022209: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:47 petermurray sm-mta[22208]: s1NLXkCf022208: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:47 petermurray sm-mta[22212]: s1NLXksP022212: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:47 petermurray sm-mta[22210]: s1NLXknf022210: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:47 petermurray sm-mta[22211]: s1NLXkMh022211: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:48 petermurray sm-mta[22214]: s1NLXleO022214: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:49 petermurray sm-mta[22213]: s1NLXl5i022213: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:33:49 petermurray sm-mta[22215]: s1NLXmpJ022215: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:09 petermurray sm-mta[22229]: s1NLa8FK022229: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:09 petermurray sm-mta[22228]: s1NLa8VY022228: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:09 petermurray sm-mta[22230]: s1NLa8lt022230: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:09 petermurray sm-mta[22231]: s1NLa8rn022231: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:09 petermurray sm-mta[22232]: s1NLa8xs022232: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:10 petermurray sm-mta[22234]: s1NLa9Ix022234: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:10 petermurray sm-mta[22233]: s1NLa9l6022233: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:10 petermurray sm-mta[22235]: s1NLa9bo022235: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:10 petermurray sm-mta[22237]: s1NLa9Eq022237: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:11 petermurray sm-mta[22236]: s1NLa9fc022236: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:12 petermurray sm-mta[22239]: s1NLaB1r022239: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:12 petermurray sm-mta[22241]: s1NLaBWX022241: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:12 petermurray sm-mta[22240]: s1NLaBhC022240: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:12 petermurray sm-mta[22243]: s1NLaBPs022243: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:12 petermurray sm-mta[22242]: s1NLaBJL022242: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:13 petermurray sm-mta[22244]: s1NLaC4Q022244: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:13 petermurray sm-mta[22246]: s1NLaDUa022246: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:13 petermurray sm-mta[22245]: s1NLaCHs022245: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:14 petermurray sm-mta[22247]: s1NLaDs7022247: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 24 07:36:11 petermurray sm-mta[21167]: s1O7aALD021167: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 24 07:37:41 petermurray sm-mta[21198]: s1O7beXS021198: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 24 07:45:35 petermurray sm-mta[21334]: s1O7jY6s021334: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
Feb 24 08:08:57 petermurray sm-mta[22141]: s1O88tgW022141: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
@jserrachinha

AUTH attack:

Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:01:43 smtp1 sm-mta[5404]: s1H01URp005404: [186.176.74.182]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:05:03 smtp1 sm-mta[5750]: s1H04x5e005750: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:08:25 smtp1 sm-mta[5751]: s1H08NIU005751: mail.dati.com.tr [212.174.252.130] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 00:15:18 smtp1 sm-mta[5864]: s1H0FGcZ005864: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:19:00 smtp1 sm-mta[5872]: s1H0IuEI005872: [103.14.20.248]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:22:27 smtp1 sm-mta[5991]: s1H0MP0q005991: static-97-161-86-188.ipcom.comunitel.net [188.86.161.97] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 00:27:08 smtp1 sm-mta[5995]: s1H0PunN005995: din-146-181-231-77.ipcom.comunitel.net [77.231.181.146] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 00:29:34 smtp1 sm-mta[5996]: s1H0TOHl005996: static-97-161-86-188.ipcom.comunitel.net [188.86.161.97] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 00:32:53 smtp1 sm-mta[6096]: s1H0WmkN006096: 105-237-97-175.access.mtnbusiness.co.za [105.237.97.175]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:40:00 smtp1 sm-mta[6125]: s1H0dmiv006125: [186.176.74.182]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:43:19 smtp1 sm-mta[6223]: s1H0hHwe006223: 13.49.77.188.dynamic.jazztel.es [188.77.49.13]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:46:56 smtp1 sm-mta[6225]: s1H0knYj006225: wsip-174-79-39-4.ph.ph.cox.net [174.79.39.4]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:50:23 smtp1 sm-mta[6226]: s1H0oLXh006226: ool-4b7ff3d2.static.optonline.net [75.127.243.210]: possible SMTP attack: command=AUTH, count=5
Feb 17 00:57:42 smtp1 sm-mta[6307]: s1H0vapQ006307: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:01:18 smtp1 sm-mta[6328]: s1H10t2i006328: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:04:30 smtp1 sm-mta[6704]: s1H14S9u006704: mail.dati.com.tr [212.174.252.130] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 01:08:05 smtp1 sm-mta[6707]: s1H183fN006707: [91.82.88.231]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:22:05 smtp1 sm-mta[6898]: s1H1M0fC006898: static.kpn.net [194.151.15.34] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 01:25:29 smtp1 sm-mta[6901]: s1H1PQJe006901: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:33:14 smtp1 sm-mta[6983]: s1H1WcHK006983: i59F79283.versanet.de [89.247.146.131]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:36:02 smtp1 sm-mta[6987]: s1H1ZwnZ006987: [103.14.20.248]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:39:24 smtp1 sm-mta[7010]: s1H1dLeq007010: s208-180-21-173.bcstcmta02.clsttx.tl.sta.suddenlink.net [208.180.21.173]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:42:57 smtp1 sm-mta[7109]: s1H1gr4I007109: 68-188-72-60.static.stls.mo.charter.com [68.188.72.60]: possible SMTP attack: command=AUTH, count=5
Feb 17 01:49:56 smtp1 sm-mta[7113]: s1H1nsUV007113: 140.pool85-52-224.static.orange.es [85.52.224.140] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 01:53:26 smtp1 sm-mta[7190]: s1H1rGVc007190: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:10:29 smtp1 sm-mta[7599]: s1H2AQAq007599: ool-6c3a94fb.static.optonline.net [108.58.148.251]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:17:43 smtp1 sm-mta[7706]: s1H2HQNa007706: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:20:49 smtp1 sm-mta[7729]: s1H2KkIN007729: 68-188-72-60.static.stls.mo.charter.com [68.188.72.60]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:24:36 smtp1 sm-mta[7828]: s1H2OUht007828: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:27:59 smtp1 sm-mta[7832]: s1H2RrnR007832: static.kpn.net [194.151.15.34] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 02:35:07 smtp1 sm-mta[7930]: s1H2Z45q007930: adsl-dyn10.91-127-66.t-com.sk [91.127.66.10]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:38:21 smtp1 sm-mta[7950]: s1H2cHWi007950: 105-237-97-175.access.mtnbusiness.co.za [105.237.97.175]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:42:08 smtp1 sm-mta[8025]: s1H2ftYu008025: [186.176.74.182]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:48:47 smtp1 sm-mta[8075]: s1H2miiS008075: s208-180-21-173.bcstcmta02.clsttx.tl.sta.suddenlink.net [208.180.21.173]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:52:31 smtp1 sm-mta[8170]: s1H2qMmU008170: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 02:55:43 smtp1 sm-mta[8173]: s1H2tff9008173: mail.dati.com.tr [212.174.252.130] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 03:12:54 smtp1 sm-mta[8700]: s1H3CoFL008700: 105-237-97-175.access.mtnbusiness.co.za [105.237.97.175]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:24:01 smtp1 sm-mta[8824]: s1H3N8C5008824: i59F79283.versanet.de [89.247.146.131]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:30:07 smtp1 sm-mta[8826]: s1H3U1Wv008826: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:33:44 smtp1 sm-mta[8939]: s1H3XfgQ008939: 68-188-72-60.static.stls.mo.charter.com [68.188.72.60]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:37:04 smtp1 sm-mta[8941]: s1H3b26K008941: ool-4b7ff3d2.static.optonline.net [75.127.243.210]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:40:29 smtp1 sm-mta[8984]: s1H3eRYA008984: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:43:56 smtp1 sm-mta[9089]: s1H3hrxo009089: ool-6c3a94fb.static.optonline.net [108.58.148.251]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:50:48 smtp1 sm-mta[9095]: s1H3oi8U009095: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
Feb 17 03:54:18 smtp1 sm-mta[9196]: s1H3sC2s009196: 237.subnet180-250-80.speedy.telkom.net.id [180.250.80.237] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 04:08:47 smtp1 sm-mta[9623]: s1H488c9009623: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:11:40 smtp1 sm-mta[9677]: s1H4Bcl9009677: [91.82.88.231]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:18:48 smtp1 sm-mta[9730]: s1H4IfXA009730: [189.11.0.226]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:22:28 smtp1 sm-mta[9854]: s1H4MFlc009854: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:25:54 smtp1 sm-mta[9858]: s1H4Pmtl009858: static.kpn.net [194.151.15.34] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 04:29:27 smtp1 sm-mta[9861]: s1H4TNKY009861: [196.214.142.155]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:32:58 smtp1 sm-mta[9956]: s1H4WuIC009956: [203.129.196.26]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:36:42 smtp1 sm-mta[9958]: s1H4aavK009958: 189-47-132-239.dsl.telesp.net.br [189.47.132.239]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:40:16 smtp1 sm-mta[10003]: s1H4eCE2010003: [189.11.0.226]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:47:26 smtp1 sm-mta[10099]: s1H4lMZT010099: 68-188-72-60.static.stls.mo.charter.com [68.188.72.60]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:51:01 smtp1 sm-mta[10100]: s1H4ouxi010100: [103.14.20.248]: possible SMTP attack: command=AUTH, count=5
Feb 17 04:54:28 smtp1 sm-mta[10200]: s1H4sPSc010200: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:09:30 smtp1 sm-mta[10623]: s1H599HQ010623: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:12:57 smtp1 sm-mta[10723]: s1H5CtMj010723: adsl-dyn10.91-127-66.t-com.sk [91.127.66.10]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:16:44 smtp1 sm-mta[10725]: s1H5Gd7K010725: wsip-174-79-39-4.ph.ph.cox.net [174.79.39.4]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:20:28 smtp1 sm-mta[10751]: s1H5KOjx010751: [210.186.155.170]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:27:40 smtp1 sm-mta[10851]: s1H5RZY5010851: [12.236.34.135]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:34:55 smtp1 sm-mta[10961]: s1H5Yp2S010961: 105-237-97-175.access.mtnbusiness.co.za [105.237.97.175]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:38:29 smtp1 sm-mta[10975]: s1H5cQ18010975: 105-237-97-175.access.mtnbusiness.co.za [105.237.97.175]: possible SMTP attack: command=AUTH, count=5
Feb 17 05:42:00 smtp1 sm-mta[11110]: s1H5fvHu011110: mail.dati.com.tr [212.174.252.130] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 06:00:19 smtp1 sm-mta[11237]: s1H60GJi011237: 68-188-72-60.static.stls.mo.charter.com [68.188.72.60]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:03:43 smtp1 sm-mta[11644]: s1H63eIu011644: 75-130-67-30.static.kgpt.tn.charter.com [75.130.67.30] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 06:07:15 smtp1 sm-mta[11647]: s1H67Crk011647: [77.73.48.162]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:11:02 smtp1 sm-mta[11655]: s1H6AvIf011655: 189-47-132-239.dsl.telesp.net.br [189.47.132.239]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:14:26 smtp1 sm-mta[11751]: s1H6ENrW011751: ool-4b7ff3d2.static.optonline.net [75.127.243.210]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:21:30 smtp1 sm-mta[11823]: s1H6LRFX011823: s208-180-21-173.bcstcmta02.clsttx.tl.sta.suddenlink.net [208.180.21.173]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:32:02 smtp1 sm-mta[29233]: s1H6Vncw029233: [186.176.74.182]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:35:31 smtp1 sm-mta[29286]: s1H6ZRYm029286: [210.186.155.170]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:38:50 smtp1 sm-mta[29305]: s1H6clrV029305: 68-188-72-60.static.stls.mo.charter.com [68.188.72.60]: possible SMTP attack: command=AUTH, count=5
Feb 17 06:42:21 smtp1 sm-mta[29429]: s1H6gJfI029429: mail.dati.com.tr [212.174.252.130] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 06:45:57 smtp1 sm-mta[29434]: s1H6jnjt029434: static.kpn.net [194.151.15.34] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 06:49:22 smtp1 sm-mta[29437]: s1H6nH5d029437: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 07:03:06 smtp1 sm-mta[29944]: s1H732S3029944: [12.236.34.135]: possible SMTP attack: command=AUTH, count=5
Feb 17 07:09:58 smtp1 sm-mta[29954]: s1H79n2H029954: [77.73.48.162]: possible SMTP attack: command=AUTH, count=5
Feb 17 07:13:24 smtp1 sm-mta[30032]: s1H7DL9g030032: adsl-dyn10.91-127-66.t-com.sk [91.127.66.10]: possible SMTP attack: command=AUTH, count=5
Feb 17 07:20:14 smtp1 sm-mta[30058]: s1H7K8mn030058: static.kpn.net [194.151.15.34] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 07:33:32 smtp1 sm-mta[30212]: s1H7XTDd030212: 202-142-165-14.multi.net.pk [202.142.165.14] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 07:43:37 smtp1 sm-mta[30333]: s1H7hYLZ030333: s208-180-21-173.bcstcmta02.clsttx.tl.sta.suddenlink.net [208.180.21.173]: possible SMTP attack: command=AUTH, count=5
Feb 17 07:50:24 smtp1 sm-mta[30338]: s1H7oLDs030338: 68-188-72-60.static.stls.mo.charter.com [68.188.72.60]: possible SMTP attack: command=AUTH, count=5
Feb 17 07:53:44 smtp1 sm-mta[30418]: s1H7re5C030418: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 07:56:55 smtp1 sm-mta[30422]: s1H7uqIU030422: [79.136.209.183]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:00:24 smtp1 sm-mta[30444]: s1H80L3o030444: ool-4b7ff3d2.static.optonline.net [75.127.243.210]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:03:59 smtp1 sm-mta[30828]: s1H83vFS030828: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:07:22 smtp1 sm-mta[30831]: s1H87IUD030831: s208-180-21-173.bcstcmta02.clsttx.tl.sta.suddenlink.net [208.180.21.173]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:10:57 smtp1 sm-mta[30842]: s1H8AtIM030842: 13.49.77.188.dynamic.jazztel.es [188.77.49.13]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:18:00 smtp1 sm-mta[30926]: s1H8Hoc7030926: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:31:37 smtp1 sm-mta[31075]: s1H8VZwn031075: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:38:41 smtp1 sm-mta[31137]: s1H8ccQa031137: [79.136.209.183]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:45:44 smtp1 sm-mta[31243]: s1H8jgUU031243: [91.82.88.231]: possible SMTP attack: command=AUTH, count=5
Feb 17 08:49:07 smtp1 sm-mta[31245]: s1H8n5MH031245: 140.pool85-52-224.static.orange.es [85.52.224.140] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 08:56:03 smtp1 sm-mta[31324]: s1H8u0mj031324: 75-130-67-30.static.kgpt.tn.charter.com [75.130.67.30] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 08:59:38 smtp1 sm-mta[31329]: s1H8xYvF031329: 237.subnet180-250-80.speedy.telkom.net.id [180.250.80.237] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 09:10:28 smtp1 sm-mta[31739]: s1H9AQPT031739: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:14:04 smtp1 sm-mta[31826]: s1H9DxuU031826: [77.73.48.162]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:21:05 smtp1 sm-mta[31874]: s1H9L1lZ031874: 202-142-165-14.multi.net.pk [202.142.165.14] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 09:24:51 smtp1 sm-mta[31930]: s1H9OlXf031930: 237.subnet180-250-80.speedy.telkom.net.id [180.250.80.237] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 09:28:38 smtp1 sm-mta[31936]: s1H9SUbS031936: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:31:56 smtp1 sm-mta[32021]: s1H9VrJn032021: s208-180-21-173.bcstcmta02.clsttx.tl.sta.suddenlink.net [208.180.21.173]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:35:43 smtp1 sm-mta[32023]: s1H9ZedL032023: adsl-dyn10.91-127-66.t-com.sk [91.127.66.10]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:39:30 smtp1 sm-mta[32050]: s1H9d9cs032050: static.kpn.net [194.151.15.34] (may be forged): possible SMTP attack: command=AUTH, count=5
Feb 17 09:42:45 smtp1 sm-mta[32146]: s1H9ghon032146: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:46:25 smtp1 sm-mta[32149]: s1H9kNfU032149: 80.174.162.208.dyn.user.ono.com [80.174.162.208]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:50:21 smtp1 sm-mta[32152]: s1H9noTV032152: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:56:37 smtp1 sm-mta[32242]: s1H9uUfP032242: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 09:59:55 smtp1 sm-mta[32246]: s1H9xrxF032246: [203.129.196.26]: possible SMTP attack: command=AUTH, count=5
Feb 17 10:03:24 smtp1 sm-mta[32646]: s1HA3Ka5032646: wsip-174-79-39-4.ph.ph.cox.net [174.79.39.4]: possible SMTP attack: command=AUTH, count=5
Feb 17 10:13:50 smtp1 sm-mta[32733]: s1HADmBj032733: 80.174.162.208.dyn.user.ono.com [80.174.162.208]: possible SMTP attack: command=AUTH, count=5
Feb 17 10:17:20 smtp1 sm-mta[32742]: s1HAHISv032742: p578bd5ec.dip0.t-ipconnect.de [87.139.213.236]: possible SMTP attack: command=AUTH, count=5
Feb 17 10:20:42 smtp1 sm-mta[32762]: s1HAKepB032762: 80.174.162.208.dyn.user.ono.com [80.174.162.208]: possible SMTP attack: command=AUTH, count=5
Feb 17 10:27:15 smtp1 sm-mta[378]: s1HARCRk000378: rrcs-67-79-217-54.sw.biz.rr.com [67.79.217.54]: possible SMTP attack: command=AUTH, count=5
Feb 17 10:30:52 smtp1 sm-mta[379]: s1HAUld2000379: [210.186.155.170]: possible SMTP attack: command=AUTH, count=5
Feb 17 10:33:49 smtp1 sm-mta[458]: s1HAXkRl000458: cable-89-216-21-136.static.sbb.rs [89.216.21.136]: possible SMTP attack: command=AUTH, count=5
Feb 20 11:14:33 smtp1 sm-mta[644]: s1KBEUoM000644: [107.150.56.218]: possible SMTP attack: command=AUTH, count=5
Feb 20 11:14:38 smtp1 sm-mta[645]: s1KBEYjx000645: [107.150.56.218]: possible SMTP attack: command=AUTH, count=5
@cepheid666

Thanks jserrachinha, that's pretty much what I'm seeing so I guess there's no need for me to post log samples now. =) Please note, however, that my daemon name is sm-acceptingconnections, not sm-mta, so the filter should probably be modified to allow either daemon.

@grooverdan

Thanks @jserrachinha . This is really good. Are the "may be forged" messages applying to the IP or the hostname? In the auth case, what determines the count=5 (I'm assuming a sendmail option)? Regarding "ruleset=check_rcpt", can "check_rcpt" be any non-whitespace text?

@cepheid666 if you could provide a sm-acceptingconnections sample too that would be great. Include them in <pre></pre> tags please.

@grooverdan grooverdan reopened this Feb 25, 2014
@grooverdan grooverdan added this to the 0.9.0 milestone Feb 25, 2014
@grooverdan grooverdan self-assigned this Feb 25, 2014
@jserrachinha
553 5.1.8
Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist
Feb 23 08:21:11 petermurray sm-mta[7795]: s1N8LALo007795: ruleset=check_rcpt, arg1=, relay=cable190-249-193-175.une.net.co [190.249.193.175] (may be forged), reject=553 5.1.8 ... Domain of sender address pedro_fernandesn@dsldevice.lan does not exist
Feb 23 09:57:33 petermurray sm-mta[11804]: s1N9vWRA011804: ruleset=check_rcpt, arg1=, relay=[190.140.176.28], reject=553 5.1.8 ... Domain of sender address marina_fernandes@tesoreria00.sthonore.zl does not exist
Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist
Feb 23 14:39:19 petermurray sm-mta[17608]: s1NEdJCV017608: ruleset=check_rcpt, arg1=, relay=[31.185.212.100], reject=553 5.1.8 ... Domain of sender address paulo.bastos@dsldevice.lan does not exist
Feb 23 14:59:18 petermurray sm-mta[17855]: s1NExHOZ017855: ruleset=check_rcpt, arg1=, relay=1.Red-88-12-153.dynamicIP.rima-tde.net [88.12.153.1], reject=553 5.1.8 ... Domain of sender address maria@blaszka.pl does not exist
Feb 23 19:27:45 petermurray sm-mta[21154]: s1NJRiIs021154: ruleset=check_rcpt, arg1=, relay=adsl-72-50-39-169.prtc.net [72.50.39.169], reject=553 5.1.8 ... Domain of sender address anabelaalvesdd@dsldevice.lan does not exist
Feb 23 20:59:28 petermurray sm-mta[21755]: s1NKxQWR021755: ruleset=check_rcpt, arg1=, relay=dynamic-adsl-78-13-191-121.clienti.tiscali.it [78.13.191.121], reject=553 5.1.8 ... Domain of sender address paulo.bastos@dsldevice.lan does not exist
Feb 24 01:23:06 petermurray sm-mta[24229]: s1O1N5NM024229: ruleset=check_rcpt, arg1=, relay=[121.177.137.174], reject=553 5.1.8 ... Domain of sender address sergio.cruz@lg_user-PC.kornet does not exist
Feb 24 02:29:53 petermurray sm-mta[27098]: s1O2Tppa027098: ruleset=check_rcpt, arg1=, relay=247-92-162-69.static.reverse.wixnet.com.br [69.162.92.247] (may be forged), reject=553 5.1.8 ... Domain of sender address root@cloud1154.redew.info does not exist
Feb 24 02:36:42 petermurray sm-mta[27334]: s1O2afRP027334: ruleset=check_rcpt, arg1=, relay=4e56a91e.skybroadband.com [78.86.169.30], reject=553 5.1.8 ... Domain of sender address carla.costa@O2wirelessbox.lan does not exist
Feb 24 05:07:18 petermurray sm-mta[705]: s1O57HlM000705: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... Domain of sender address root@srv.montserv.com does not exist
Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... Domain of sender address root@srv.montserv.com does not exist
550 5.7.1
Feb 23 06:30:23 petermurray sm-mta[30953]: s1N6ULdZ030953: ruleset=check_rcpt, arg1=, relay=est-steuer.de [85.214.128.205], reject=550 5.7.1 ... Rejected: 85.214.128.205 listed at sbl-xbl.spamhaus.org
Feb 23 06:47:29 petermurray sm-mta[3492]: s1N6lS6Q003492: ruleset=check_rcpt, arg1=, relay=192-251-165-181.fibertel.com.ar [181.165.251.192] (may be forged), reject=550 5.7.1 ... Rejected: 181.165.251.192 listed at sbl-xbl.spamhaus.org
Feb 23 06:49:16 petermurray sm-mta[3556]: s1N6nFNh003556: ruleset=check_rcpt, arg1=, relay=173-28-227-66.client.mchsi.com [173.28.227.66], reject=550 5.7.1 ... Rejected: 173.28.227.66 listed at sbl-xbl.spamhaus.org
Feb 23 06:53:21 petermurray sm-mta[3729]: s1N6rKjd003729: ruleset=check_rcpt, arg1=, relay=[143.132.243.76], reject=550 5.7.1 ... Rejected: 143.132.243.76 listed at sbl-xbl.spamhaus.org
Feb 23 06:57:52 petermurray sm-mta[3888]: s1N6vmNM003888: ruleset=check_rcpt, arg1=, relay=[200.68.60.130], reject=550 5.7.1 ... Rejected: 200.68.60.130 listed at sbl-xbl.spamhaus.org
Feb 23 06:57:54 petermurray sm-mta[3889]: s1N6vrZv003889: ruleset=check_rcpt, arg1=, relay=[78.93.53.146], reject=550 5.7.1 ... Rejected: 78.93.53.146 listed at sbl-xbl.spamhaus.org
Feb 23 06:59:11 petermurray sm-mta[3938]: s1N6xBNR003938: ruleset=check_rcpt, arg1=, relay=190-92-94-50.reverse.cablecolor.hn [190.92.94.50] (may be forged), reject=550 5.7.1 ... Rejected: 190.92.94.50 listed at sbl-xbl.spamhaus.org
Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org
Feb 23 07:10:59 petermurray sm-mta[4686]: s1N7Av7r004686: ruleset=check_rcpt, arg1=, relay=adsl-mde-190-3-200-1.edatel.net.co [190.3.200.1] (may be forged), reject=550 5.7.1 ... Rejected: 190.3.200.1 listed at sbl-xbl.spamhaus.org
Feb 23 07:14:03 petermurray sm-mta[4812]: s1N7E2TI004812: ruleset=check_rcpt, arg1=, relay=aui130.internetdsl.tpnet.pl [83.18.8.130], reject=550 5.7.1 ... Rejected: 83.18.8.130 listed at sbl-xbl.spamhaus.org
Feb 23 07:15:59 petermurray sm-mta[4878]: s1N7FwhJ004878: ruleset=check_rcpt, arg1=, relay=cpc1-walt5-0-0-cust782.13-2.cable.virginm.net [82.12.211.15], reject=550 5.7.1 ... Rejected: 82.12.211.15 listed at sbl-xbl.spamhaus.org
Feb 23 07:18:25 petermurray sm-mta[4966]: s1N7IO5X004966: ruleset=check_rcpt, arg1=, relay=[84.236.133.143], reject=550 5.7.1 ... Rejected: 84.236.133.143 listed at sbl-xbl.spamhaus.org
Feb 23 07:18:40 petermurray sm-mta[4973]: s1N7Idv9004973: ruleset=check_rcpt, arg1=, relay=CPE00219b22f788-CM001e6b1858fc.cpe.net.cable.rogers.com [99.250.146.9], reject=550 5.7.1 ... Rejected: 99.250.146.9 listed at sbl-xbl.spamhaus.org
421 4.3.2
Feb 24 01:46:41 petermurray sm-mta[24418]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:43 petermurray sm-mta[24419]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:44 petermurray sm-mta[24420]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:44 petermurray sm-mta[24421]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:44 petermurray sm-mta[24423]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:45 petermurray sm-mta[24424]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:45 petermurray sm-mta[24425]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:45 petermurray sm-mta[24426]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:45 petermurray sm-mta[24427]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:45 petermurray sm-mta[24428]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:47 petermurray sm-mta[24429]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:47 petermurray sm-mta[24430]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:47 petermurray sm-mta[24431]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
Feb 24 01:46:47 petermurray sm-mta[24432]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.

I found this one somewhere:

# Fail2Ban configuration file for sendmail
#
# Author: Fabian Wenk
#
# $Revision$
#
# Some of the failregex below will only work properly when the following
# options are set in the .mc file (see your Sendmail documentation on how
# to modify it and generate the corresponding .cf file):
#
# FEATURE(`delay_checks')
# FEATURE(`greet_pause', `500')
# FEATURE(`ratecontrol', `nodelay', `terminate')
# FEATURE(`conncontrol', `nodelay', `terminate')
#
# ratecontrol and conncontrol also need corresponding options ClientRate:
# and ClientConn: in the access file, see documentation for ratecontrol and
# conncontrol in the sendmail/cf/README file.
#
# <HOST> is fail2ban's placeholder for the address to ban; fail2ban replaces
# it with its own host regex when the filter is compiled.
#

[Definition]

# Option: failregex
# Notes.: regex to match rejected connections in the logfile.
# Values: TEXT
#
failregex = (sm-mta|sendmail)(?:\[\d+\])?: ruleset=check_relay, arg1=.*, arg2=<HOST>, relay=.*, reject=421 4.3.2 Too many open connections.$
        (sm-mta|sendmail)(?:\[\d+\])?: ruleset=check_relay, arg1=.*, arg2=<HOST>, relay=.*, reject=421 4.3.2 Connection rate limit exceeded.$
        (sm-mta|sendmail)(?:\[\d+\])?: .*: rejecting commands from .* \[<HOST>\] due to pre-greeting traffic after \d+ seconds$
        (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=\[.*\], reject=550 5.7.1 \<.*\>... Relaying denied. IP name lookup failed \[<HOST>\]$
        (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.* \[.*\] \(may be forged\), reject=550 5.7.1 \<.*\>... Relaying denied. IP name possibly forged \[<HOST>\]$
        (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.* \[<HOST>\], reject=550 5.7.1 \<.*\>... Relaying denied. Proper authentication required.$
        (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.*\[<HOST>\].*, reject=550 5.1.1 \<.*\>... User unknown$
        (sm-mta|sendmail)(?:\[\d+\])?: .*: ruleset=check_rcpt, arg1=\<.*\>, relay=.*\[<HOST>\].*, reject=553 5.1.8 \<.*\>... Domain of sender address .* does not exist$
        (?i)(sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\]: (EXPN|VRFY) .* \[rejected\]$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
@cepheid666

@grooverdan : Some sm-acceptingconnections examples are below. They are the same; the only thing that needs to happen is that the daemon in sendmail-relay.conf needs to be modified to include sm_mta (I can't format it properly here because it keeps causing italics!).

Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
Feb 25 03:01:52 kismet sm-acceptingconnections[27716]: s1P81oJ0027716: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
Feb 25 03:01:52 kismet sm-acceptingconnections[27717]: s1P81oR2027717: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
Feb 25 03:01:52 kismet sm-acceptingconnections[27718]: s1P81pmt027718: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
Feb 25 03:01:52 kismet sm-acceptingconnections[27719]: s1P81pPd027719: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
Feb 25 03:01:52 kismet sm-acceptingconnections[27720]: s1P81pgx027720: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
Feb 23 07:23:37 kismet sm-acceptingconnections[20005]: s1NCNLrE020005: dynamic.vdc.vn [113.162.180.215] (may be forged): possible SMTP attack: command=AUTH, count=6
Feb 23 13:02:45 kismet sm-acceptingconnections[27623]: s1NI2W3w027623: host-213-74-208-58.superonline.net [213.74.208.58] (may be forged): possible SMTP attack: command=AUTH, count=6
Feb 23 16:16:48 kismet sm-acceptingconnections[32514]: s1NLGW4D032514: dynamic.vdc.vn [113.162.180.215] (may be forged): possible SMTP attack: command=AUTH, count=6
Feb 23 19:47:17 kismet sm-acceptingconnections[5165]: s1O0kx4e005165: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6
Feb 23 21:11:59 kismet sm-acceptingconnections[7170]: s1O2Blgf007170: host-213-74-208-58.superonline.net [213.74.208.58] (may be forged): possible SMTP attack: command=AUTH, count=6
Feb 24 05:13:06 kismet sm-acceptingconnections[19638]: s1OACk6b019638: 122-146-1-206.static.sparqnet.net [122.146.1.206] (may be forged): possible SMTP attack: command=AUTH, count=6
Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6
Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6
@cepheid666

Just a comment: the line in sendmail-spam that deals with dnsbl messages is VERY installation-specific, because dnsbl lines are not configured "out of the box" on most systems. I had to configure mine personally. Here are examples of my analogous failure lines:

Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: ruleset=check_rcpt, arg1=<user@host.com>, relay=74-137-127-206.dhcp.insightbb.com [74.137.127.206], reject=550 5.7.1 <user@host.com>... Rejected: IP in SpamCop blacklist, see: http://spamcop.net/bl.shtml?74.137.127.206
Feb 23 04:38:57 kismet sm-acceptingconnections[16772]: s1N9csSZ016772: ruleset=check_rcpt, arg1=<user@host.com>, relay=[203.229.186.250], reject=550 5.7.1 <user@host.com>... Rejected: IP in Barracuda RBL, see: http://www.barracudacentral.org/reputation?ip=203.229.186.250
Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=check_rcpt, arg1=< user@host.com>, relay=r186-54-117-93.dialup.adsl.anteldata.net.uy [186.54.117.93], reject=550 5.7.1 < user@host.com>... Rejected: IP in SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=186.54.117.93

Since the regexp you used is "Rejected: (\d+.){3}\d+\ listed at \S+)", these examples will NOT match this particular rejection message format. (The message format I used is fairly common, by the way, though still configured manually.)

I think that because of the highly variable nature of this particular failure, the regexp should either be omitted, or should be included as a template only, with a note to sysadmins that this is almost certainly going to need to be customized for their specific installation. (It would also be great if you could make my format the template. ;-) )
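To see how the regex points raised in this thread play out against the posted log formats (the daemon name alternation, the optional "(may be forged)" suffix, and the variable DNSBL rejection text), here is an added Python harness; it is not fail2ban's filter or code from anyone in the thread, the `build_rules`, `match_line` and `scan` names are mine, and the sample lines are constructed with documentation addresses.

```python
import re

# Stand-in for fail2ban's <HOST> tag (fail2ban substitutes its own host regex
# before compiling); IPv4-only here, an assumption for offline testing.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Optional "hostname " before the bracketed IP and optional "(may be forged)"
# after it, as in the samples posted in this thread.
RELAY_HOST = r"(?:\S+ )?\[" + HOST + r"\](?: \(may be forged\))?"


def build_rules(daemons=("sm-mta", "sm-acceptingconnections", "sendmail"),
                wide_rbl=True):
    """(name, regex) rules modelled on the thread's filters.

    Dropping sm-acceptingconnections from daemons reproduces the missed lines
    reported above; wide_rbl=False keeps the narrow "<ip> listed at <list>"
    DNSBL form quoted above instead of accepting any "Rejected: ..." text.
    """
    daemon = r"(?:%s)(?:\[\d+\])?" % "|".join(re.escape(d) for d in daemons)
    prefix = daemon + r": \w+: "  # the sendmail queue id follows the daemon
    # arg1=<...> tolerates a stray leading space, seen in one posted sample.
    rcpt = (r"ruleset=check_rcpt, arg1=<[^>]*>, relay=" + RELAY_HOST +
            r", reject=550 5\.7\.1 <[^>]*>\.\.\. ")
    rbl_tail = (r"Rejected: .+$" if wide_rbl
                else r"Rejected: (?:\d+\.){3}\d+ listed at \S+$")
    return [
        ("auth-bruteforce", re.compile(prefix + RELAY_HOST +
            r": possible SMTP attack: command=AUTH, count=\d+$")),
        ("relay-denied", re.compile(prefix + rcpt +
            r"Relaying denied\. Proper authentication required\.$")),
        ("dnsbl-reject", re.compile(prefix + rcpt + rbl_tail)),
    ]


def match_line(line, rules):
    """Return (rule name, host) for the first rule that matches, else None."""
    for name, regex in rules:
        m = regex.search(line)
        if m:
            return name, m.group("host")
    return None


def scan(lines, rules):
    """Count matching lines per host, as fail2ban tallies failures per IP."""
    counts = {}
    for line in lines:
        hit = match_line(line, rules)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


# Constructed sample lines in the formats posted in this thread; hostnames and
# addresses are documentation placeholders, not real relays.
SAMPLE_LOG = [
    "Feb 17 06:32:02 smtp1 sm-mta[29233]: s1H6Vncw029233: [192.0.2.10]: "
    "possible SMTP attack: command=AUTH, count=5",
    "Feb 23 07:23:37 kismet sm-acceptingconnections[20005]: s1NCNLrE020005: "
    "host.example.net [192.0.2.10] (may be forged): possible SMTP attack: "
    "command=AUTH, count=6",
    "Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: "
    "ruleset=check_rcpt, arg1=<sender@example.com>, relay=mail.example.org "
    "[198.51.100.7], reject=550 5.7.1 <sender@example.com>... Relaying "
    "denied. Proper authentication required.",
    "Feb 23 06:30:23 petermurray sm-mta[30953]: s1N6ULdZ030953: "
    "ruleset=check_rcpt, arg1=<sender@example.com>, relay=mx.example.net "
    "[203.0.113.5], reject=550 5.7.1 <sender@example.com>... Rejected: "
    "203.0.113.5 listed at sbl-xbl.spamhaus.org",
    "Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: "
    "ruleset=check_rcpt, arg1=<user@host.com>, relay=[203.0.113.5], "
    "reject=550 5.7.1 <user@host.com>... Rejected: IP in SpamCop blacklist, "
    "see: http://spamcop.net/bl.shtml?203.0.113.5",
    "Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: "
    "ruleset=check_rcpt, arg1=< user@host.com>, relay=r.example.net "
    "[203.0.113.5], reject=550 5.7.1 < user@host.com>... Rejected: IP in "
    "SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=203.0.113.5",
]

if __name__ == "__main__":
    print("wide:", scan(SAMPLE_LOG, build_rules()))
    print("narrow RBL:", scan(SAMPLE_LOG, build_rules(wide_rbl=False)))
```

Running it shows the narrow DNSBL regex catching only the "listed at" form and the sm-mta-only alternation silently dropping every sm-acceptingconnections line.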

@grooverdan

@cepheid666 ack - fixed in 72c84fe
Any new issues, please open a new issue.

@cepheid666

@grooverdan don't know if you want me to open a new issue for this, but GitHub's stupid formatting appears to have caused an error in the regexp again. The arg1= part of the line is followed by an email address in angle brackets, and that same email address in angle brackets is ALSO after the "550 5.7.1" but before the "Rejected" ...

I don't know how to make GitHub show things in "raw" format, but the angle brackets are causing the text inside them to disappear in GitHub. Consequently, your Rejected regexp (and possibly the others) still won't work...

How do I show you the raw logs, without GitHub's formatting? (Apparently stuff in pre-tags still gets formatted.)

@kwirk
Fail2Ban member
kwirk commented Feb 27, 2014

@cepheid666 I've fixed up your comment so it displays correctly now. Best bet is to use backticks. If you click edit on your comment you should see the change I made.

@cepheid666

Thanks @kwirk, I've also gone back and edited my log-file samples from a couple of days ago, the same way. I was told to use pre tags, so that's what I did... guess I should have done more homework. =) @grooverdan, please take a look at the log samples now that the formatting has been fixed. thanks.

@grooverdan

Best bet is to use backticks

Ah, so now I know too.

guess I should have done more homework

Me too.

please take a look at the log samples now that the formatting has been fixed. thanks.

fixed. d34569f

@yarikoptic yarikoptic added a commit to yarikoptic/fail2ban that referenced this issue Mar 19, 2014
@yarikoptic yarikoptic Merge tag '0.8.13' into debian
* tag '0.8.13': (48 commits)
  DOC: DEVELOP release note changes
  PKG: version release
  PKG: include nagios filter/log
  DOC/ENH: update man pages for release
  ENH: pull asterisk filter change to support syslog from 0.9 branch
  Sanity-check print-all-* vs print-no-* options.
  Add --print-no-{missed,ignored} and restore -all.
  Only remember log lines we need to print later.
  Fix the --print-all-{missed,ignored} options.
  ENH: sendmail-reject for all smtp ports.
  ENH: more sendmail-reject filter items thanks to fab23
  BF: move to right location
  ENH: rename sendmail-spam to sendmail-reject
  BF: email address as arg1 in sendmail filters
  ENH: wider regex for RBL and sendmail-spam
  DOC: Add reference to action argument values which contain ","
  BF: add jail.conf definitions for sendmail* filters
  ENH: add filter for sendmail-{auth,spam}. Closes gh-20
  ENH: Allow 255.255.255.0 style mask for ignoreip
  BF: Fix complain action for multiple recipients and misplaced ";"
  ...
f04bae1