[CentOS] Spam, fail2ban and centos

Wed May 9 16:07:06 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

Been working on my anti-spam centos mailserver for a while now and 
thought I would share fail2ban's help.

I installed fail2ban a few weeks back. It was tough to get it working 
properly but pretty much working now.
Although it works fine for brute force, I thought I would run it pretty 
tough against spammers.

I started with a regular mail server, my old one, that is horrendously 
pounded daily by spammers and has been for years.
I installed centos 6 and used postfix to replace my 5.x and sendmail system.

As I added some smtpd restrictions I noticed an immediate drop in spam 
getting through... till the next day, when spam from new sources arrived.
Then I would add more smtpd restrictions and the same thing happened.

I get the feeling that they go for low-hanging fruit and when they see 
that stop, they go a step higher.
Eventually I ran out of smtpd restrictions and still a lot was getting through.
I used spamassassin to tag mails, but not delete. I wanted to find out 
who it was and stop them, not delete them.

Then I started adding rbl rejects.
That too had the same effect: a day with little spam, then the next day a 
whole new set would hit me.
Then I added a ton of rbls like spamhaus, etc.... Even apews.

That really stopped what was getting through and my mail logs went from 
30 MB a day to 5 MB
(this was for a one-email-address server, one that is seldom used at all).
5 MB of rejects; rarely would one ever get through.

I wanted to limit those log sizes, so with fail2ban I decided to start 
banning any IP that made more than 2 attempts to send mail if they were 
rejected by an rbl, bad helo, or nonexistent recipient. Basically all the 
rejects that my smtpd restrictions were using.

First day, far fewer attacks; log files went to less than 1 MB.
Then starting the second day and every day thereafter the attacks started.

Each day one or two IPs now send a concurrent blast to the site, just a 
connect but not trying to send anything. Then that IP goes for sasl auth, 
but never sends a user/pass. Then it sends an encrypted pass. Then it is 
finally taken out by fail2ban.

Also, the attacks with bad addresses have now greatly increased. I am now 
banning 1,000 IPs a day with fail2ban (I have it set for a 5-day ban to 
test it), but each day 1,000 new ones go after it.

I have logs going back 4 years (logwatch) and can definitely see that 
these newer IPs were not used before.

I think I made them mad... lol

Working on adding some kind of regex to fail2ban to look for concurrent 
attacks.

I find it rather interesting, after analyzing my spam, how it seems to 
fall into about 10 or 12 different formats and that is about it.

I found it very interesting that as I really started rejecting, places 
like ovh.net suddenly cropped up pounding me.
Vocus, Constant Contact, etc. really went into overdrive once I had it 
set up.

I am starting to see a real pattern to all this.

I would love to see someone do a case study on spam attacks. Their 
system seems well honed to scale up with your defenses until they 
finally have to 'appear' on their real computers like the ovh.net 
servers, and many more hosts, and through legitimate (ha ha) spammers 
like Vocus, Constant Contact, etc.

Here is the logwatch from today for fail2ban and postfix if you want to 
see how much I get each day:
http://www.politicalgateway.com/postfix.txt
http://www.politicalgateway.com/fail2ban.txt

This is for a one-email-address mailserver that never had other 
addresses used. It was a somewhat popular site for candidates for a few 
years, but has been closed down for about 3 years.

Usually not one email gets through for days, spam that is.
And those reports are after about 4 days of long-term IP bans.

My log file size is now about 1 MB, down from 5 MB thanks to fail2ban.

Quite an experience.
Going to work on consolidating all those banned IPs and see if I can 
find an 'iptables drop' solution for most of them.

Fail2ban really helps out in the number of times these bozos try to send 
a mail. Instead of 100 times, they get two off and then are banned.
That has really helped the server out.

Can't sue anyone under the CAN-SPAM Act, but places like vocus.com and 
the like... I'm thinking of suing them for harassment and DDoS attacks. 
Maybe then they will stop sending me their legitimate spam.
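The banning rule described in the post (a second Postfix rejection by an RBL, bad HELO or unknown recipient from the same IP triggers a 5-day ban), worked through as an added Python example that is not from the post or from the fail2ban project. The failregex patterns, the findtime window and the maillog lines are assumptions modelled on common Postfix smtpd reject messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban-style failregex lines for the three Postfix rejections the post bans on.
# fail2ban substitutes <HOST> with its own address pattern; we do the same below.
# (Assumed patterns modelled on common Postfix reject text, not a shipped filter.)
FAILREGEX = [
    r"reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*blocked using",               # RBL reject
    r"reject: RCPT from \S+\[<HOST>\]: 504 5\.5\.2 .*Helo command rejected",       # bad HELO
    r"reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*Recipient address rejected",  # unknown rcpt
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]
TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

MAXRETRY = 2             # jail.conf maxretry = 2: banned on the second failure
FINDTIME = 600           # assumed window (seconds) the failures must fall inside
BANTIME = 5 * 24 * 3600  # the post's 5-day ban

# Constructed sample of /var/log/maillog lines (not from the poster's server).
SAMPLE_LOG = """\
May  9 16:01:00 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.com> to=<bob@example.org> proto=ESMTP helo=<x>
May  9 16:01:20 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.com> to=<bob@example.org> proto=ESMTP helo=<x>
May  9 16:02:00 mx postfix/smtpd[2232]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 504 5.5.2 <foo>: Helo command rejected: need fully-qualified hostname; from=<b@example.com> to=<bob@example.org> proto=ESMTP helo=<foo>
May  9 16:02:30 mx postfix/smtpd[2233]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.12]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
May  9 16:40:00 mx postfix/smtpd[2234]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.12]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
May  9 16:41:00 mx postfix/smtpd[2235]: 3B1C2A0: client=mail.example.org[192.0.2.13]
"""

def failures(lines, year=2012):
    """Yield (timestamp, ip) for every line that matches one of the failregexes."""
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                stamp = TS.match(line).group(1)   # syslog has no year; caller supplies it
                yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group("host")
                break

def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban expiry} for IPs with >= maxretry failures inside findtime."""
    recent, banned = defaultdict(list), {}
    for ts, ip in failures(lines):
        if ip in banned:          # already dropped by iptables; nothing more to count
            continue
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
    return banned
```

With the sample above only 192.0.2.10 is banned: 192.0.2.12 also fails twice, but 37 minutes apart, so the two hits never fall inside one findtime window.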