I've been working on my anti-spam CentOS mail server for a while now and thought I would share how fail2ban has helped. I installed fail2ban a few weeks back. It was tough to get it working properly, but it's pretty much working now. Although it works fine for brute force, I thought I would run it pretty tough against spammers.

I started with a regular mail server, my old one, that is horrendously pounded daily by spammers and has been for years. I installed CentOS 6 and used Postfix to replace my 5.x and sendmail system. As I added some smtpd restrictions I noticed an immediate drop in spam getting through... 'til the next day, when spam from new sources arrived. Then I would add more smtpd restrictions and the same thing happened. I get the feeling that they go for low-hanging fruit, and when they see that stop, they go a step higher. Eventually I ran out of smtpd restrictions and still a lot was getting through. I used SpamAssassin to tag mails, but not delete them... I wanted to find out who it was and stop them, not delete them.

Then I started adding RBL rejects. That too had the same effect... a day with little spam, then the next day a whole new set would hit me. Then I added a ton of RBLs like Spamhaus, etc.... even APEWS. That really stopped what was getting through, and my mail logs went from 30 MB a day to 5 MB (this was for a one-email-address server, one that is seldom used at all). 5 MB of rejects; rarely would one ever get through.

I wanted to limit those log sizes, so with fail2ban I decided to start banning any IP that made more than 2 attempts to send mail if they were rejected by an RBL, bad HELO, or non-existent recipient. Basically all the rejects that my smtpd restrictions were using. First day, much fewer attacks; log files went to less than 1 MB. Then starting the second day, and every day thereafter, the attacks started...
Each day one or two IPs now send a concurrent blast to the site, just a connect but not trying to send anything... then that IP goes for SASL auth, but never sends a user/pass... then it sends an encrypted pass... then it is finally taken out by fail2ban. Also, the attacks on bad addresses have now greatly increased. I am now banning 1,000 IPs a day with fail2ban (I have it set for a 5-day ban to test it)... but each day 1,000 new ones go after it. I have logs going back 4 years (logwatch) and can definitely see that these newer IPs were not used before. I think I made them mad... lol

Working on adding some kind of regex to fail2ban to look for concurrent attacks. I find it rather interesting, after analyzing my spam, how it seems to fall into about 10 or 12 different formats and that is about it... I found it very interesting that as I really started rejecting, places like ovh.net suddenly cropped up pounding me. Vocus, Constant Contact, etc. really went into overdrive once I had it set up. I am starting to see a real pattern to all this. I would love to see someone do a case study on spam attacks. Their system seems well honed to scale up with your defenses until they finally have to 'appear' on their real computers like the ovh.net servers, and many more hosts, and through legitimate (ha ha) spammers like Vocus, Constant Contact, etc.

Here is the logwatch output from today for fail2ban and Postfix, if you want to see how much I get each day:
http://www.politicalgateway.com/postfix.txt
http://www.politicalgateway.com/fail2ban.txt
This is for a one-email-address mail server that never had other addresses used. It was a somewhat popular site for candidates for a few years, but has been closed down for about 3 years. Usually not one email gets through for days, spam that is. And those reports are after about 4 days of long-term IP bans. My log file size is now about 1 MB, down from 5 MB thanks to fail2ban. Quite an experience.
Going to work on consolidating all those banned IPs and see if I can find an 'iptables drop' solution for most of them. Fail2ban really helps out with the number of times these bozos try to send a mail. Instead of 100 times, they get 2 off, then they're banned. That has really helped the server out. Can't sue anyone under the CAN-SPAM Act, but places like vocus.com and the like... thinking of suing them for harassment and DDoS attacks... maybe then they will stop sending me their legitimate spam.
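The banning rule the post describes (an IP gets two rejects for an RBL hit, a bad HELO or an unknown recipient, and then it is banned) is exactly what a fail2ban filter plus `maxretry`/`findtime` does. The script below is an added example, written for this page and not the poster's own configuration or fail2ban's shipped `filter.d/postfix.conf`: it runs fail2ban-style matching over a handful of constructed Postfix `maillog` lines and reports which IPs would be banned and what kind of reject each line was. The two regexes, the category names, the 2013 year used to parse syslog timestamps and the `jail.local` fragment in the trailing comment are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Syslog prefix as Postfix writes it to /var/log/maillog ("Dec  3 10:15:01").
SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"

# Hypothetical failregex-style patterns for this example (not fail2ban's own).
# Each captures the offending client as <ip>; the reject pattern also keeps
# the reject text as <reason> so it can be categorised.
PATTERNS = [
    # Rejects produced by smtpd_*_restrictions: RBL, HELO, unknown recipient ...
    (re.compile(SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
                r"\S+\[(?P<ip>[0-9a-fA-F:.]+)\]: \d{3} \d\.\d\.\d (?P<reason>.*)$"), None),
    # SASL auth failures (the "goes for sasl auth, never sends a user/pass" pattern)
    (re.compile(SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: warning: "
                r"\S+\[(?P<ip>[0-9a-fA-F:.]+)\]: SASL \S+ authentication failed"), "sasl"),
]


def classify(reason):
    """Bucket a Postfix reject reason into the categories the post bans on."""
    if "blocked using" in reason:
        return "rbl"
    if "Helo command rejected" in reason:
        return "helo"
    if "Recipient address rejected" in reason:
        return "recipient"
    return "other"


def scan(lines, maxretry=2, findtime=600, year=2013):
    """Return (banned IPs in ban order, Counter of reject categories).

    Mirrors fail2ban semantics: an IP is banned as soon as it has `maxretry`
    matching failures inside a sliding window of `findtime` seconds. Lines
    from an already-banned IP are still counted in the category summary but
    cannot ban it twice. `year` is assumed because syslog stamps carry none.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    banned = []
    categories = Counter()
    for line in lines:
        for pattern, kind in PATTERNS:
            m = pattern.match(line)
            if m:
                break
        else:
            continue  # connects, disconnects, accepted mail: not a failure
        ip = m.group("ip")
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        categories[kind or classify(m.group("reason"))] += 1
        if ip in banned:
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= maxretry:
            banned.append(ip)
    return banned, categories


# Constructed sample log (not real traffic); documentation-range addresses only.
SAMPLE_LOG = """\
Dec  3 10:15:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Dec  3 10:15:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<b@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Dec  3 10:16:00 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 <foo>: Helo command rejected: need fully-qualified hostname; from=<c@example.net> to=<bob@example.org> proto=SMTP helo=<foo>
Dec  3 10:16:02 mx postfix/smtpd[1235]: disconnect from unknown[198.51.100.7]
Dec  3 10:40:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<d@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
Dec  3 10:41:00 mx postfix/smtpd[1241]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  3 10:41:05 mx postfix/smtpd[1241]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  3 10:42:00 mx postfix/smtpd[1242]: 1A2B3C4D5E: client=mail.example.com[192.0.2.50]
""".splitlines()

# Assumed jail.local fragment that would apply the same rule (example only):
#   [postfix-rejects]
#   enabled  = true
#   filter   = postfix-rejects       ; a filter.d file carrying the regexes above
#   logpath  = /var/log/maillog
#   maxretry = 2
#   findtime = 600
#   bantime  = 432000                ; 5 days, the test ban length from the post
#   action   = iptables-multiport[name=postfix, port="smtp,submission"]

if __name__ == "__main__":
    bans, cats = scan(SAMPLE_LOG)
    print("banned:", bans)                 # ['203.0.113.5', '192.0.2.9']
    print("rejects by kind:", dict(cats))  # {'rbl': 2, 'helo': 1, 'recipient': 1, 'sasl': 2}
```

Note what the `findtime` window does: 198.51.100.7 has two rejects (a bad HELO, then an unknown recipient) but 24 minutes apart, so with the default 600-second window it is never banned; widen `findtime` to an hour and it is. That is the knob to turn for the slow, spread-out probing the post describes, rather than lowering `maxretry` further. When porting the patterns into a real `filter.d` file, replace the `(?P<ip>...)` group with fail2ban's `<HOST>` placeholder and run `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/<name>.conf` to check the match count before enabling the jail.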