[CentOS] Spam, fail2ban and centos

Thu May 10 16:47:53 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Thu, May 10, 2012 at 10:52 AM, Scott Silva <ssilva at sgvwater.com> wrote:
>>
>> I think you are over-analyzing.  The senders are distributed and shift
>> around whether you do anything defensive or not, and if you have ever
>> accepted an address, even years ago with a system like qmail that
>> accepted without checking anything, then tried to bounce bad
>> addresses, those addresses will be on some lists that are re-tried
>> forever no matter how many times you reject them now.   I haven't
>> watched this for a while but I used to be surprised that even though
>> the senders were spread over hundreds of IPs, the overall rate seemed
>> to be centrally controlled and in what would look like a dictionary
>> attack the list seemed to be sorted, at least in big chunks, across
>> the senders.
>>
> I would turn that address into a spamtrap and use it to reject on your other
> servers...

It wasn't 'an address'.  It was a dictionary attack to thousands of
user names that don't exist at a few domains.   Years ago I had used
an SME server with its stock qmail setup to receive for those domains
- up to the point where accepting/bouncing rejections became
impractical.  But by then the addresses must have gotten on some
'known good' spam list because they had been accepted at least once,
and from then on there was a steady stream of about 50k/day delivery
attempts.  For unrelated business reasons we no longer use those
domains but it went on for years and for all I know the list is still
being used.  After I switched to receiving with sendmail with all the
real users in virtusertable the rate wasn't a problem - rejects happen
very quickly with only a dbm lookup and a default reject rule.

-- 
   Les Mikesell
     lesmikesell at gmail.com
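
Added example, not part of the original message: a sketch of why a per-IP threshold of the kind fail2ban applies sees little in the traffic described above, while the aggregate view (total rejects, number of sources, ordering of the recipient names) shows one list being walked. The log lines are constructed and use a simplified form modelled on sendmail reject entries; the regex, the threshold of 5, and the example.com / 203.0.113.x values are assumptions to adapt to your own logs.

```python
import re
from collections import Counter

# Constructed sample: 40 relays in a documentation range, each trying only
# 3 nonexistent users, with the name list handed out in sorted chunks.
NAMES = [f"user{n:04d}" for n in range(120)]
LOG = [
    f"May 10 10:{i // 60:02d}:{i % 60:02d} mx sendmail[4242]: "
    f"ruleset=check_rcpt, arg1=<{name}@example.com>, "
    f"relay=[203.0.113.{i // 3 + 1}], reject=550 5.1.1 User unknown"
    for i, name in enumerate(NAMES)
]

# Assumed line shape; adjust to the reject entries your MTA actually writes.
REJECT = re.compile(r"arg1=<([^@>]+)@[^>]+>, relay=\[([\d.]+)\], reject=550")


def analyze(lines, per_ip_threshold=5):
    """Compare what a per-IP ban rule would catch with the aggregate picture."""
    hits = [m.groups() for m in map(REJECT.search, lines) if m]
    per_ip = Counter(ip for _, ip in hits)
    # Sources a fail2ban-style "N rejects from one IP" rule would ban.
    banned = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    users = [user for user, _ in hits]
    # Share of consecutive attempts whose local part is in ascending order;
    # a value near 1.0 means a single sorted list is spread across senders.
    pairs = list(zip(users, users[1:]))
    sortedness = sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0
    return {
        "rejects": len(hits),
        "sources": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "banned": banned,
        "sortedness": sortedness,
    }


if __name__ == "__main__":
    for key, value in analyze(LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample no source reaches the ban threshold even though every attempt is a reject, which is the case where a fast reject at RCPT time costs less than tracking senders.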