
Add Postfix spam messages

Open kravietz opened this issue 2 years ago • 7 comments

Detect and block persistent spammers

kravietz avatar Sep 19 '23 15:09 kravietz

@kravietz can you please provide some tests / sample logs? See https://doc.crowdsec.net/docs/next/scenarios/create#create-our-test

buixor avatar Sep 21 '23 09:09 buixor

@buixor Sure, here are just a few recent log entries matched by this rule:

Sep 21 15:55:47 wyse1 postfix/cleanup[53368]: 9E4E52753B: milter-reject: END-OF-MESSAGE from mx.portalokazji24.pl[80.91.223.90]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mx.portalokazji.pl>
Sep 21 15:57:18 wyse1 postfix/cleanup[53368]: 3D92627522: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 15:57:21 wyse1 postfix/cleanup[53368]: 1742D27547: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 15:57:24 wyse1 postfix/cleanup[53368]: BFB2727430: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 16:05:37 wyse1 postfix/cleanup[71047]: 3F06F27539: milter-reject: END-OF-MESSAGE from mail.excellentuniversal.pl[89.46.78.130]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.excellentuniversal.pl>

kravietz avatar Sep 21 '23 15:09 kravietz

Another question: any reason you didn't incorporate it within the current postfix-logs parser under crowdsecurity/postfix-logs? Just wanted to know if there was anything specific.

LaurenceJJones avatar Sep 21 '23 15:09 LaurenceJJones

@LaurenceJJones No, I did it in a separate file exclusively to avoid messing up the existing parser but once you're happy with it it would absolutely make sense to keep them in one file.

kravietz avatar Sep 22 '23 08:09 kravietz

> Another question: any reason you didn't incorporate it within the current postfix-logs parser under crowdsecurity/postfix-logs? Just wanted to know if there was anything specific.

It has now been merged into the main postfix-logs.yaml file.

kravietz avatar Feb 28 '24 21:02 kravietz

Sample log for the third (SASL bruteforcing) rule:

Feb 28 13:41:10 mail postfix/smtpd[98013]: warning: unknown[114.243.105.223]: SASL PLAIN authentication failed: (reason unavailable), [email protected]

kravietz avatar Feb 28 '24 21:02 kravietz
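The two log shapes posted above (the `milter-reject ... Spam message rejected` lines from `postfix/cleanup` and the `SASL ... authentication failed` warning from `postfix/smtpd`) are what the parser has to pull a source IP out of, and the scenario then has to decide when repeated hits from one IP become a ban. As an added example, not the hub parser, not the YAML scenarios, and not code from this PR, here is the same parse-then-threshold logic in plain Python: two regexes modelled on the sample lines, and a per-IP sliding window standing in for CrowdSec's leaky bucket. Every log line, hostname and address in `SAMPLE_LOG` is constructed for the example (RFC 5737 documentation ranges), and the capacities and windows in `THRESHOLDS` are illustrative assumptions, not the values used in the merged scenarios.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regexes written for this example, modelled on the lines posted in the thread.
# They are NOT the grok patterns from crowdsecurity/postfix-logs.
SYSLOG_PREFIX = (
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[\d+\]: "
)
# postfix/cleanup: milter rejected the message body as spam (tempfail 4.7.1 in the samples)
MILTER_REJECT = re.compile(
    SYSLOG_PREFIX
    + r"(?P<qid>\w+): milter-reject: (?P<stage>[A-Z-]+) from (?P<rdns>\S+)"
    + r"\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d\.\d\.\d) Spam message rejected;"
)
# postfix/smtpd: failed SASL login (credential brute force)
SASL_FAILED = re.compile(
    SYSLOG_PREFIX
    + r"warning: (?P<rdns>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    + r"SASL (?P<mech>\S+) authentication failed:"
)

# Illustrative assumptions: N hits from one IP inside the window triggers an alert.
THRESHOLDS = {
    "postfix-spam": (3, timedelta(minutes=10)),
    "postfix-sasl-bf": (5, timedelta(minutes=10)),
}

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 21 15:55:47 mx1 postfix/cleanup[53368]: 9E4E52753B: milter-reject: END-OF-MESSAGE from mail.example.net[192.0.2.10]: 4.7.1 Spam message rejected; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>
Sep 21 15:57:18 mx1 postfix/cleanup[53368]: 3D92627522: milter-reject: END-OF-MESSAGE from unknown[198.51.100.7]: 4.7.1 Spam message rejected; from=<x@example.top> to=<b@example.org> proto=ESMTP helo=<info.example.top>
Sep 21 15:57:21 mx1 postfix/cleanup[53368]: 1742D27547: milter-reject: END-OF-MESSAGE from unknown[198.51.100.7]: 4.7.1 Spam message rejected; from=<x@example.top> to=<b@example.org> proto=ESMTP helo=<info.example.top>
Sep 21 15:57:24 mx1 postfix/cleanup[53368]: BFB2727430: milter-reject: END-OF-MESSAGE from unknown[198.51.100.7]: 4.7.1 Spam message rejected; from=<x@example.top> to=<b@example.org> proto=ESMTP helo=<info.example.top>
Sep 21 15:58:00 mx1 postfix/smtpd[53370]: connect from unknown[203.0.113.5]
Sep 21 16:00:01 mx1 postfix/smtpd[53370]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: (reason unavailable), user@example.org
Sep 21 16:00:02 mx1 postfix/smtpd[53370]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: (reason unavailable), user@example.org
Sep 21 16:00:03 mx1 postfix/smtpd[53370]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: (reason unavailable), admin@example.org
Sep 21 16:00:04 mx1 postfix/smtpd[53370]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: (reason unavailable), user@example.org
Sep 21 16:00:05 mx1 postfix/smtpd[53370]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: (reason unavailable), user@example.org
Sep 21 16:30:00 mx1 postfix/smtpd[53370]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: (reason unavailable), user@example.org
"""


def parse_line(line, year=2023):
    """Return {'kind','ts','ip','rdns'} for a matching line, else None.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    for kind, rx in (("postfix-spam", MILTER_REJECT), ("postfix-sasl-bf", SASL_FAILED)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return {"kind": kind, "ts": ts, "ip": m.group("ip"), "rdns": m.group("rdns")}
    return None


def detect(events, capacity, window):
    """Sliding-window approximation of a leaky bucket: keep an IP only if at least
    `capacity` events of one kind land inside `window`. Returns {(kind, ip): first_trigger_ts}."""
    alerts = {}
    seen = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["kind"], ev["ip"])
        q = seen[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= capacity and key not in alerts:
            alerts[key] = ev["ts"]
    return alerts


def analyse(lines, year=2023):
    """Parse every line, then apply the per-kind threshold. Keyed by IP, never by rDNS:
    'unknown' and forward-confirmed names are attacker-controlled or missing."""
    events = [ev for ev in (parse_line(l, year) for l in lines) if ev]
    alerts = {}
    for kind, (capacity, window) in THRESHOLDS.items():
        alerts.update(detect([e for e in events if e["kind"] == kind], capacity, window))
    return alerts


if __name__ == "__main__":
    for (kind, ip), ts in sorted(analyse(SAMPLE_LOG.splitlines()).items()):
        print(f"{ts}  {kind:16s}  ban {ip}")
```

Two things the sample data makes visible. The milter verdict in the posted lines is `4.7.1`, a temporary failure, so a rejected sender retries and the same IP legitimately shows up several times within seconds (the three `111.229.236.100` lines above are 3 seconds apart); that is why the decision belongs in a thresholded scenario rather than a parser that bans on the first reject. And the `connect from` line in the sample is deliberately not matched, which is what keeps a noisy connection log from inflating the bucket.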

@LaurenceJJones Does this need any further updates or change on my side?

kravietz avatar Mar 09 '24 18:03 kravietz