Massive incoming spam attack

Hello, for some days now I have been experiencing massive incoming spam attacks on all hosted domains. I block a lot of TLDs through the Exim config, but would there be a way to just block the IP address after a few attempts at sending to non-existent e-mail addresses? Now it just goes on and on throughout the day.

Thanks in advance

2023-05-23 00:10:12 H=110-25-99-34.adsl.fetnet.net [110.25.99.34] F=<[email protected]> rejected RCPT <[email protected]>: Your tld has been blacklisted for sending SPAM.
2023-05-23 22:45:23 H=(188.22.189.118.static.m1net.com.sg) [118.189.22.188] F=<[email protected]> rejected RCPT <[email protected]>: Your tld has been blacklisted for sending SPAM.
1 Like

You are not the only one…

Update /etc/fail2ban/jail.conf

And update
[exim-iptables]

to
[exim-iptables]
enabled = true
filter = exim
action = hestia[name=MAIL]
logpath = /var/log/exim4/mainlog
maxretry = 5
bantime = 24h
findtime = 1m

2 Likes

Thank you very much @eris. I updated /etc/fail2ban/jail.conf and restarted fail2ban + a server reboot but it didn’t work just yet. Any other thoughts on how to solve this?

[ssh-iptables]
enabled  = true
filter   = sshd
action   = hestia[name=SSH]
logpath  = /var/log/auth.log
maxretry = 0
# Override the default value - overwrites, does not merge. 
# Home / location a / location b
ignoreip = xx.xx.xxx.x xx.xxx.xx.xxx xx.xxx.xxx.xxx

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = hestia[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 2

[exim-iptables]
enabled = true
filter = exim
action = hestia[name=MAIL]
logpath = /var/log/exim4/mainlog
maxretry = 5
bantime = 24h
findtime = 1m

[dovecot-iptables]
enabled  = true
filter   = dovecot
action   = hestia[name=MAIL]
logpath  = /var/log/dovecot.log
maxretry = 2

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = hestia[name=DB]
logpath  = /var/log/mysql/error.log
maxretry = 3

[hestia-iptables]
enabled  = true
filter   = hestia
action   = hestia[name=HESTIA]
logpath  = /var/log/hestia/auth.log
maxretry = 3

[roundcube-auth]
enabled  = false
filter   = roundcube-auth
action   = hestia[name=WEB]
logpath  = /var/log/roundcube/errors.log
maxretry = 3

[recidive]
enabled  = true
filter   = recidive
action   = hestia[name=RECIDIVE]
logpath  = /var/log/fail2ban.log
maxretry = 2
findtime = 86400
bantime  = 864000

# List of safe IP addresses
# NAME / HOME

[DEFAULT]
ignoreip = 
 xx.xx.x.xx
 xx.xxx.xx.xx
 xx.xxx.xxx.xxx
2023-05-24 09:50:26 H=([185.255.212.178]) [185.255.212.178] F=<[email protected]> rejected RCPT <[email protected]>: Your tld has been blacklisted for sending SPAM.

I think because you blacklisted the TLD the regex in exim filter doesn’t work…
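The mismatch suggested in the reply above can be reproduced offline. This is an added example, not code from the thread, Hestia or fail2ban: it assumes the installed exim filter accepts only a fixed set of RCPT reject reasons (check `/etc/fail2ban/filter.d/exim.conf` for the real list), uses the `maxretry = 5` / `findtime = 1m` values from the jail above, and runs over constructed log lines with documentation-range IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Host part of an exim mainlog reject line: "H=<helo> [<ip>] F=<sender> ".
HOST_INFO = r"H=\S+ \[(?P<host>[0-9A-Fa-f.:]+)\](?::\d+)? (?:\S+=\S+ )*"

# Assumption: the active filter only knows these fixed reject reasons.
NARROW_REASONS = (
    "relay not permitted",
    "Sender verify failed",
    "Unknown user",
    "Unrouteable address",
)
# The two custom reject messages that appear in the thread's log excerpts.
CUSTOM_REASONS = (
    r"Your tld has been blacklisted for sending SPAM\.",
    r"Rejected because \S+ is in a black list at \S+",
)


def build_failregex(reasons):
    """Compile a 'rejected RCPT' pattern that accepts only the given reasons."""
    return re.compile(
        r"^" + HOST_INFO + r"rejected RCPT [^@]+@\S+: (?:"
        + "|".join(reasons) + r")\s*$"
    )


NARROW = build_failregex(NARROW_REASONS)
WIDE = build_failregex(NARROW_REASONS + CUSTOM_REASONS)


def find_bans(log_text, failregex, maxretry=5, findtime=60):
    """Return {ip: time of ban} for IPs with >= maxretry matching lines
    inside any findtime-second window, mimicking a fail2ban jail."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of recent matches
    banned = {}
    for line in log_text.splitlines():
        try:
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue              # not a timestamped log line
        m = failregex.match(line[20:])
        if not m:
            continue              # line is invisible to this filter
        ip = m.group("host")
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop matches older than findtime
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def _line(ts, ip, rcpt, reason):
    # Constructed line in the same layout as the excerpts in the thread.
    return (f"{ts} H=([{ip}]) [{ip}] F=<sender@example.test> "
            f"rejected RCPT <{rcpt}@example.org>: {reason}")


# Constructed sample log (all addresses are placeholders).
SAMPLE_LOG = "\n".join(
    # Burst rejected by the custom TLD rule.
    [_line("2023-05-24 09:50:26", "203.0.113.7", f"u{i}",
           "Your tld has been blacklisted for sending SPAM.") for i in range(6)]
    # Burst rejected by the DNSBL rule.
    + [_line("2023-05-24 10:09:16", "198.51.100.9", f"v{i}",
             "Rejected because 198.51.100.9 is in a black list at bl.spamcop.net")
       for i in range(5)]
    # Burst with a reason the narrow filter does know.
    + [_line(f"2023-05-24 11:00:0{i}", "192.0.2.40", f"w{i}", "Unknown user")
       for i in range(5)]
    # Same reason, but spread out beyond findtime: never reaches maxretry.
    + [_line(f"2023-05-24 12:0{2 * i}:00", "192.0.2.41", f"x{i}", "Unknown user")
       for i in range(5)]
)

if __name__ == "__main__":
    for name, rx in (("narrow", NARROW), ("wide", WIDE)):
        print(name, sorted(find_bans(SAMPLE_LOG, rx)))
```

On a live system, `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf` reports how many lines of the real log the installed filter matches.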

Okay, thank you, I’ll disable that to see if it works. Is there a way to set an order of effect?
Btw, it also doesn’t work for incoming messages (200 attempts in a split second: literally one hundredth of a second) that aren’t blocked by my TLD list but are blocked because of spamcop.net.

2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <attila@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <gde2r3d6boiu@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <elene@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <federica@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <emarketing@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <redacao@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <hamburg@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <shell@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <kyra@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <gleb@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <comp@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <charly@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <yun@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <mie@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <emailinfo@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <amorris@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <ol@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <judi@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <swati@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <solange@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <eleni@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net
2023-05-24 10:09:16 H=([130.185.96.109]) [130.185.96.109] F=<[email protected]> rejected RCPT <ea16o4txkn8bk9@MyVPS>: Rejected because 130.185.96.109 is in a black list at bl.spamcop.net

If 200 emails come in at the same time, fail2ban is probably too slow.

Another option is to use an ipset blacklist.

The default in Hestia works reasonably well for me…

Thank you! I’ll give that a try this afternoon. I do use my own custom ipsets to block different countries and ASNs. I also have the default blacklist enabled in my firewall. How would I create a custom ipset from the logged IPs in exim? Kind regards
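One way to build such a set from the Exim log, as an added example that is not part of the original thread: it counts "rejected RCPT" lines per peer address in a sliding window and renders `ipset restore` input. The set name `exim-abuse`, the threshold, the window, the `ALLOW` list and the sample lines are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Peer address: the bracketed value after H= (not the HELO text, not I=[...]).
REJECT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s(?:.*?\s)?(?:H=)?"
    r"\[([0-9A-Fa-f:.]+)\](?::\d+)?\s.*?rejected RCPT\s")
# Assumption: networks that must never be banned (add your own relays here).
ALLOW = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` rejected RCPTs inside one sliding window."""
    recent, flagged = defaultdict(deque), set()
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:          # bracketed text that is not an address
            continue
        if any(ip in net for net in ALLOW):
            continue
        q = recent[ip]
        q.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
        while q[-1] - q[0] > window:   # forget rejections older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged, key=lambda a: (a.version, int(a)))

def ipset_restore(ips, name="exim-abuse", timeout=86400):
    """Render `ipset restore` input: one timed hash:ip set per address family."""
    out = []
    for version, family in ((4, "inet"), (6, "inet6")):
        members = [ip for ip in ips if ip.version == version]
        if members:
            out.append(f"create {name}{version} hash:ip family {family} timeout {timeout}")
            out += [f"add {name}{version} {ip}" for ip in members]
    return out

# Constructed sample in the shape of the thread's log (documentation addresses).
FMT = "2023-05-24 10:{:02d}:16 H=([{ip}]) [{ip}] F=<a@example.invalid> rejected RCPT <u{}@example.test>: listed"
SAMPLE = ([FMT.format(0, i, ip="192.0.2.10") for i in range(6)]            # burst
          + [FMT.format(11 * i, i, ip="198.51.100.7") for i in range(6)]   # slow drip
          + [FMT.format(9, i, ip="2001:db8::25") for i in range(5)])
print("\n".join(ipset_restore(offenders(SAMPLE))))
```

Feed it the lines of the Exim main log and pipe the output to `ipset -exist restore`; the sets only take effect once a firewall rule matches on them.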

Same attack here. I am using DNS-based blacklists, and the senders of this attack are listed on them. Still, they are hammering the door multiple times a second.

I noticed that they are trying to deliver multiple messages in one SMTP session.

Exim tells them they are listed on the blacklist, but then waits for the next command in the same SMTP session. It is better to have exim drop that SMTP session after the blacklist message. You might even consider delaying exim a bit before sending the blacklist message.

This all helps for fail2ban to eventually ban them.

In /etc/exim4/exim4.conf.template, on line 168 (looking at hestiacp/exim4.conf.template at main · hestiacp/hestiacp · GitHub), you can change the “deny” to “drop”, and after line 170, add a line that reads “delay = 8s”.

Thank you @maurice, I just changed according to your suggestion:


  drop    message       = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          hosts         = !+whitelist
          dnslists      = ${readfile {/etc/exim4/dnsbl.conf}{:}}
          delay         = 8s

I will see and inform here how it goes!

I think that fail2ban only affects new incoming TCP connections, not existing ones. This spam run tries to deliver numerous messages in one single SMTP connection, hence we need exim to drop the connection instead of denying the message.

Don’t forget to restart exim after you make changes to the config.

Thanks again @maurice. I observed the logs since yesterday and noticed less peak attacks but there is still a continuous stream of incoming attempts. Would there also be a way to drop any attempt that is rejected because of being listed at bl.spamcop.net? Any other ideas would also be highly appreciated. Thanks!

Basically, you can’t completely stop the attack. You can reduce the volume by using an RBL specifically for spam, like “nixspam”, as I did on my pfSense.
And if you can, use an anti-spam system before your panel.

I don’t know if you can add a DNS blacklist in the GUI (web interface) of Hestia, but you can define them in the file /etc/exim4/dnsbl.conf
With the modifications you did earlier, you will actually drop any attempt that is rejected because of being listed.
