Script to auto add IP to firewall block?

sams2526 · May 17, 2025, 8:00am

Getting a lot of grief from russia/china where they keep hitting an invalid email address. my log rotate is getting a good cardio wortkout ATM from these clowns.

Is there a simple means to grep for access to like “[email protected]” grab IP and auto add them to block list if not there already?!

hoping i can do some cron script every half hour and such to stop this mess. I got one specific domain that is in the top million and has been as low as 340k. i block a few countries via the cdn level but they do direct access too as its trivial to get info on mx servers and such.

nu01 · May 17, 2025, 8:18am

Using ip lists to block as well? I am using those, + my own blacklists which I keep adding manually.

sams2526 · May 17, 2025, 9:07am

hoping for something simple. i do the bgp ips in web admin atm and its cumbersome

sahsanu · May 17, 2025, 10:56am

Yes, you can create a script to do that but if you don’t have customers/users from x country, you can block the entire country using ipset as @nu01 suggested.

The source to get the list of ips https://github.com/ipverse/rir-ip

1.- Create an ipset using the above repo as source, example source url for ru:

https://raw.githubusercontent.com/ipverse/rir-ip/refs/heads/master/country/ru/ipv4-aggregated.txt

2.- Once the new ipset has been added, you can create new firewall rules to DROP connections from that ipset.

More info:
how-do-i-setup-an-ipset-blacklist-or-whitelist
how-can-i-open-or-block-a-port-or-ip

sams2526 · May 17, 2025, 12:46pm

was quite simple to setup TY TY TY

sams2526 · May 24, 2025, 2:53am

Still happening - i think they must be using a large botnet of proxies or something because as soon as i block them, they redirect via another random IP.

Is there and easy way to remove all the emails sent to [email protected] from the mailq?!

nu01 · May 24, 2025, 4:03am

These ipsets are updated daily, and hestia has firewall also auto refreshing your list.
I do the same to my server. Have added around 10+ such lists and my own list of 10K+ blocks, including email spammers.
However no way to auto block as no direct way to identify/determine it as a spammer IP.

Guess only delete / expunge the mail queue/lot. Also, run a blocklist of email spammers to have them blocked at gate itself by server spamassassin kind of service.

sams2526 · May 24, 2025, 1:23pm

sent to fixed and invalid local email address.. this works:

exim -bp | grep [email protected] | sed -r ‘s/(.{10})(.{16}).*/\2/’ | xargs exim -Mrm

just replace [email protected] with w/e youre aiming at

sahsanu · May 25, 2025, 12:00am

Maybe I’m misunderstanding the problem, but if the account [email protected] doesn’t exist and example.com is a local mail domain, there shouldn’t be any messages in Exim’s mail queue. The message should be rejected during the SMTP connection.

sams2526 · May 25, 2025, 11:23am

nobody is what they were sending to (isnt an account here) and @example.com was just a privacy thing. Was actually my server hostname.

sahsanu · May 25, 2025, 4:23pm

Sorry, I don’t understand.

If example.com is your server’s hostname and you did add it in Hestia as a mail domain, then the emails should be rejected during the SMTP connection because the nobody account does not exist.

If example.com is your server’s hostname and you did not add it in Hestia as a mail domain, the emails should still be rejected because that domain is not considered a local domain managed by Exim… or I missed something.

What I don’t understand is how these emails ended up in Exim’s queue.

It would make sense if you had a catch-all account for example.com, if your mail server is misconfigured and acting as an open relay, or if someone is using valid login credentials to send those emails.

sams2526 · May 29, 2025, 2:30am

semantics aside. it was a legit issue. they stopped now.