Stop spam attack with fail2ban

For weeks I have seen constant spam attacks in the logs, and in fail2ban I have activated the exim-spam filter, but it can't stop it. What can I do?

In the log, every time they make the attack it just continues; it shows:

Rejected because xxx.xx.xx.xx is in a black list at bl.spamcop.net

Wrong tool for the job. Rate limiting should be set on the SMTP server. Here is a relevant discussion:

Doesn’t work for incoming email :slight_smile:

I think I should detect the repetition of "Rejected because xxx.xxx.xxx.xxx is in a black list at "

and block the IP from which there are several attempts, as fail2ban already does with other things.

Thanks for your response.

Welcome to internet :wink:

That is good, the blacklist is working.

If you check your logs, you will probably see the same IP rejected about 100 times in the same second, and then another IP with the same pattern; those are botnets and are really hard to stop. If you see those IPs coming from specific countries and you have no clients from those countries, you could add an ipset for that country and create a rule to drop connections from that ipset. You could also add a blacklist ipset, or create a rule using iptables to limit the maximum number of connections per IP.

I added this rule to fail2ban exim filter to do exactly that:

^.*Rejected because <HOST> is in a black list at.*$

But as I said, the connections come from the same IP in the same second and after that they change the IP, so the rule will, yes, ban a lot of IPs, but those IPs are not usually used again.

Let me ask you about that last one…
Do you do it in /etc/fail2ban/filter.d/exim.conf?

Yes, in the /etc/fail2ban/filter.d/exim.conf file, add it to the failregex directive:

failregex = ^.*Rejected because <HOST> is in a black list at.*$
            ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            <mdre-<mode>>
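As an added example (not from the thread and not fail2ban's own code), the following Python emulates what a jail does with the two failregex lines discussed above: the blacklist rule the poster added and the stock "rejected RCPT" rule that covers "Sender verify failed". It uses simplified stand-ins for `<HOST>`, `%(pid)s` and `%(host_info)s` (assumption: fail2ban's real definitions in exim-common.conf are broader and also match host names and IPv6), strips the timestamp before matching the way fail2ban does (the remainder keeps its leading space, which is why the stock patterns start with `^%(pid)s` followed by a space), and then counts matches per host against maxretry/findtime. The log lines are constructed with documentation addresses, not taken from anyone's server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-ins (assumption) for fail2ban's <HOST> tag and for the
# %(pid)s / %(host_info)s substitutions that exim-common.conf provides.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
SUBS = {
    "pid": r"(?: \[\d+\])?",
    "host_info": (r"(?:H=(?:[\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)?"
                  r"(?: I=\[\S+\](?::\d+)?)?(?: U=\S+)?(?: P=e?smtps?a?)?"
                  r"(?: F=(?:<>|<?[^@\s]+@\S+>?))?\s"),
}

# The two patterns from the thread: the added blacklist rule and the stock
# "rejected RCPT" rule that matches the "Sender verify failed" lines.
FAILREGEX = [
    r"^.*Rejected because <HOST> is in a black list at.*$",
    r"^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: "
    r"(?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$",
]

DATE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")


def compile_failregex(patterns):
    """Expand %(name)s first, then <HOST> (host_info itself contains <HOST>)."""
    return [re.compile((p % SUBS).replace("<HOST>", HOST)) for p in patterns]


def match_line(line, regexes):
    """Return (timestamp, host) if the line matches a failregex, else None.
    The date is cut off and the rest of the line (leading space included)
    is what the failregex is anchored against."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")
    rest = line[m.end():]
    for rx in regexes:
        hit = rx.search(rest)
        if hit:
            return ts, hit.group("host")
    return None


def run_jail(lines, maxretry=5, findtime=600):
    """Emulate the jail decision: a host is banned once it has at least
    maxretry matches within findtime seconds. Returns hosts in ban order."""
    regexes = compile_failregex(FAILREGEX)
    history = defaultdict(deque)
    banned = []
    for line in lines:
        hit = match_line(line, regexes)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        q = history[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()          # drop attempts older than findtime
        if len(q) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample log (documentation addresses): one host bursting six
# "Sender verify failed" rejections in the same second, two blacklisted hosts
# that each connect once, and one unrelated line that must not match.
SAMPLE_LOG = (
    ["2023-09-15 08:47:07 H=mail.example.net [192.0.2.10] F=<bob@example.net> "
     "rejected RCPT <alice@example.org>: Sender verify failed"] * 6
    + ["2023-09-15 08:47:09 H=([198.51.100.7]) [198.51.100.7] F=<x@example.com> "
       "rejected RCPT <alice@example.org>: Rejected because 198.51.100.7 is in a black list at bl.example",
       "2023-09-15 08:47:10 [4242] H=([198.51.100.8]) [198.51.100.8] F=<> "
       "rejected RCPT <alice@example.org>: Rejected because 198.51.100.8 is in a black list at bl.example",
       "2023-09-15 08:47:11 H=relay.example.com [203.0.113.5] F=<ok@example.com> completed"]
)

if __name__ == "__main__":
    print("banned with maxretry=5:", run_jail(SAMPLE_LOG))
    print("banned with maxretry=1:", run_jail(SAMPLE_LOG, maxretry=1))
```

With the default maxretry of 5 only the bursting host is banned; the two blacklisted hosts that connect once each never reach the threshold, which is exactly the rotating-IP behaviour described later in the thread. Lowering maxretry to 1 for the blacklist rule bans them on first sight, at the cost of more bans of addresses that, as noted above, rarely come back. The `^.*` prefix on the blacklist rule is also more expensive to evaluate than an anchored pattern, so on a busy log it is worth testing with `fail2ban-regex` before enabling it.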

Thank you, thank you very much… at least now I don’t see the large number of connections and attempts to send emails.
The view of the terminal is much cleaner.


I accidentally overwrote my existing exim.conf filter :frowning: – could one of you put the whole contents of the exim.conf file in here please? Thanks a lot!

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

# Pre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
            <mdre-<mode>>

mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$

mdre-normal =

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match flood and ddos-similar log-entries like:
#   'no host found for IP', 'no IP found for host'.
# Note this is not an authentication failures, so it may produce lots of false
# positives on misconfigured MTAs.
# Ex.:
#   filter = exim[mode=aggressive]
mode = normal

ignoreregex =

# DEV Notes:
# The %(host_info) definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to avoid capturing beyond ")" and so avoid a DoS injection vulnerability, as input= is
# user-injectable data.
#
# Author: Cyril Jaquier
#         Daniel Black (rewrote with strong regexs)
#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)


It's what I was looking for! Perfect, thanks!


A question to finish cleaning up the terminal…
To avoid this type of repeated message:
2023-09-14 16:17:24 H=([8.27.116.24]) [8.27.116.24] F=[email protected] temporarily rejected RCPT [email protected]: Could not complete sender verify
(I don’t hide the IP because he is a bad boy and deserves to be locked up and punished until dawn)
What should I put in the failregex?

Use this regex:

^%(pid)s %(host_info)stemporarily rejected RCPT [^@]+@\S+: (?:Could not complete sender verify)\s*$

Fantastic… with that line plus the previous one, the terminal view is much cleaner.
Thanks


But I had just finished writing that and these lines appeared (there were more, I cut some out):

2023-09-15 08:47:07 H=bb219-75-28-15.singnet.com.sg [219.75.28.15] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2023-09-15 08:47:07 H=bb219-75-28-15.singnet.com.sg [219.75.28.15] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2023-09-15 08:47:07 H=bb219-75-28-15.singnet.com.sg [219.75.28.15] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2023-09-15 08:47:07 H=bb219-75-28-15.singnet.com.sg [219.75.28.15] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed

Anyway… they have me rotten

Use this, it saves a lot of spam shit…

Keep in mind that those entries are handled by a default regex included in exim.conf, not by the last one you added:

^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$

Another option is to add a custom firewall rule to drop/reject connections if more than x connections are made in y seconds, but it could cause issues for real users, so those rules are a bit dangerous.
