Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Postfix spam messages #830

Open
wants to merge 229 commits into
base: master
Choose a base branch
from
Open

Add Postfix spam messages #830

wants to merge 229 commits into from

Conversation

kravietz
Copy link

Detect and block persistent spammers

@kravietz
Add Postfix spam messages
0413fc6 
Detect and block persistent spammers
@buixor
Copy link
Contributor

buixor commented Sep 21, 2023

@kravietz can you please provide some tests / sample logs ? see https://doc.crowdsec.net/docs/next/scenarios/create#create-our-test

@kravietz
Copy link
Author

@buixor Sure, here are just a few recent log entries matched by this rule:

Sep 21 15:55:47 wyse1 postfix/cleanup[53368]: 9E4E52753B: milter-reject: END-OF-MESSAGE from mx.portalokazji24.pl[80.91.223.90]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mx.portalokazji.pl>
Sep 21 15:57:18 wyse1 postfix/cleanup[53368]: 3D92627522: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 15:57:21 wyse1 postfix/cleanup[53368]: 1742D27547: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 15:57:24 wyse1 postfix/cleanup[53368]: BFB2727430: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 16:05:37 wyse1 postfix/cleanup[71047]: 3F06F27539: milter-reject: END-OF-MESSAGE from mail.excellentuniversal.pl[89.46.78.130]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.excellentuniversal.pl>

@LaurenceJJones
Copy link
Contributor

Another question any reasonyou didn't incorporate it within the current postfix-logs parser under crowdsecurity/postfix-logs ? Just wanted to know if there was anything specific.

@kravietz
Copy link
Author

@LaurenceJJones No, I did it in a separate file exclusively to avoid messing up the existing parser but once you're happy with it it would absolutely make sense to keep them in one file.

@kravietz
Detect Postfix SASL bruteforcing
d65e16b 
Capture attempts to brute force Postfix SASL authentication bruteforcing

```
Feb 28 13:41:10 mail postfix/smtpd[98013]: warning: unknown[114.243.105.223]: SASL PLAIN authentication failed: (reason unavailable), [email protected]
```
@kravietz
Detect Postfix SASL bruteforcing
e08c402 
Capture attempts to brute force Postfix SASL authentication bruteforcing

```
Feb 28 13:41:10 mail postfix/smtpd[98013]: warning: unknown[114.243.105.223]: SASL PLAIN authentication failed: (reason unavailable), [email protected]
```
@kravietz
Merge branch 'master' of github.com:kravietz/hub
b39c2af
@kravietz
Move parser to main Postfix file
3a0b5db
@kravietz
Copy link
Author

Another question any reasonyou didn't incorporate it within the current postfix-logs parser under crowdsecurity/postfix-logs ? Just wanted to know if there was anything specific.

It has been now merged into the main postfix-logs.yaml file

@kravietz
Copy link
Author

Sample log for the third (SASL bruteforcing) rule:

Feb 28 13:41:10 mail postfix/smtpd[98013]: warning: unknown[114.243.105.223]: SASL PLAIN authentication failed: (reason unavailable), [email protected]

@actions-user
Update blockers meta
2ba3df1
@actions-user
Update blockers meta
1d29276
@actions-user
Update blockers meta
8fcb65e
@actions-user
Update blockers meta
9f7e86e
@actions-user
Update blockers meta
c95baf3
@actions-user
Update blockers meta
992e401
@actions-user
Update blockers meta
dd0935e
@actions-user
Update blockers meta
7ca8935
@actions-user
Update blockers meta
a871cda
@actions-user
Update blockers meta
ce374a6
@actions-user
Update blockers meta
3513aa2
@actions-user
Update blockers meta
fc01d1f
@actions-user
Update blockers meta
e9aefd6
@actions-user
Update blockers meta
9dc0b10
@actions-user
Update blockers meta
b3f8f82
@actions-user
Update blockers meta
aae8ad4
@actions-user
Update blockers meta
1cc76ae
@actions-user
Update blockers meta
abff32e
@actions-user
Update blockers meta
7f92c6e
@actions-user
Update blockers meta
e05f3f7
@actions-user
Update blockers meta
33595ef
@actions-user
Update blockers meta
f1bb1e5
@actions-user
Update blockers meta
506ae48
@actions-user
Update blockers meta
d0fb730
@actions-user
Update blockers meta
fa97367
@actions-user
Update blockers meta
40e5aca
@actions-user
Update blockers meta
b3043c4
@actions-user
Update blockers meta
61598f3
@actions-user
Update blockers meta
5e3dc92
@actions-user
Update blockers meta
ef74b80
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LaurenceJJones LaurenceJJones LaurenceJJones left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@kravietz @buixor @LaurenceJJones @actions-user