Resolved How to reduce Spam forwarding with fail2ban

[TorbHo]

Most spam on our servers is blocked by different spamassasin and combined fail2ban rules, but this time the Spam was forwarded to external mail-addresses, because our clients love to use their private mail-addresses and have set a forwarding-rule.

How can we use fail2ban to block Servers sending spam?

My idea: for example when 50 Mails in about 1 hour have been marked by spamassasin as spam, this ip is blocked by fail2ban.
How could the regex for this filter-rule look like?

 

[m3lezZ]

Spamassassin uses a number of rules to decide if an email is blocked and creates a score of each email. This is normally included in the header of each email, so you can see which rules have trigged.

If you can build a cron or so what counts the number of mails to specific-addresses and check how many have the score xy, you could block them with fail2ban.

Just an idea.

 

[TorbHo]

@m3lezZ thank you for your idea with a cron job.

I found another idea and will test it: Denying comment spam bots | DjaoDjin

The idea is to change spamd to show the ip-address of the spamming server in the maillog. With that you can now make a fail2ban filter.