Rev 6 | Blame | Compare with Previous | Last modification | View Log | RSS feed
# Fail2Ban filter for exim the spam rejection messages## Honeypot traps are very useful for fighting spam. You just activate an email# address on your domain that you do not intend to use at all, and that normal# people do not risk to try for contacting you. It may be something that# spammers often test. You can also hide the address on a web page to be picked# by spam spiders. Or simply parse your mail logs for an invalid address# already being frequently targeted by spammers. Enable the address and# redirect it to the blackhole. In Exim's alias file, you would add the# following line (assuming the address is honeypot@yourdomain.com):## honeypot: :blackhole:## For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.## To this filter use the jail.local should contain in the right jail:## filter = exim-spam[honeypot=honeypot@yourdomain.com]#[INCLUDES]# Read common prefixes. If any customizations available -- read them from# exim-common.localbefore = exim-common.conf[Definition]failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$ignoreregex =[Init]# Option: honeypot# Notes.: honeypot is an email address that isn't published anywhere that a# legitimate email sender would send email too.# Values: email addresshoneypot = trap@example.com# DEV Notes:# The %(host_info) defination contains a <HOST> match## Author: Cyril Jaquier# Daniel Black (rewrote with strong regexs)