Fixing the fail2ban filter for Postfix unverified address / user unknown spam attacks

For whatever reason, the default distributed postfix filter I had on my fail2ban setup on ubuntu was not triggering on:

450 4.1.1 Receipient address rejected: unverified address: unknown user

mail.log errors. The failregex line was in there for it, but it wasn’t hitting on the endless dictionary attack random attempts from spammer servers across the world. This was annoying because, in looking through the mail.logs, I saw hours and hours, days and days of the same servers just trying to send to crazy email addresses perhaps hoping to get a hit. This needed to stop.

I changed one of the failregex entries in /etc/fail2ban/filters.d/postfix from the line that was not working to this:

^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .* Recipient address rejected: unverified address: unknown user:.*$

It’s not fancy and leaves a lot of space on the wildcards but it immediately killed those incoming attacking servers cycling through thousands of bogus generated email addresses.

If you are looking to stop this type of activity with your Postfix setup, try a variant of the above in the filter and test via:

fail2ban-regex -v /var/log/mail.log /etc/fail2ban/filters.d/postfix

and see if that catches more fish on the filter after you make the changes. Also, restarting fail2ban jails when you have ~40k or so entries in them can take forever, so selective reloading of jails is a better way to go when changing filters or configs. This is off Ubuntu.

# sudo fail2ban-client reload postfix

Let it cycle through all the unbans and rebans and will take quite a while, but nothing like the eternity of a reboot or restart of all jails.

Add comment

Leave a comment or reply