
Would it be wise if I modified the postfix fail2ban rule from this:

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
        ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
        ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
        ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

by adding the following line:

  ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$

Because I'm trying to prevent attacks like this:

Jan 27 09:42:02 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <chiquia9p34@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy434808@airoclean.ch> to=<chiquia9p34@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:42:03 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <chiquia@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy434808@airoclean.ch> to=<chiquia@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <michaela9p34@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy878210@camgirl-info.com> to=<michaela9p34@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <michaela@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy878210@camgirl-info.com> to=<michaela@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>

My concern is that it will drop unintentional wrong emails that should be bounced back to users who mistyped an email address by accident.

What are your suggestions?

Aleksandar Pavić
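To see what the proposed failregex actually catches, here is an added example (not part of the question) that expands the two fail2ban placeholders and runs the line over the log excerpt above. Assumptions: %(__prefix_line)s is replaced by a plain syslog "Mon DD HH:MM:SS host postfix/smtpd[pid]: " prefix rather than the broader pattern fail2ban ships, <HOST> by a bare IPv4 group, and the sample log is the question's four bot lines (unwrapped) plus two constructed lines: one from a fictitious legitimate relay mail.example.org[198.51.100.7] that mistyped a recipient, and one 554 reject from 203.0.113.9 that the new line must not match.

```python
import re
from collections import Counter

# Stand-in for fail2ban's %(__prefix_line)s. Assumption: a plain syslog
# "Mon DD HH:MM:SS host postfix/smtpd[pid]: " prefix; the pattern fail2ban
# actually ships is broader but matches these same lines.
PREFIX_LINE = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "

# fail2ban substitutes <HOST> with its own IPv4/IPv6/hostname pattern;
# assumption here: a bare IPv4 address is enough for the sample data.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The line the question proposes adding to the postfix filter, with the
# two fail2ban placeholders expanded.
PROPOSED = re.compile(
    r"^" + PREFIX_LINE
    + r"NOQUEUE: reject: RCPT from \S+\[" + HOST + r"\]: 550 5\.1\.1 .*$"
)

# Constructed sample: the four bot lines from the question (unwrapped), one
# constructed line for a legitimate relay (198.51.100.7, documentation
# range) whose user mistyped a recipient, and one constructed 554 reject
# (203.0.113.9) that the proposed line must not match.
SAMPLE_LOG = """\
Jan 27 09:42:02 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <chiquia9p34@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy434808@airoclean.ch> to=<chiquia9p34@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:42:03 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <chiquia@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy434808@airoclean.ch> to=<chiquia@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <michaela9p34@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy878210@camgirl-info.com> to=<michaela9p34@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <michaela@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<crazy878210@camgirl-info.com> to=<michaela@acosonic.com> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 10:03:40 host1 postfix/smtpd[5201]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <chiqiua@acosonic.com>: Recipient address rejected: User unknown in virtual alias table; from=<alice@example.org> to=<chiqiua@acosonic.com> proto=ESMTP helo=<mail.example.org>
Jan 27 10:05:12 host1 postfix/smtpd[5120]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked; from=<x@example.net> to=<chiquia@acosonic.com> proto=ESMTP helo=<mail.example.net>
"""


def reject_counts(log_text, pattern=PROPOSED):
    """Count 550 5.1.1 recipient rejects per client IP, which is what
    fail2ban would tally when fed this failregex."""
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits


if __name__ == "__main__":
    for host, n in reject_counts(SAMPLE_LOG).most_common():
        print(f"{host:16} {n} reject(s)")
```

The regex itself cannot tell the dictionary-attacking bot from the relay whose user fat-fingered an address: both produce the same 550 5.1.1 line and both match. The only thing that separates them in this data is the count per client over time, which is exactly the concern raised in the question.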

2 Answers


My suggestion for you is to use postscreen, more information here: http://www.postfix.org/POSTSCREEN_README.html

"The Postfix postscreen(8) server provides additional protection against mail server overload. One postscreen(8) process handles multiple inbound SMTP connections, and decides which clients may talk to a Postfix SMTP server process. By keeping spambots away, postscreen(8) leaves more SMTP server processes available for legitimate clients, and delays the onset of server overload conditions."

This puts the whole load away from the MTA by doing some clever checks. The bots will never make it that far, which is the way it should be.

If your setup doesn't allow for postscreen to be installed, the use of a policy daemon with rate limits might come in handy.

Marc Stürmer

There is always a balance to find with this sort of thing. A one-off or infrequent failure is probably a mistake on the sender's part. Multiple failures in a short time are likely an indication that you want to put a (temporary) ban in place.

This is why fail2ban has parameters that you can use to tune the sensitivity. For example you can set maxretry and findtime. The maxretry setting is the number of failed attempts that will be tolerated within the findtime; any more than this and the address will be banned.

I would cast an eye over the file and get a feel for what's happening and set the parameters appropriately.

user9517
  • Every 13 minutes, a spam bot tries different non-existent email addresses. Should I maybe create different postfix filters with different monitoring intervals specified in jail.conf? – Aleksandar Pavić Jan 27 '17 at 10:41
  • I don't know what the defaults are and don't have a system to hand to check. You could do as you propose or you could just adjust the defaults. – user9517 Jan 27 '17 at 10:58
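To make the findtime/maxretry trade-off concrete for the pattern described in the comments (two bad RCPTs, repeated every 13 minutes), here is an added example that is not from either answer or the commenters. It replays constructed failure events through a simplified model of fail2ban's windowing. Assumptions: failures older than findtime seconds are forgotten, reaching maxretry failures inside the window triggers a ban and clears that host's history (which is how fail2ban behaves, but this code is a model, not fail2ban's own); timestamps are seconds relative to the first hit; the hosts are the bot IP from the question and a documentation-range IP standing in for a legitimate sender who mistyped one address; the three parameter sets are illustrative, so check jail.conf on your system for the real defaults (recent releases ship findtime = 10m, maxretry = 5).

```python
from collections import defaultdict, deque

BOT = "109.107.106.180"   # the client in the question's log excerpt
LEGIT = "198.51.100.7"    # constructed: a real sender who mistyped once


def simulate_bans(events, maxretry, findtime):
    """Replay time-ordered (timestamp, host) failure events through a
    fail2ban-style sliding window. Assumption (simplified model of
    fail2ban): failures older than `findtime` seconds drop out of the
    window, and when a host accumulates `maxretry` failures inside it
    the host is banned and its history is cleared.
    Returns {host: [ban timestamps]} for hosts that got banned."""
    window = defaultdict(deque)
    bans = defaultdict(list)
    for t, host in events:
        q = window[host]
        while q and t - q[0] > findtime:   # expire old failures
            q.popleft()
        q.append(t)
        if len(q) >= maxretry:
            bans[host].append(t)
            q.clear()
    return dict(bans)


def bot_bursts(start=0, interval=13 * 60, bursts=4, per_burst=2):
    """Constructed bot behaviour: two 550 5.1.1 rejects one second apart,
    repeated every 13 minutes, like the 09:42 / 09:55 pairs in the log."""
    return [
        (start + i * interval + j, BOT)
        for i in range(bursts)
        for j in range(per_burst)
    ]


# Constructed timeline: the bot's bursts plus one legitimate typo at t=300s.
CONSTRUCTED_EVENTS = sorted(bot_bursts() + [(300, LEGIT)])


def compare():
    """Run the same timeline under three illustrative jail settings."""
    return {
        # 10 minutes / 5 tries: each burst expires before the next one
        "defaults":   simulate_bans(CONSTRUCTED_EVENTS, maxretry=5, findtime=600),
        # 1 hour / 5 tries: bursts accumulate, ban on the third burst
        "wider":      simulate_bans(CONSTRUCTED_EVENTS, maxretry=5, findtime=3600),
        # 15 minutes / 3 tries: bans faster but is closer to hitting typos
        "aggressive": simulate_bans(CONSTRUCTED_EVENTS, maxretry=3, findtime=900),
    }


if __name__ == "__main__":
    for name, bans in compare().items():
        print(f"{name:10} -> {bans or 'no bans'}")
```

With a 10 minute findtime the bot in the question is never banned, because its bursts are 13 minutes apart and each pair has expired before the next arrives; widening findtime to an hour bans it on the third burst while the single typo from the legitimate host never comes close to five hits. That is the knob to turn, either in a [postfix] section of jail.local or, as the comment proposes, in a separate jail with its own filter and interval, rather than trying to make the regex itself distinguish bots from typos.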