Hello,
I wanted to create a custom regex expression to scan exim_rejectlog and block addresses that match an RBL.
Currently on cPanel the rate limit feature is not enough for our needs.
I'm wondering if anyone has any experience with this.
Currently our logs look like this:
2013-11-06 00:10:22 H=(msa.hinet[.net]) [124.11.192.11]:4063 F=<chitrjnot.acskovov@msa.hinet[.net]> rejected RCPT <ayuanokok95@yahoo[.com]>: "JunkMail rejected - (msa.hinet[.net]) [124.11.192.11]:4063 is in an RBL, see http://www.spamhaus[.org]/query/bl?ip=124.11.192.11"
I've been looking at regex.custom.pm and I'll need a full tutorial to understand regex, apparently.
So I'm wondering if anyone could help me build a regex expression that would allow lfd to scan and ban for X seconds if it finds an IP matching "JunkMail rejected * is in RBL".
I use various RBLs, so matching based on spamhaus.[org]/query/bl?ip= would not be ideal.
Any help would be appreciated.
Exim Reject Mail - RBL Custom Regex
Re: Exim Reject Mail - RBL Custom Regex
I've tested it without errors using this:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =/JunkMail rejected|\d|is in an RBL/)) {
return ("Exim RBL Match",$1,"eximrblmatch","1","25","1");
}
I'll have to wait and see if i get any hits. If anyone has any suggestions that would be great.
Re: Exim Reject Mail - RBL Custom Regex
Did not work during my tests.
Re: Exim Reject Mail - RBL Custom Regex
I've decided to restart this project and here are my updated rules.
This rule is for Exim, Invalid HELO:
http://rubular.com/r/i6qKKbmqSY
I have yet to see it working, can anyone confirm? Based on Rubular it's valid, but CSF doesn't seem to trigger it.
-- update
Confirmed working
Based on the current logs:
Proof
OS: CentOS 6 // CPANEL 11.52.0
LF_TRIGGER = "0"
LF_SELECT = "1"
Here is another rule that has yet to trigger:
http://rubular.com/r/lirfiIDZdr
-- update 2: RBL regex is confirmed working
Logs that it catches -- we often get brute forces for RFC rules; in this case drpeng-cb03e432 hit the server 25+ times. I could set the rule to X hits, but I've yet to see any valid traffic from clients hitting this rule.
Proof
The only problem I can see is that CUSTOM_LOG is set to /var/log/exim_rejectlog for both rules... not sure if that could be a problem.
Any suggestions and advice would be nice.
Code:
# Exim_RFC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\]:.* rejected MAIL <.*>: Access denied - Invalid HELO name \(See RFC2821 .*\)$/)) {
return ("RFC Hit from",$1,"EXIMRFC","1","25;tcp,465;tcp,587;tcp","3600");
}
Code:
(EXIMRFC) EXIM RFC Hit from 114.43.241.151 (TW/Taiwan/-/-/-/[AS3462 Data Communication Business Group]): 1 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]
Code:
2015-10-19 07:14:32 H=(GAOERAUJJ) [41.162.49.20]:2092 rejected MAIL <miasmata8@rockofages.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:43:48 H=(DCBLRIFI) [175.206.109.172]:9351 rejected MAIL <yodelerc2@reresources.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:44:34 H=(ZVOFFEKXKZ) [175.206.109.172]:9519 rejected MAIL <releasingdjn8@rostolis.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 22:53:17 H=(abouliau) [12.147.144.133]:54314 rejected MAIL <boomstera@abouliau.pps-time.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Code:
csf -g 114.43.241.151
Chain num pkts bytes target prot opt in out source destination
DENYIN 37 0 0 DROP tcp -- !lo * 114.43.241.151 0.0.0.0/0 tcp dpt:25
DENYIN 38 0 0 DROP tcp -- !lo * 114.43.241.151 0.0.0.0/0 tcp dpt:465
DENYIN 39 0 0 DROP tcp -- !lo * 114.43.241.151 0.0.0.0/0 tcp dpt:587
IPSET: No matches found for 114.43.241.151
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 114.43.241.151 in ip6tables
Temporary Blocks: IP:114.43.241.151 Port:25;tcp,465;tcp,587;tcp Dir:in TTL:3600 (lfd - (EXIMRFC) EXIM RFC Hit from 114.43.241.151 (TW/Taiwan/-/-/-/[AS3462 Data Communication Business Group]): 1 in the last 3600 secs)
Code:
# Exim_RBL
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\]:.* .*F=.* rejected RCPT <(\S+)>: \"JunkMail rejected - .* \[(\S+)\]:.* is in an RBL.*$/)) {
if ($3 eq "") { # To avoid 'Blocked by ...'
return ("RBL Hit",$1,"EXIM_RBL","1","25,465,587","3600");
}
}
Code:
Time: Wed Oct 21 06:04:21 2015 -0400
IP: 94.231.126.245 (RU/Russian Federation/Ryazan/Ryazan/-/[AS41854 Nlink Telecommunications LLC])
Failures: 1 (EXIMRBL)
Interval: 3600 seconds
Blocked: Temporary Block
Code:
2015-10-19 05:42:27 H=(drpeng-cb03e432) [1.93.19.216]:3379 rejected MAIL <lvckx@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:42:33 H=(drpeng-cb03e432) [1.93.19.216]:2588 rejected MAIL <rjgpe@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:42:43 H=(drpeng-cb03e432) [1.93.19.216]:4195 rejected MAIL <wvh@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:42:47 H=(drpeng-cb03e432) [1.93.19.216]:4596 rejected MAIL <rgjyb@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:43:31 H=(drpeng-cb03e432) [1.93.19.216]:3349 rejected MAIL <eenv@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:44:38 H=(drpeng-cb03e432) [1.93.19.216]:3918 rejected MAIL <cqxojm@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:12:59 H=(QHWHFOVDC) [88.119.254.194]:1378 rejected MAIL <undercharging95@rollcoater.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:13:03 H=(NQURXTBEEE) [88.119.254.194]:1449 rejected MAIL <betided20@rouenstsever.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:14:20 H=(YHBDPVAOF) [41.162.49.20]:1894 rejected MAIL <electroplatingkbv158@rccn.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:14:32 H=(GAOERAUJJ) [41.162.49.20]:2092 rejected MAIL <miasmata8@rockofages.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:43:48 H=(DCBLRIFI) [175.206.109.172]:9351 rejected MAIL <yodelerc2@reresources.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:44:34 H=(ZVOFFEKXKZ) [175.206.109.172]:9519 rejected MAIL <releasingdjn8@rostolis.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 22:53:17 H=(abouliau) [12.147.144.133]:54314 rejected MAIL <boomstera@abouliau.pps-time.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Code:
csf -g 94.231.126.245
Chain num pkts bytes target prot opt in out source destination
DENYIN 10 8 356 DROP tcp -- !lo * 94.231.126.245 0.0.0.0/0 tcp dpt:25
DENYIN 11 0 0 DROP tcp -- !lo * 94.231.126.245 0.0.0.0/0 tcp dpt:465
DENYIN 12 0 0 DROP tcp -- !lo * 94.231.126.245 0.0.0.0/0 tcp dpt:587
IPSET: No matches found for 94.231.126.245
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 94.231.126.245 in ip6tables
Temporary Blocks: IP:94.231.126.245 Port:25;tcp,465;tcp,587;tcp Dir:in TTL:3600 (lfd - (EXIMRBL) EXIM RBL Hit 94.231.126.245 (RU/Russian Federation/Ryazan/Ryazan/-/[AS41854 Nlink Telecommunications LLC]): 1 in the last 3600 secs)
Last edited by zmjwong on 21 Oct 2015, 11:23, edited 5 times in total.
Re: Exim Reject Mail - RBL Custom Regex
Added a new block for spammers that don't wait for greetings, or old MS clients (removed due to standards with SSLv3 and removal of IE8 support on most systems); ciphers won't let them connect anyway, so who cares at this point.
I had to make a second rule for times that it showed a hostname and not an [ip],
for the following logs:
Code:
# Exim_Sync
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* SMTP protocol synchronization error \(.*\): rejected connection from H=\[(.*)\]:.* input="QUIT.*"$/)) {
return ("EXIM Sync Hit from",$1,"EXIMSYNC","1","25;tcp,465;tcp,587;tcp","3600");
}
Code:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* SMTP protocol synchronization error \(.*\): rejected connection from H=.* \[(.*)\]:.* input="QUIT.*"$/)) {
return ("EXIM Sync Hit 2 from",$1,"EXIMSYNC2","1","25;tcp,465;tcp,587;tcp","3600");
}
Code:
2015-10-21 03:33:06 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=pjl126.internetdsl.tpnet.pl [46.171.245.126]:59479 input="QUIT\r\n"
2015-10-21 03:33:06 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[93.88.64.40]:2454 input="QUIT\r\n"
2015-10-21 04:23:21 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[115.186.110.130]:3460 input="QUIT\r\n"
2015-10-21 04:23:21 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host-223.71-43-115.dynamic.totalbb.net.tw [115.43.71.223]:4529 input="QUIT\r\n"
2015-10-21 04:23:21 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[175.205.84.174]:41464 input="QUIT\r\n"
2015-10-21 05:10:06 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=37-144-12-96.broadband.corbina.ru [37.144.12.96]:37014 input="QUIT\r\n"
2015-10-21 05:10:06 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=cpe-70-114-243-177.austin.res.rr.com [70.114.243.177]:42948 input="QUIT\r\n"
2015-10-21 05:10:06 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=36-224-198-242.dynamic-ip.hinet.net [36.224.198.242]:44007 input="QUIT\r\n"
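To check rules like the ones in this thread against log lines before restarting lfd, here is an added stand-alone Perl dry-run harness (my own code, not CSF's or the poster's): it fakes the `%globlogs` hash lfd would supply, implements a `custom_line` with the same return tuple regex.custom.pm uses, and feeds it constructed sample lines. The three regexes are my rewrites of the RFC, RBL and sync rules above (the RBL one keys on "is in an RBL" rather than any list's URL, and a single sync rule handles both the hostname and bare-IP forms); the log path, `$HOST` pattern and all addresses are assumptions.

```perl
#!/usr/bin/perl
# Added dry-run harness (not part of CSF/lfd): runs a custom_line() written
# to the regex.custom.pm contract over sample exim_rejectlog lines, so a rule
# can be checked offline instead of waiting for a live hit. Globals are faked.
use strict;
use warnings;

# lfd normally fills %globlogs from CUSTOMn_LOG; assumed value for the dry run.
my %globlogs = ( CUSTOM1_LOG => { '/var/log/exim_rejectlog' => 1 } );

# Exim's H= field is "[ip]:port", "host [ip]:port" or "host (helo) [ip]:port";
# allowing zero or more tokens before the bracket covers all three shapes.
my $HOST  = qr/H=(?:\S+ )*\[([^\]]+)\]:\d+/;
my $PORTS = '25;tcp,465;tcp,587;tcp';

# Same tuple lfd expects back: (text, ip, id, count, ports, timeout),
# or an empty list when no rule matches.
sub custom_line {
    my ($line, $lgfile) = @_;
    return unless $globlogs{CUSTOM1_LOG}{$lgfile};

    # Invalid HELO name (RFC2821 4.1.1.1) rejected at MAIL FROM
    if ($line =~ /^\S+ \S+ $HOST rejected MAIL <[^>]*>: Access denied - Invalid HELO name \(See RFC2821/) {
        return ('RFC Hit from', $1, 'EXIMRFC', '1', $PORTS, '3600');
    }
    # Sender IP listed in any RBL: key on "is in an RBL", not on a list's URL
    if ($line =~ /^\S+ \S+ $HOST F=<[^>]*> rejected RCPT <[^>]*>: "JunkMail rejected - .* is in an RBL/) {
        return ('RBL Hit', $1, 'EXIMRBL', '1', $PORTS, '3600');
    }
    # Client spoke before the banner; one rule covers hostname and bare-IP forms
    if ($line =~ /SMTP protocol synchronization error \([^)]*\): rejected connection from $HOST input="QUIT/) {
        return ('EXIM Sync Hit from', $1, 'EXIMSYNC', '1', $PORTS, '3600');
    }
    return;
}

# Constructed sample lines in the shapes seen in this thread; addresses made up.
my @samples = (
    '2015-10-19 07:14:32 H=(GAOERAUJJ) [203.0.113.20]:2092 rejected MAIL <a@example.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)',
    '2013-11-06 00:10:22 H=(mx.example.net) [198.51.100.7]:4063 F=<b@example.net> rejected RCPT <c@example.org>: "JunkMail rejected - (mx.example.net) [198.51.100.7]:4063 is in an RBL, see http://rbl.example/query?ip=198.51.100.7"',
    '2015-10-21 03:33:06 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=host.example.pl [192.0.2.10]:59479 input="QUIT\r\n"',
    '2015-10-21 03:33:06 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.40]:2454 input="QUIT\r\n"',
    '2015-10-21 04:00:00 H=(mx.example.com) [192.0.2.99]:1234 F=<d@example.com> rejected RCPT <e@example.org>: Unrouteable address',
);
for my $line (@samples) {
    my @hit = custom_line($line, '/var/log/exim_rejectlog');
    print @hit ? "$hit[2]: block $hit[1] on $hit[4] for $hit[5]s\n" : "no match (left alone)\n";
}
```

The last sample is a plain bounce rejection and must produce no match; a rule that fires on it would block legitimate senders, which is the false-positive check worth running before any rule goes live.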
Re: Exim Reject Mail - RBL Custom Regex
Just an update: based on my findings it's not clear if every rule requires a CUSTOM_LOG. In my testing for Exim, it's possible to use only 1 of the 9 custom log rules if they all scan the same file. Hence why the rules above all use CUSTOM1_LOG.