Patrick's Rants



10/13/2018

Cloudfail

Filed under: Geek News and Stuff — site admin @ 10:05 am

I periodically go back through my Fail2Ban reports just to see who’s being naughty or nice. If a host or a network is being particularly egregious, I will send the admins a note/complaint about the behavior. I don’t always do this before I add them to an ipset filter. On my generous days, I give the admin a chance to respond to a complaint. On my not-so-generous days I might just completely block an entire network; it just depends on the recidivism of the offender.

I sent an email to Cloudflare showing 9 different IP addresses that had been blocked by SpamAssassin and subsequently blocked by Fail2Ban. So first, SpamAssassin identifies email as spam. Once three such messages are marked from any one host, Fail2Ban will block that host. So there were ~27 attempts to send spam that were blocked by SpamAssassin, then by Fail2Ban. I got a response that I didn’t immediately see:

There’s no way the IP could be attempting to SSH into your server through our service. You’re likely either logging the wrong IP, or the IP was spoofed.

What I sent them was,

Hi,

The IP ${IP} has just been banned by Fail2Ban after
3 attempts against spammed.

Here is more information about ${IP} :

[Querying whois.arin.net]
[whois.arin.net]

My response, delayed as it was:

How did you get SSH from the Fail2Ban spam filter?

Seems like a failure to comprehend. SSH <> SpamAssassin
