Patrick's Rants



10/13/2018

Cloudfail

Filed under: Geek News and Stuff — site admin @ 10:05 am

I periodically go back through my Fail2Ban reports just to see who’s being naughty or nice. If a host or a network is being particularly egregious, I will send the admins a note/complaint about the behavior. I don’t always do this before I add them to an ipset filter. On my generous days, I give the admin a chance to respond to a complaint. On my not-so-generous days I might just completely block an entire network; it just depends on the recidivism of the offender.

I sent an email to Cloudflare showing 9 different IP addresses that had been blocked by Spamassassin and subsequently blocked by Fail2Ban. So first, Spamassassin identifies email as spam. Once three such messages are marked from any one host, Fail2Ban will block that host. So there were ~27 attempts to send spam that were blocked by Spamassassin, then by Fail2Ban. I got a response that I didn’t immediately see:

There’s no way the IP could be attempting to SSH into your server through our service. You’re likely either logging the wrong IP, or the IP was spoofed.

What I sent them was,

Hi,

The IP ${IP} has just been banned by Fail2Ban after
3 attempts against spammed.

Here is more information about ${IP} :

[Querying whois.arin.net]
[whois.arin.net]

My response, delayed as it was:

How did you get SSH from the Fail2Ban spam filter?

Seems like a failure to comprehend. SSH <> Spamassassin
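The Spamassassin-to-Fail2Ban escalation described above (three spam-marked messages from one host, then a ban), sketched as an added example; it is not the author's configuration or Fail2Ban's own code. The threshold of 3 and the jail name "spammed" come from the post; the log line format, the 10-minute window and the sample addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 3                       # from the post: three spam verdicts per host
FINDTIME = timedelta(minutes=10)   # assumption: the post does not state a window
JAIL = "spammed"                   # jail name as it appears in the ban notice

# Assumed (constructed) log format: "<ISO time> spam-verdict relay=<ip> score=<n>"
LINE_RE = re.compile(r"^(\S+) spam-verdict relay=(\d{1,3}(?:\.\d{1,3}){3}) score=[\d.]+$")

# Constructed sample log, not taken from the post.
SAMPLE_LOG = """\
2018-10-13T09:00:01 spam-verdict relay=192.0.2.10 score=12.4
2018-10-13T09:00:40 spam-verdict relay=198.51.100.7 score=8.1
2018-10-13T09:01:15 spam-verdict relay=192.0.2.10 score=15.0
2018-10-13T09:02:30 clean relay=192.0.2.10 score=0.3
2018-10-13T09:03:02 spam-verdict relay=192.0.2.10 score=9.9
2018-10-13T09:30:00 spam-verdict relay=198.51.100.7 score=7.7
2018-10-13T09:31:00 spam-verdict relay=198.51.100.7 score=6.2
"""

def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return [(ip, ban_time)] for hosts reaching maxretry spam verdicts within findtime."""
    hits = defaultdict(deque)
    banned, bans = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a spam verdict do not count toward the threshold
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned:
            continue  # already blocked; nothing more to count
        window = hits[ip]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()  # drop verdicts that aged out of the window
        if len(window) >= maxretry:
            banned.add(ip)
            bans.append((ip, when))
    return bans

def ban_notice(ip, failures=MAXRETRY, jail=JAIL):
    """Notice text in the shape of the one quoted in the post; the jail name identifies the service."""
    return f"The IP {ip} has just been banned by Fail2Ban after {failures} attempts against {jail}."

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(when.isoformat(), ban_notice(ip))
```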
