Permanent block ratelimited user with Rspamd and fail2ban

This one was a little tricky. I had few mail servers with a lot of accounts. I setup rspamd instance in proxy mode. Then I called rspamd on every mail server with postfix milter. Rspamd works beautifully, ratelimiting is very useful too. But I in case of abusive mail sender, I wanted to permanently block IP from which spam originated. You can’t permanently block IPs with rspamd because ratelimit module can’t add IP address to some file.

So Fail2ban came to mind. I setup fail2ban on my rspamd installation and create filter which watches rspamd log and wait for cases when ratelimit is triggered. When fail2ban counts 10 cases of triggered ratelimit, filter puts IP of ratelimited sender to special blacklist file ( which is included in rspamd multimap  definition Рpermanent block. Spamer IP is blocked permanently this way. 

I had few cases when some users password was stolen and spam was sending. Fail2ban and rspamd sucsessfuly banned those IPs. I also created action which will notify administrator when fail2ban blocks IP.

Rspamd ratelimit config:

# limit outgoing authenticated users
user = {
bucket = [
burst = 10; # capacity of 10 messages in bucket
rate = "1 / 1min"; # leak 1 messages per minute
burst = 100; # capacity of 100 messages in bucket
rate = "30 / 60min"; # leak 30 messages per hour

Rspamd multimap definition for blocking blacklisted IPs:

# block users exceeded ratelimits 5 times
type = "ip";
prefilter = "true";
map = "${LOCAL_CONFDIR}/local.d/maps/";
action = "reject";

Fail2ban jail configuration:

enabled = true
action = rspamd-banip
backend = auto
filter = rspamd-ratelimit
logpath = /var/log/rspamd/rspamd.log
maxretry = 10
bantime = 3600

Fail2ban filter for rspamd – rspamd-ratelimit.conf:

# Fail2Ban filter for rspamd ratelimit
before = common.conf
_daemon = rspamd_proxy
failregex = ^.*rspamd_proxy.*ip: .*?Ratelimit ".*?" exceeded

# Author: Igor Mazej

Fail2ban action for rspamd – rspamd-banip.conf:

# Author: Igor Mazej
actionstart = touch /etc/rspamd/local.d/maps/
actionban = printf %%b "\n" >> /etc/rspamd/local.d/maps/
actionunban = sed -i "//d" -i.backup /etc/rspamd/local.d/maps/

© 2020
Hosted by Hosterdam

About author