From d0f724599582113cff1dd7ebbf7d0dff1cbb056e Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Mon, 30 Aug 2021 17:32:42 +0000 Subject: [PATCH] Initial checkin --- README | 21 +++++++++++++++++++++ body_checks | 2 ++ header_checks | 14 ++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 README create mode 100644 body_checks create mode 100644 header_checks diff --git a/README b/README new file mode 100644 index 0000000..4b561c0 --- /dev/null +++ b/README @@ -0,0 +1,21 @@ +Abuse reports form a foundational part of internet infrastructure. The ability +to get in contact with a person responsible for IP address routing or machines +involved in an ongoing attack in a timely manner is critical for internet +stability and operational security. + +Sadly, some junior administrators have decided that standard internet +background noise constitutes critical abuse behavior and automates sending +abuse emails in response. This floods abuse inboxes and makes the global abuse +reporting system less real time and, thus, less able to respond to actual +attacks. + +Worse, these automated abuse senders rarely respond to follow-up or requests +for more information, making it clear they don't actually care about the +"abuse", they just want to send spam. + +To combat this, we completely block any automated abuse senders after several +attempts to reach out and resolve the issue if we receive no response. Further, +we block all messages coming from common auto-mailers. The two files in this +directory are regex lists compatible with postfix's `header_checks` and +`body_checks` configuration options, and should block most spammers who hit +abuse inboxes. diff --git a/body_checks b/body_checks new file mode 100644 index 0000000..3ce5043 --- /dev/null +++ b/body_checks 
@@ -0,0 +1,2 @@ +/^\[this is aDs \(AutoDefenseSystem\), please report any abuse or illegal redistribution of this software to the author Mr. Davide Lemma.*/ REJECT AutoDefenseSystem delivers abuse reports to non-abuse contacts. Thus, all mail from it is rejected on this server. +/This mail was generated by Fail2Ban/ REJECT We do not accept automated abuse reports from Fail2Ban instances as they tend to be spammy and come from sources which do not respond to attempted follow-up. diff --git a/header_checks b/header_checks new file mode 100644 index 0000000..3d2e386 --- /dev/null +++ b/header_checks 
@@ -0,0 +1,14 @@ +/^F(rom|ROM): Fail2Ban \(Keyweb AG\) / REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM):.*abuse@thecluephone\.com/ REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM):.*root@host..\.ns3\.it/ REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM):.*security@aldimna\.com/ REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM): admin@ics-il\.net/ REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM):.*botnet\.tracker@gmail\.com/ REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM):.*abuse@light-gap\.net/ REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM):.*monitor@desmoweb\.com/ REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. +/^F(rom|ROM):.*System Administrator / REJECT Sender blocked - automated abuse spam without detail or followup causes real abuse to go unfixed. Please fix your abuse report process. -- 2.30.2
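Review bot: in the README hunk, the last paragraph says the two files are compatible with postfix's `header_checks` and `body_checks` options but does not say how to load them or which table type the patterns are written for. Consider adding the two main.cf lines (for example `header_checks = regexp:<path to header_checks>`, and the same for `body_checks`). It is also worth noting that these options are applied to all mail passing through the server, not only to the abuse inbox, so an operator knows the scope of the rejects before enabling them. Minor wording in the second paragraph: "have decided ... and automates sending" should read "automate sending".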
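Review bot: in the body_checks hunk, the second rule `/This mail was generated by Fail2Ban/` is unanchored, and body_checks patterns are tested against each body line. A human reply or forwarded report that quotes that sentence is therefore rejected as well, including a follow-up from a sender you asked for more detail. If the generated line has a fixed start, anchor the pattern with `^` as the first rule does; otherwise consider running it as `WARN` for a while and checking the log before switching to `REJECT`. The trailing `.*` on the AutoDefenseSystem rule is redundant, since the pattern is not anchored at the end.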
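Review bot: in the header_checks hunk, the last rule `/^F(rom|ROM):.*System Administrator /` matches on a display name only, so any sender whose From header contains "System Administrator " is rejected, whether or not the mail is an abuse report. Tie it to the sending address or domain like the other rules. Two smaller points on the same hunk: the address rules begin with `.*` and have no boundary before or after the address, so `.*abuse@light-gap\.net` also matches a longer local part or a longer domain that merely contains that string; and postfix regexp tables match case-insensitively by default, so `F(rom|ROM)` can simply be `From`. A short comment above each entry recording when the sender was contacted and why it was blocked would make later pruning of the list easier.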