Last week, I saw an huge “spam” outbreak on my MX servers. Instead of ~200k rejected SMTP connections, I had ~3M connections and it was rising. This caused some minor issues with the frequent log parsing as the log file quickly grew.
To reduce the log file size and also the DNS requests number, I decided to use fail2ban to drop the connections before they got to Exim.
This is rather easy, just create/append /etc/fail2ban/jail.local with the following:
[exim-dnsbl]
enabled = true
port = 25
filter = exim
logpath = /var/log/exim4/rejectlog
maxretry = 5
And change the following line in your /etc/fail2ban/filter.d/exim.conf:
#failregex = \\\[<HOST>\\\] .\*(?:rejected by local\_scan|Unrouteable address)
failregex = \\\[<HOST>\\\]:\[0-9\]\* I=.\* rejected found in dnsbl
And reload/restart fail2ban. With this simple change, I’ve returned the rejected connections to a more “normal” count (<200k per week). Should have done it earlier.