Add Postfix spam messages

[kravietz]

Detect and block persistent spammers

[buixor]

@kravietz can you please provide some tests / sample logs ? see https://doc.crowdsec.net/docs/next/scenarios/create#create-our-test

[kravietz]

@buixor Sure, here are just a few recent log entries matched by this rule:

Sep 21 15:55:47 wyse1 postfix/cleanup[53368]: 9E4E52753B: milter-reject: END-OF-MESSAGE from mx.portalokazji24.pl[80.91.223.90]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mx.portalokazji.pl>
Sep 21 15:57:18 wyse1 postfix/cleanup[53368]: 3D92627522: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 15:57:21 wyse1 postfix/cleanup[53368]: 1742D27547: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 15:57:24 wyse1 postfix/cleanup[53368]: BFB2727430: milter-reject: END-OF-MESSAGE from unknown[111.229.236.100]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<info.fiebusiny.top>
Sep 21 16:05:37 wyse1 postfix/cleanup[71047]: 3F06F27539: milter-reject: END-OF-MESSAGE from mail.excellentuniversal.pl[89.46.78.130]: 4.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.excellentuniversal.pl>

[LaurenceJJones]

Another question any reasonyou didn't incorporate it within the current postfix-logs parser under crowdsecurity/postfix-logs ? Just wanted to know if there was anything specific.

[kravietz]

@LaurenceJJones No, I did it in a separate file exclusively to avoid messing up the existing parser but once you're happy with it it would absolutely make sense to keep them in one file.

[kravietz]

Another question any reasonyou didn't incorporate it within the current postfix-logs parser under crowdsecurity/postfix-logs ? Just wanted to know if there was anything specific.

It has been now merged into the main postfix-logs.yaml file

[kravietz]

Sample log for the third (SASL bruteforcing) rule:

Feb 28 13:41:10 mail postfix/smtpd[98013]: warning: unknown[114.243.105.223]: SASL PLAIN authentication failed: (reason unavailable), [email protected]

[kravietz]

@LaurenceJJones Does this need any further updates or change on my side?

[LaurenceJJones]

I will classify this PR as closed due to spam messages can be configured to user spam settings meaning the data can be non consistent. Feel free to reopen the PR if you do not agree with this classification and the IP address detect by this scenario is worth the rest of the community to use.