Mail Abuse – New Fail2ban Rules

     I found people connecting to our mail server, giving the auth command, then disconnecting.  I found out that this was a Chinese botnet attempting to deliver spam but why they would issue an auth command and then not provide arguments is not clear. Perhaps they are aware of some bug in postfix that I am not.

     At any rate it is bad behavior so I have added rules to fail2ban to block IP addresses that do this.  That’s one less botnet delivering spam.