Python

fail2ban regular expression that uses less CPU?

  • November 7, 2011

Using fail2ban, I want to ban these spammers who send to a spamtrap address:

Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[117.197.114.222]: 550 5.7.1 <spamtrap@example.com>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: odwsgs.com, MTA hostname: unknown[117.197.114.222] (helo/hostname mismatch); from=<info.manager@nacha.org> to=<spamtrap@example.com> proto=ESMTP helo=<odwsgs.com>
Oct 27 09:08:51 si68 postfix/smtpd[32646]: NOQUEUE: reject: RCPT from unknown[182.177.131.71]: 550 5.7.1 <spamtrap@example.com>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: rigplj.com, MTA hostname: unknown[182.177.131.71] (helo/hostname mismatch); from=<account.manager@nacha.org> to=<spamtrap@example.com> proto=ESMTP helo=<rigplj.com>
Oct 27 12:42:09 si68 postfix/smtpd[22119]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <spamtrap@example.com>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=<jameshoward@bk.ru> to=<spamtrap@example.com> proto=ESMTP helo=<CT623.local>
Oct 27 14:03:12 si68 postfix/smtpd[30183]: NOQUEUE: reject: RCPT from unknown[91.79.137.194]: 550 5.7.1 <spamtrap@example.com>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (mchi.org); Please use DynDNS; from=<bvioj@mchi.org> to=<spamtrap@example.com> proto=SMTP helo=<ppp91-79-137-194.pppoe.mtu-net.ru>
Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[96.31.94.71]: 550 5.1.1 <spamtrap@example.com>: Recipient address rejected: User unknown; from=<onsite@ipr-management-mail.com> to=<spamtrap@example.com> proto=ESMTP helo=<ipr-management-mail.com>
Oct 28 00:40:00 si68 postfix/smtpd[18319]: NOQUEUE: reject: RCPT from unknown[63.141.229.165]: 550 5.1.1 <spamtrap@example.com>: Recipient address rejected: User unknown; from=<info@nnamedia.com> to=<spamtrap@example.com> proto=SMTP helo=<mx1.nnamedia.com>
Oct 28 04:05:14 si68 postfix/smtpd[9519]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <spamtrap@example.com>: Recipient address rejected: Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/70.39.119.76.html; from=<jameshoward@bk.ru> to=<spamtrap@example.com> proto=ESMTP helo=<CT623.local>

I'm not very good at regular expressions, but I came up with this:

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap

However, when I test the above regex against the (46 MB) mail log like so:

fail2ban-regex /var/log/maillog 'failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap'

the CPU goes crazy trying to process it. I think the regex could be written more efficiently. Any suggestions?

Update: The IPs in the log file above were rejected only for those particular transactions. I want to block them entirely. This is only a very small excerpt of the log. The same spammer IPs are sending not only to the spamtrap address but also to real, valid recipients, and those are getting through.

In other words, I want to ban them the moment they try the spamtrap address, thereby preventing further mail from the same IP from reaching real people.

Using Michael Orlitzky's suggestion, I found a way that uses less CPU and fewer globs:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <spamtrap@example\.com>

Reference: http://old.nabble.com/Re%3A-fail2ban-for-spamtraps-p28964882.html
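As an added example (not part of the original question and not fail2ban's own code), the script below applies the asker's first filter, the revised filter, and one tighter alternative to three of the quoted reject lines plus one constructed non-reject line, the way fail2ban-regex does, and reports which hosts each filter would ban. It assumes fail2ban expands `<HOST>` to the 0.8-era pattern `(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)`; the `tight` filter and the `benchmark` helper are my own additions, not the asker's. The practical point it surfaces: the revised `550 5\.1\.1` filter is cheaper, but it only catches "User unknown" rejects and silently skips the `5.7.1` SPAM/forged rejects that the first filter matched.

```python
import re
import time

# Constructed sample: three reject lines quoted in the question plus one
# made-up accepted-connection line (192.0.2.10 is a documentation address)
# that must not match any filter.
SAMPLE_LOG = """\
Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[117.197.114.222]: 550 5.7.1 <spamtrap@example.com>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: odwsgs.com, MTA hostname: unknown[117.197.114.222] (helo/hostname mismatch); from=<info.manager@nacha.org> to=<spamtrap@example.com> proto=ESMTP helo=<odwsgs.com>
Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[96.31.94.71]: 550 5.1.1 <spamtrap@example.com>: Recipient address rejected: User unknown; from=<onsite@ipr-management-mail.com> to=<spamtrap@example.com> proto=ESMTP helo=<ipr-management-mail.com>
Oct 28 00:40:00 si68 postfix/smtpd[18319]: NOQUEUE: reject: RCPT from unknown[63.141.229.165]: 550 5.1.1 <spamtrap@example.com>: Recipient address rejected: User unknown; from=<info@nnamedia.com> to=<spamtrap@example.com> proto=SMTP helo=<mx1.nnamedia.com>
Oct 28 01:00:00 si68 postfix/smtpd[18400]: 0123456789AB: client=mail.example.net[192.0.2.10]
"""

# Assumed <HOST> expansion (fail2ban 0.8 style); adjust if your version differs.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

FILTERS = {
    # Asker's first attempt: two unanchored greedy groups. On every one of the
    # millions of lines in a 46 MB log the engine runs .* to end-of-line and
    # backtracks, so cost scales with line length even for non-matching lines.
    "original": r"reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap",
    # Asker's revised filter: the trailing (.*) is gone and the literal tail
    # fails fast, but it now only matches 5.1.1 (User unknown) rejects.
    "revised": r"reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <spamtrap@example\.com>",
    # My tighter alternative (not from the page): a negated character class
    # instead of .* leaves nothing to backtrack over, and 5\.\d\.\d keeps the
    # original intent of banning on *any* reject to the spamtrap address.
    "tight": r"reject: RCPT from [^\[]*\[<HOST>\]: 550 5\.\d\.\d <spamtrap@example\.com>",
}


def compile_filter(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(failregex, log_text):
    """Return the host captured on each matching line, like fail2ban-regex."""
    rx = compile_filter(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def benchmark(failregex, log_text, repeats=2000):
    """Rough wall-clock cost (seconds) of running one filter over the sample."""
    rx = compile_filter(failregex)
    lines = log_text.splitlines()
    start = time.perf_counter()
    for _ in range(repeats):
        for line in lines:
            rx.search(line)
    return time.perf_counter() - start


if __name__ == "__main__":
    for name, failregex in FILTERS.items():
        print(f"{name:9s} bans {banned_hosts(failregex, SAMPLE_LOG)} "
              f"in {benchmark(failregex, SAMPLE_LOG):.3f}s")
```

Run it as-is; the timings are only indicative, but the banned-host lists are deterministic and show that `revised` drops the `117.197.114.222` reject while `tight` keeps it.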

I can't see what you're trying to accomplish. The least CPU usage you can get is to remove fail2ban and ignore the entries in the mail log. All of that mail is being rejected. So why care?

You spend CPU on the rejection (policy weight), and then again on fail2ban banning a connection that is already closed. Just ignore the past.

If you really need to do this, you should redirect the log. Use a syslog-ng filter to create a log file just for the spamtrap. Then run fail2ban on that small log file.

Source: https://serverfault.com/questions/326463