Author Topic: Mail spamming or attack?  (Read 3018 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Mail spamming or attack?
« on: April 30, 2016, 08:27:51 AM »
Hello everyone, I guess my VPS getting attacked by spammer. I noticed that within few hours time my mail log consists of numerous mail attempts from spammer.

My VPS has 2 core CPU with 4GB RAM; and has the clamav, spamassasin, amavis, & csf installed.

Anyone has the idea to get rid of this issue? Thanks.

Quote
Apr 29 21:50:19 server postfix/smtpd[20419]: disconnect from host-92-27-2-84.static.as13285.net[92.27.2.84]
Apr 29 21:50:20 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from LStLambert-657-1-68-104.w80-13.abo.wanadoo.fr[80.13.44.104]: 454 4.7.1 Service unavailable; Client host [80.13.44.104] blocked using dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?80.13.44.104; from=<> to=<Marrero_Cecil@domain.com> proto=ESMTP helo=<EX16.SUR-INTERNET.COM>
Apr 29 21:50:21 server postfix/smtpd[20416]: disconnect from LStLambert-657-1-68-104.w80-13.abo.wanadoo.fr[80.13.44.104]
Apr 29 21:50:24 server postfix/smtpd[20419]: connect from exchange.swissfilms.ch[213.200.251.180]
Apr 29 21:50:25 server postfix/smtpd[20419]: setting up TLS connection from exchange.swissfilms.ch[213.200.251.180]
Apr 29 21:50:25 server postfix/smtpd[20416]: connect from mail.sadler.at[80.123.104.70]
Apr 29 21:50:25 server postfix/smtpd[20419]: Anonymous TLS connection established from exchange.swissfilms.ch[213.200.251.180]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:25 server postfix/smtpd[20709]: connect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:25 server postfix/smtpd[20416]: setting up TLS connection from mail.sadler.at[80.123.104.70]
Apr 29 21:50:26 server postfix/smtpd[20709]: setting up TLS connection from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:26 server policyd-spf[20494]: None; identity=helo; client-ip=213.200.251.180; helo=exchange.swissfilms.ch; envelope-from=<>; receiver=numbers_danial@domain.com
Apr 29 21:50:26 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.swissfilms.ch[213.200.251.180]: 450 4.1.1 <numbers_danial@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<numbers_danial@domain.com> proto=ESMTP helo=<exchange.swissfilms.ch>
Apr 29 21:50:26 server postfix/smtpd[20416]: Anonymous TLS connection established from mail.sadler.at[80.123.104.70]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:26 server postfix/smtpd[20709]: Anonymous TLS connection established from dataclarityinc.com[96.255.180.21]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:26 server postfix/smtpd[20718]: connect from smtpmail.mih.org.uk[82.69.46.97]
Apr 29 21:50:26 server postfix/smtpd[20419]: disconnect from exchange.swissfilms.ch[213.200.251.180]
Apr 29 21:50:27 server policyd-spf[20721]: None; identity=helo; client-ip=96.255.180.21; helo=nassaugrouper.dataclarityinc.com; envelope-from=<>; receiver=penn_jewell@domain.com
Apr 29 21:50:27 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from dataclarityinc.com[96.255.180.21]: 450 4.1.1 <Penn_Jewell@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Penn_Jewell@domain.com> proto=ESMTP helo=<NassauGrouper.DataClarityinc.com>
Apr 29 21:50:27 server policyd-spf[20723]: None; identity=helo; client-ip=80.123.104.70; helo=mail.sadler.at; envelope-from=<>; receiver=knox_gretchen@domain.com
Apr 29 21:50:27 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mail.sadler.at[80.123.104.70]: 450 4.1.1 <Knox_Gretchen@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Knox_Gretchen@domain.com> proto=ESMTP helo=<mail.sadler.at>
Apr 29 21:50:27 server postfix/smtpd[20709]: disconnect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:27 server postfix/smtpd[20718]: setting up TLS connection from smtpmail.mih.org.uk[82.69.46.97]
Apr 29 21:50:27 server postfix/smtpd[20416]: disconnect from mail.sadler.at[80.123.104.70]
Apr 29 21:50:28 server postfix/smtpd[20718]: Anonymous TLS connection established from smtpmail.mih.org.uk[82.69.46.97]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:28 server policyd-spf[20725]: None; identity=helo; client-ip=82.69.46.97; helo=smtpmail.mih.org.uk; envelope-from=<>; receiver=ott_dawn@domain.com
Apr 29 21:50:29 server postfix/smtpd[20718]: NOQUEUE: reject: RCPT from smtpmail.mih.org.uk[82.69.46.97]: 450 4.1.1 <Ott_Dawn@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Ott_Dawn@domain.com> proto=ESMTP helo=<smtpmail.mih.org.uk>
Apr 29 21:50:29 server postfix/smtpd[20718]: disconnect from smtpmail.mih.org.uk[82.69.46.97]
Apr 29 21:50:30 server postfix/smtpd[20419]: connect from unknown[110.4.44.55]
Apr 29 21:50:30 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from unknown[110.4.44.55]: 450 4.7.1 Client host rejected: cannot find your hostname, [110.4.44.55]; from=<info@trainingzone.com.my> to=<cyrus@domain.com> proto=ESMTP helo=<server1trainingzonecommy>
Apr 29 21:50:30 server postfix/smtpd[20419]: disconnect from unknown[110.4.44.55]
Apr 29 21:50:30 server postfix/smtpd[20709]: connect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:31 server postfix/smtpd[20709]: setting up TLS connection from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:31 server postfix/smtpd[20709]: Anonymous TLS connection established from dataclarityinc.com[96.255.180.21]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:31 server policyd-spf[20721]: None; identity=helo; client-ip=96.255.180.21; helo=nassaugrouper.dataclarityinc.com; envelope-from=<>; receiver=penn_jewell@domain.com
Apr 29 21:50:31 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from dataclarityinc.com[96.255.180.21]: 450 4.1.1 <Penn_Jewell@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Penn_Jewell@domain.com> proto=ESMTP helo=<NassauGrouper.DataClarityinc.com>
Apr 29 21:50:31 server policyd-spf[20721]: None; identity=helo; client-ip=96.255.180.21; helo=nassaugrouper.dataclarityinc.com; envelope-from=<>; receiver=penn_jewell@domain.com
Apr 29 21:50:31 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from dataclarityinc.com[96.255.180.21]: 450 4.1.1 <Penn_Jewell@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Penn_Jewell@domain.com> proto=ESMTP helo=<NassauGrouper.DataClarityinc.com>
Apr 29 21:50:32 server postfix/smtpd[20419]: warning: 88.98.35.173: hostname c.fairfieldhigh.tameside.sch.uk verification failed: Name or service not known
Apr 29 21:50:32 server postfix/smtpd[20419]: connect from unknown[88.98.35.173]
Apr 29 21:50:32 server postfix/smtpd[20709]: disconnect from dataclarityinc.com[96.255.180.21]
Apr 29 21:50:32 server postfix/smtpd[20419]: setting up TLS connection from unknown[88.98.35.173]
Apr 29 21:50:33 server postfix/smtpd[20419]: Anonymous TLS connection established from unknown[88.98.35.173]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:33 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from unknown[88.98.35.173]: 450 4.7.1 Client host rejected: cannot find your hostname, [88.98.35.173]; from=<> to=<Bowden_Jeanie@domain.com> proto=ESMTP helo=<exchange.fairfieldhs.local>
Apr 29 21:50:34 server postfix/smtpd[20419]: disconnect from unknown[88.98.35.173]
Apr 29 21:50:40 server postfix/smtpd[20718]: connect from mail.medizin-hst.de[92.79.186.50]
Apr 29 21:50:40 server postfix/smtpd[20416]: connect from mona.bmstech.com.au[203.33.248.10]
Apr 29 21:50:40 server postfix/smtpd[20416]: setting up TLS connection from mona.bmstech.com.au[203.33.248.10]
Apr 29 21:50:41 server postfix/smtpd[20718]: setting up TLS connection from mail.medizin-hst.de[92.79.186.50]
Apr 29 21:50:41 server postfix/smtpd[20416]: Anonymous TLS connection established from mona.bmstech.com.au[203.33.248.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:41 server policyd-spf[20723]: None; identity=helo; client-ip=203.33.248.10; helo=mail.bmstech.com.au; envelope-from=<>; receiver=raymond_elmo@domain.com
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
Apr 29 21:50:41 server postfix/smtpd[20718]: Anonymous TLS connection established from mail.medizin-hst.de[92.79.186.50]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:41 server policyd-spf[20723]: None; identity=helo; client-ip=203.33.248.10; helo=mail.bmstech.com.au; envelope-from=<>; receiver=raymond_elmo@domain.com
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
Apr 29 21:50:42 server postfix/smtpd[20416]: disconnect from mona.bmstech.com.au[203.33.248.10]
Apr 29 21:50:42 server policyd-spf[20725]: None; identity=helo; client-ip=92.79.186.50; helo=mail.medizin-hst.de; envelope-from=<>; receiver=cummins_susie@domain.com
Apr 29 21:50:42 server postfix/smtpd[20718]: NOQUEUE: reject: RCPT from mail.medizin-hst.de[92.79.186.50]: 450 4.1.1 <Cummins_Susie@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Cummins_Susie@domain.com> proto=ESMTP helo=<mail.medizin-hst.de>
Apr 29 21:50:43 server postfix/smtpd[20718]: disconnect from mail.medizin-hst.de[92.79.186.50]
Apr 29 21:50:56 server postfix/smtpd[20709]: connect from polara1.lnk.telstra.net[165.228.174.43]
Apr 29 21:50:56 server postfix/smtpd[20416]: connect from static-198-181.grapevine.transact.net.au[121.127.198.181]
Apr 29 21:50:57 server postfix/smtpd[20416]: setting up TLS connection from static-198-181.grapevine.transact.net.au[121.127.198.181]
Apr 29 21:50:57 server postfix/smtpd[20709]: setting up TLS connection from polara1.lnk.telstra.net[165.228.174.43]
Apr 29 21:50:57 server postfix/smtpd[20416]: Anonymous TLS connection established from static-198-181.grapevine.transact.net.au[121.127.198.181]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:57 server postfix/smtpd[20419]: connect from exchange.leupamed.at[80.123.184.238]
Apr 29 21:50:57 server postfix/smtpd[20709]: Anonymous TLS connection established from polara1.lnk.telstra.net[165.228.174.43]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:50:57 server policyd-spf[20723]: None; identity=helo; client-ip=121.127.198.181; helo=remote.patriotalliance.com.au; envelope-from=<>; receiver=robles_robt@domain.com
Apr 29 21:50:57 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from static-198-181.grapevine.transact.net.au[121.127.198.181]: 450 4.1.1 <Robles_Robt@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Robles_Robt@domain.com> proto=ESMTP helo=<remote.patriotalliance.com.au>
Apr 29 21:50:58 server postfix/smtpd[20419]: setting up TLS connection from exchange.leupamed.at[80.123.184.238]
Apr 29 21:50:58 server postfix/smtpd[20416]: disconnect from static-198-181.grapevine.transact.net.au[121.127.198.181]
Apr 29 21:50:58 server policyd-spf[20721]: None; identity=helo; client-ip=165.228.174.43; helo=mail.orbitaltraffic.com.au; envelope-from=<>; receiver=howe_shelley@domain.com
Apr 29 21:50:58 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from polara1.lnk.telstra.net[165.228.174.43]: 450 4.1.1 <Howe_Shelley@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Howe_Shelley@domain.com> proto=ESMTP helo=<mail.orbitaltraffic.com.au>
Apr 29 21:50:58 server postfix/smtpd[20718]: connect from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]
Apr 29 21:50:58 server postfix/smtpd[20419]: Anonymous TLS connection established from exchange.leupamed.at[80.123.184.238]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:58 server policyd-spf[20721]: None; identity=helo; client-ip=165.228.174.43; helo=mail.orbitaltraffic.com.au; envelope-from=<>; receiver=howe_shelley@domain.com
Apr 29 21:50:58 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from polara1.lnk.telstra.net[165.228.174.43]: 450 4.1.1 <Howe_Shelley@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Howe_Shelley@domain.com> proto=ESMTP helo=<mail.orbitaltraffic.com.au>
Apr 29 21:50:58 server postfix/smtpd[20416]: connect from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]
Apr 29 21:50:58 server policyd-spf[20721]: None; identity=helo; client-ip=165.228.174.43; helo=mail.orbitaltraffic.com.au; envelope-from=<>; receiver=howe_shelley@domain.com
Apr 29 21:50:58 server postfix/smtpd[20709]: NOQUEUE: reject: RCPT from polara1.lnk.telstra.net[165.228.174.43]: 450 4.1.1 <Howe_Shelley@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Howe_Shelley@domain.com> proto=ESMTP helo=<mail.orbitaltraffic.com.au>
Apr 29 21:50:58 server postfix/smtpd[20718]: setting up TLS connection from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]
Apr 29 21:50:59 server postfix/smtpd[20797]: connect from diy2247803.lnk.telstra.net[139.130.128.94]
Apr 29 21:50:59 server postfix/smtpd[20416]: setting up TLS connection from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]
Apr 29 21:50:59 server postfix/smtpd[20709]: disconnect from polara1.lnk.telstra.net[165.228.174.43]
Apr 29 21:50:59 server postfix/smtpd[20718]: Anonymous TLS connection established from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:59 server policyd-spf[20494]: None; identity=helo; client-ip=80.123.184.238; helo=exchange.leupamed.at; envelope-from=<>; receiver=hendricks_garth@domain.com
Apr 29 21:50:59 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.leupamed.at[80.123.184.238]: 450 4.1.1 <Hendricks_Garth@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Hendricks_Garth@domain.com> proto=ESMTP helo=<exchange.leupamed.at>
Apr 29 21:50:59 server postfix/smtpd[20797]: setting up TLS connection from diy2247803.lnk.telstra.net[139.130.128.94]
Apr 29 21:50:59 server postfix/smtpd[20416]: Anonymous TLS connection established from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 29 21:50:59 server policyd-spf[20494]: None; identity=helo; client-ip=80.123.184.238; helo=exchange.leupamed.at; envelope-from=<>; receiver=hendricks_garth@domain.com
Apr 29 21:50:59 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.leupamed.at[80.123.184.238]: 450 4.1.1 <Hendricks_Garth@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Hendricks_Garth@domain.com> proto=ESMTP helo=<exchange.leupamed.at>
Apr 29 21:50:59 server postfix/smtpd[20797]: Anonymous TLS connection established from diy2247803.lnk.telstra.net[139.130.128.94]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 29 21:51:00 server policyd-spf[20725]: None; identity=helo; client-ip=84.9.16.58; helo=server2008.surveyassociatesltd.local; envelope-from=<>; receiver=peterson_jackson@domain.com
Apr 29 21:51:00 server postfix/smtpd[20718]: NOQUEUE: reject: RCPT from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]: 450 4.1.1 <Peterson_Jackson@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Peterson_Jackson@domain.com> proto=ESMTP helo=<server2008.surveyassociatesltd.local>
Apr 29 21:51:00 server policyd-spf[20723]: None; identity=helo; client-ip=100.0.172.19; helo=rxa-srv1.rxadvance.com; envelope-from=<>; receiver=jack_rosemarie@domain.com
Apr 29 21:51:00 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]: 450 4.1.1 <Jack_Rosemarie@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Jack_Rosemarie@domain.com> proto=ESMTP helo=<RXA-SRV1.RxAdvance.com>
Apr 29 21:51:00 server postfix/smtpd[20419]: disconnect from exchange.leupamed.at[80.123.184.238]
Apr 29 21:51:00 server postfix/smtpd[20709]: connect from remote.lowercolumbiacap.org[74.85.50.138]
Apr 29 21:51:00 server postfix/smtpd[20416]: disconnect from static-100-0-172-19.bstnma.fios.verizon.net[100.0.172.19]
Apr 29 21:51:00 server postfix/smtpd[20718]: disconnect from static-84-9-16-58.vodafonexdsl.co.uk[84.9.16.58]
Apr 29 21:51:00 server postfix/smtpd[20709]: setting up TLS connection from remote.lowercolumbiacap.org[74.85.50.138]
Apr 29 21:51:00 server policyd-spf[20808]: None; identity=helo; client-ip=139.130.128.94; helo=mail.diytiles.com.au; envelope-from=<>; receiver=drake_emil@domain.com
Apr 29 21:51:00 server postfix/smtpd[20797]: NOQUEUE: reject: RCPT from diy2247803.lnk.telstra.net[139.130.128.94]: 450 4.1.1 <Drake_Emil@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Drake_Emil@domain.com> proto=ESMTP helo=<mail.diytiles.com.au>
Apr 29 21:51:00 server postfix/smtpd[20709]: Anonymous TLS connection established from remote.lowercolumbiacap.org[74.85.50.138]: TLSv1 with cipher AES256-SHA (256/256 bits)
« Last Edit: May 02, 2016, 12:27:04 PM by infinitech07 »

Offline
*****
Re: Mail spamming or attack?
« Reply #1 on: April 30, 2016, 08:41:37 AM »
change your credentials

Offline
*
Re: Mail spamming or attack?
« Reply #2 on: April 30, 2016, 10:32:25 AM »
change your credentials

Hi Sandeep. Do you mean to change the password for every email accounts?

Offline
*****
Re: Mail spamming or attack?
« Reply #3 on: April 30, 2016, 12:14:51 PM »
if possible do it and update the server

Offline
***
Re: Mail spamming or attack?
« Reply #4 on: April 30, 2016, 01:28:01 PM »
Anyone has the idea to get rid of this issue? Thanks.

I think no way to prevent spammer host trying to send spam mail to our server, unless you block the ip's....

Offline
*
Re: Mail spamming or attack?
« Reply #5 on: May 02, 2016, 12:41:48 PM »
if possible do it and update the server

I did that but nothing is help.  :-\

However, after done some researches, I guess either fail2ban or csf might help to solve this issue.
For CSF, need to set the custom regex on CSF but I need someone helping me on the custom regex for detecting the patterns at below.

Quote
Apr 29 21:50:20 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from LStLambert-657-1-68-104.w80-13.abo.wanadoo.fr[80.13.44.104]: 454 4.7.1 Service unavailable; Client host [80.13.44.104] blocked using dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?80.13.44.104; from=<> to=<Marrero_Cecil@domain.com> proto=ESMTP helo=<EX16.SUR-INTERNET.COM>
Apr 29 21:50:26 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.swissfilms.ch[213.200.251.180]: 450 4.1.1 <numbers_danial@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<numbers_danial@domain.com> proto=ESMTP helo=<exchange.swissfilms.ch>

I had this regex set in the file /etc/csf/regex.custom.pm, but it did not work.
Quote
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+reject: RCPT from \S+: 450 4.1.1/))  {
      return ("SMTP spam attack",$1,"SMTP","1","1");
}

As for fail2ban, I enabled the [postfix-tcpwrapper] at /etc/fail2ban/jail.conf. And, in file /etc/fail2ban/filter.d/postfix.conf, I had the regex pattern set but nothing seems to work as nothing appended into file /etc/hosts.deny.
Quote
[postfix-tcpwrapper]
enabled  = true
filter   = postfix
action   = hostsdeny[file=/etc/hosts.deny]
logpath  = /var/log/postfix.log
bantime  = 604800
ignoreip = 127.0.0.1/8
findtime  = 300
maxretry = 1

Quote
failregex = reject: RCPT from .*\[<HOST>\]: 450 4.1.1
            .*postfix/\smtpd.*reject: RCPT from .*\[<HOST>\]: 450 4.1.1

Anyone can advise me on the regex pattern? Thanks.