Blacklist an IP

I want to block a specific IP semi-permanently.

I tried this command:
fail2ban-client set JAIL banip

with response:
NOK: ('JAIL',)
Sorry but the jail 'JAIL' does not exist

Clearly I need to replace ‘JAIL’ with an appropriate name - but what?

Hoping to stop being hit with mail bounces real soon!


Decided to use
fail2ban-client set recidive banip
which worked.
The spammer/faulty server switched to the next address, which I then banned. And now silence.

The unwanted traffic was coming in on port 25, at the rate of 20+ emails/sec, reporting an email bounce.

So really I’d like to know why fail2ban didn’t stop this traffic by itself. I had restarted fail2ban with no effect.
I could see it banning sshd attempts.

Anyway panic over for now


There probably is no matching filter/jail defined in fail2ban for the report that you saw. That might or might not have been on purpose, depending on the exact report that is present in the logs. Can you provide an (anonymized) example of the unwanted traffic?
Also note that the bantime of recidive is by default set to 1 week (I think). This means fail2ban will remove the ban after a week, so you might want to check recurrence of the noisy IP at that time.

I personally would use ufw to block the IP instead.

sudo ufw deny from {ip-address-here} to any (do not use the brackets)

sudo ufw reload


Below is a sample of the emails. They were arriving at > 30 per minute.
I did check for any mention of the source IP in the logs and jails, but didn’t find any.

As I understand it, fail2ban blocks multiple connection attempts to services. But once you’ve made a single connection to port 25 you can send as many emails as you like as part of the same connection (emails with bcc recipients rely on this).
So I am not sure that fail2ban is what would be blocking such an attack (or faulty behaviour, to be generous). Is there any defence in MIAB, and if so, what could be wrong with my system?

Return-Path: <>
Received: from ([])
by with LMTP id ePvrNkNfM2HdGQAAaZtI8A
for; Sat, 04 Sep 2021 12:57:55 +0100
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
X-Spam-Flag: YES
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.6 required=5.0 tests=BAYES_00,DMARC_FAIL_REJECT,
autolearn_force=no version=3.4.2
* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0000]
* 10 DMARC_FAIL_REJECT DMARC check failed (p=reject)
* 2.0 SPF_NONE SPF record not found
* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
* provider (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at] (mailer-daemon[at]
* (mailer-daemon[at]
* 1.5 SPOOFED_FREEMAIL No description available.
X-Spam-Score: 11.6
Received: from ( [])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by (Postfix) with ESMTPS id 9969B81BE6
for; Sat, 4 Sep 2021 12:57:55 +0100 (BST)
Authentication-Results:; dmarc=fail (p=reject dis=none)
Authentication-Results:; spf=none
Authentication-Results:; dkim=none; dkim-atps=neutral
Received: by (Postfix)
id AFF822C8024B; Sat, 4 Sep 2021 18:57:54 +0700 (+07)
Date: Sat, 4 Sep 2021 18:57:54 +0700 (+07)
From: (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
Content-Transfer-Encoding: 7bit

This is a MIME-encapsulated message.

Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host

I’m sorry to have to inform you that your message could not
be delivered to one or more recipients. It’s attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

               The mail system (expanded from user unknown

Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns;
X-Postfix-Queue-ID: 978212C8519F
X-Postfix-Sender: rfc822;
Arrival-Date: Sat, 4 Sep 2021 18:57:54 +0700 (+07)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.1.1
Diagnostic-Code: x-unix; user unknown

Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Received: from localhost (unknown [])
by (Postfix) with ESMTP id 978212C8519F
for; Sat, 4 Sep 2021 11:57:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Status: No, score=-1.698 tagged_above=-200 required=5.2
tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=neutral
reason="invalid (public key: not available)"
Received: from ( [])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by (Postfix) with ESMTPS id 668FD2C8024B
for; Sat, 4 Sep 2021 18:57:52 +0700 (+07)
Received: by (Postfix, from userid 116)
id 777C982942; Sat, 4 Sep 2021 12:57:51 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
s=mail; t=1630756671;
From: OpenDMARC Filter
Date: Sat, 4 Sep 2021 12:57:51 +0100 (BST)
Subject: FW: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report;

Content-Type: text/plain

This is an authentication failure report for an email message received from IP on Sat, 4 Sep 2021 12:57:51 +0100 (BST).

Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results:; dmarc=fail
Original-Envelope-Id: 375E581BE6
Source-IP: (

Content-Type: text/rfc822-headers

Authentication-Results:; dkim=none; dkim-atps=neutral
Received: by (Postfix)
id 55A072C8024B; Sat, 4 Sep 2021 18:57:50 +0700 (+07)
Date: Sat, 4 Sep 2021 18:57:50 +0700 (+07)
From: (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
Content-Transfer-Encoding: 7bit



Yes thanks for that!

From the command line run @stefbishop


Is there any significant output? Significant being defined as emails in queue OTHER THAN THOSE which you may have just sent yourself or by one of your users?


There was but not now!

Indeed, in that case fail2ban will not help you. Alento’s solution works quite well in any case.
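
The bounces in the sample are accepted deliveries with an empty envelope sender (`Return-Path: <>`), which is why no fail2ban filter fires on them; the source can still be found from the Postfix log. The following is an added example, not code from the posts or from Mail-in-a-Box: it pairs each `smtpd ... client=` line with the `qmgr ... from=<>` line for the same queue ID and counts null-sender messages per client IP per minute. The log lines, IPs, queue IDs and threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix syslog lines (documentation IPs, not taken from the thread).
SAMPLE_LOG = """\
Sep  4 12:57:50 box postfix/smtpd[2101]: AAA0000001: client=mx.example.net[203.0.113.7]
Sep  4 12:57:50 box postfix/qmgr[900]: AAA0000001: from=<>, size=5120, nrcpt=1 (queue active)
Sep  4 12:57:51 box postfix/smtpd[2101]: AAA0000002: client=mx.example.net[203.0.113.7]
Sep  4 12:57:51 box postfix/qmgr[900]: AAA0000002: from=<>, size=5133, nrcpt=1 (queue active)
Sep  4 12:57:52 box postfix/smtpd[2101]: AAA0000003: client=mx.example.net[203.0.113.7]
Sep  4 12:57:52 box postfix/qmgr[900]: AAA0000003: from=<>, size=5098, nrcpt=1 (queue active)
Sep  4 12:57:55 box postfix/smtpd[2101]: AAA0000004: client=mx.example.net[203.0.113.7]
Sep  4 12:57:55 box postfix/qmgr[900]: AAA0000004: from=<>, size=5101, nrcpt=1 (queue active)
Sep  4 12:57:56 box postfix/smtpd[2102]: BBB0000001: client=mail.example.org[198.51.100.20]
Sep  4 12:57:56 box postfix/qmgr[900]: BBB0000001: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Sep  4 12:58:03 box postfix/smtpd[2103]: CCC0000001: client=unknown[192.0.2.44]
Sep  4 12:58:03 box postfix/qmgr[900]: CCC0000001: from=<>, size=3000, nrcpt=1 (queue active)
"""

# smtpd logs "<queue id>: client=<host>[<ip>]" when it accepts a message.
CLIENT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ postfix/\S*smtpd\[\d+\]: "
                       r"([0-9A-Za-z]+): client=\S*\[([0-9A-Fa-f.:]+)\]")
# qmgr logs the envelope sender for the same queue id; bounces use from=<>.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>")

def null_sender_rates(log_text):
    """Return {ip: Counter({minute: count})} for messages with envelope sender <>."""
    origin = {}                      # queue id -> (minute, client ip)
    rates = defaultdict(Counter)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            minute, qid, ip = m.groups()
            origin[qid] = (minute, ip)
            continue
        m = QMGR_RE.search(line)
        if m and m.group(1) in origin:
            minute, ip = origin.pop(m.group(1))   # count each queue id once
            if m.group(2) == "":                  # null sender: a bounce/DSN
                rates[ip][minute] += 1
    return rates

def flood_sources(log_text, per_minute=30):
    """IPs that delivered at least per_minute null-sender messages in one minute."""
    rates = null_sender_rates(log_text)
    return sorted(ip for ip, c in rates.items() if max(c.values()) >= per_minute)

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG, per_minute=3))
```

Addresses it returns are candidates for the `ufw deny from` rule given earlier in the thread; a single null-sender message from an IP is normal bounce traffic and stays below the threshold.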
