Hi,
Here is another suggestion. It will be easier for me to explain it like this:
#exim
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /.*\[(\d+\.\d+\.\d+\.\d+)\].*A\=login\:(?:[a-zA-Z0-9\-\_\.]+\@([a-zA-Z0-9\-\_\.]+)).*\<(?:[a-zA-Z0-9\-\.]+\@(?(?!\2)([a-zA-Z0-9\-\_\.]+)))>.*/)) {
    return ("Illegal FROM by Auth ",$1,"smtp","10","0:65535","1");
}
Assume that SMTPAUTH_LOG = /var/log/exim/mainlog.
The regex will return the relay IP if the domain of the user name from AUTH doesn't match the FROM in the header...
This is like the auth relay alert but more specific.
* This is in test on CentOS 5.4+ with DirectAdmin.
Illegal FROM by Auth
Re: Illegal FROM by Auth
You need to provide log file examples.
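An added example, not part of either post and not csf code: the check described in the first post, run over constructed exim mainlog lines, with the two domains captured separately and compared as whole strings, case-insensitively. The log lines are made up, their field layout (`[ip]`, then `A=login:user@domain`, then `from <address>`) is assumed from the regex in the first post, and `illegal_from_ip` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of csf): returns the relay IP when the domain
# of the AUTH login differs from the domain inside <...>, otherwise nothing.
sub illegal_from_ip {
    my ($line) = @_;
    # Assumed field order, taken from the regex in the post:
    #   [ip] ... A=login:user@authdomain ... <local@fromdomain>
    return unless $line =~ m{
        \[(\d+\.\d+\.\d+\.\d+)\]            # capture 1: relay IP
        .*? A=login:[\w.\-]+\@([\w.\-]+)    # capture 2: domain of the AUTH user
        .*? <[\w.\-]+\@([\w.\-]+)>          # capture 3: domain of the FROM address
    }x;
    my ($ip, $auth_dom, $from_dom) = ($1, lc $2, lc $3);
    # Whole-string comparison: a FROM domain that only starts with the AUTH
    # domain (example.com.evil.test) is still a mismatch, whereas a prefix
    # lookahead such as (?!\2) treats it as matching. Case is ignored.
    return if $auth_dom eq $from_dom;
    return $ip;
}

# Constructed sample lines (documentation IP ranges and reserved domains).
my @sample = (
    # AUTH domain and FROM domain agree
    '2010-03-01 10:00:01 1NlAAA-0001aa-AA <= bob@example.com H=(pc) [192.0.2.10] P=esmtpa A=login:bob@example.com S=812 from <bob@example.com> for x@example.net',
    # same domain, different letter case
    '2010-03-01 10:00:02 1NlAAB-0001ab-AB <= bob@Example.COM H=(pc) [192.0.2.11] P=esmtpa A=login:bob@example.com S=790 from <bob@Example.COM> for x@example.net',
    # unrelated FROM domain
    '2010-03-01 10:00:03 1NlAAC-0001ac-AC <= ceo@bank.test H=(pc) [198.51.100.7] P=esmtpa A=login:bob@example.com S=901 from <ceo@bank.test> for x@example.net',
    # FROM domain that begins with the AUTH domain
    '2010-03-01 10:00:04 1NlAAD-0001ad-AD <= bob@example.com.evil.test H=(pc) [203.0.113.9] P=esmtpa A=login:bob@example.com S=655 from <bob@example.com.evil.test> for x@example.net',
);

for my $line (@sample) {
    my $ip = illegal_from_ip($line);
    printf "%-6s %s\n", defined $ip ? 'BLOCK' : 'ok', defined $ip ? $ip : '-';
}
```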