Illegal FROM by Auth

Nerigal
Junior Member
Posts: 33
Joined: 17 Jun 2009, 16:15

Illegal FROM by Auth

Post by Nerigal »

Hi,
here is another suggestion.. it will be easier for me to explain it like this

#exim
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /.*\[(\d+\.\d+\.\d+\.\d+)\].*A\=login\:(?:[a-zA-Z0-9\-\_\.]+\@([a-zA-Z0-9\-\_\.]+)).*\<(?:[a-zA-Z0-9\-\.]+\@(?(?!\2)([a-zA-Z0-9\-\_\.]+)))>.*/)) {
    return ("Illegal FROM by Auth ",$1,"smtp","10","0:65535","1");
}

assume that SMTPAUTH_LOG = /var/log/exim/mainlog

The regex will return the relay IP if the domain of the user name from AUTH doesn't match the FROM in the header...
This is like the auth relay alert but more specific.

* this is in testing on CentOS 5.4+ with DirectAdmin
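
An added example, not part of the original posts and not csf code: the same check with the two domains captured separately and compared in Perl, so the comparison is case-insensitive and covers the whole domain. `auth_from_mismatch` is a hypothetical helper, and the log lines are constructed to contain only the fields the posted regex looks for; they are not real Exim mainlog output.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not part of csf/lfd: returns the relay IP when the
# AUTH login domain and the bracketed sender domain differ, else nothing.
sub auth_from_mismatch {
    my ($line) = @_;
    my ($ip, $auth, $from) = $line =~ m{
        \[ (\d{1,3}(?:\.\d{1,3}){3}) \]              # relay IP
        .*? \bA=login: [^\s\@]+ \@ ([A-Za-z0-9.-]+)   # domain of the AUTH login
        .*? < [^<>\@\s]+ \@ ([A-Za-z0-9.-]+) >        # domain of the sender
    }x or return;

    # Whole-string, case-insensitive comparison. A prefix test such as
    # (?!\2) treats "example.com.other.test" as equal to "example.com".
    return if lc($auth) eq lc($from);
    return $ip;
}

# Constructed sample lines (documentation addresses, assumed field layout).
my @lines = (
    '2010-03-01 10:00:01 [192.0.2.10] A=login:bob@example.com <bob@example.com>',
    '2010-03-01 10:00:02 [192.0.2.11] A=login:bob@example.com <bob@Example.COM>',
    '2010-03-01 10:00:03 [198.51.100.7] A=login:bob@example.com <ceo@other.test>',
    '2010-03-01 10:00:04 [198.51.100.8] A=login:bob@example.com <x@example.com.other.test>',
);

for my $line (@lines) {
    my $ip = auth_from_mismatch($line) or next;
    # Same return list the post uses for lfd, with the IP filled in.
    print join('|', "Illegal FROM by Auth ", $ip, "smtp", "10", "0:65535", "1"), "\n";
}
```

Only the last two constructed lines are reported; the first two authenticate and send from the same domain.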
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: Illegal FROM by Auth

Post by chirpy »

You need to provide log file examples.