Hi Members,
Can someone help me to track down and block the following behavior with a custom regex?
=================================
2015-10-25 12:47:50 H=(115-87-13-177.skybandalarga.com.br) [177.13.87.115]:21944 F=<fakeuser@domainname> rejected RCPT <fakeuser@domainname>: Sender verify failed
2015-10-25 12:47:51 H=(dynamic.vdc.vn) [113.162.223.170]:59451 sender verify fail for <fakeuser@domainname>:
2015-10-25 12:47:51 H=(dynamic.vdc.vn) [113.162.223.170]:59451 F=<fakeuser@domainname> rejected RCPT <fakeuser@domainname>: Sender verify failed
2015-10-25 12:47:53 H=([188.55.207.228]) [188.55.207.228]:29827 sender verify fail for <fakeuser@domainname>:
2015-10-25 12:47:53 H=([188.55.207.228]) [188.55.207.228]:29827 F=<fakeuser@domainname> rejected RCPT <fakeuser@domainname>: Sender verify failed
2015-10-25 12:47:56 H=177-66-137-33.clonix.srv.br [177.66.137.33]:10000 sender verify fail for <fakeuser@domainname>:
2015-10-25 12:47:56 H=177-66-137-33.clonix.srv.br [177.66.137.33]:10000 F=<fakeuser@domainname> rejected RCPT <fakeuser@domainname>: Sender verify failed
=================================
Custom Regex Help Required.
Re: Custom Regex Help Required.
Thanks, much appreciated. If you can create a CSF rule for me I would be very grateful.
Re: Custom Regex Help Required.
Here you go:
It will block anyone with more than 5 matches for 1 day.
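Code:
# Match Exim "sender verify fail" lines; $2 captures the connecting IP.
if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ H=\S+ \[(\S+)\]:\d+? sender verify fail for <(\S+)>/)) {
    # Trigger level 5, ports 25/587/465, block period 86400 seconds (1 day).
    return ("Failed SENDER VERIFY from",$2,"sender_verify","5","25,587,465","86400");
}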
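To check what the rule counts before loading it into CSF, the pattern can be run offline over sample lines. The Perl script below is an added example, not part of the original posts or of CSF. Its log lines are constructed (documentation IP ranges and example.* names), and the `>=` comparison against the trigger level is an assumption about how lfd applies it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern copied from the rule in the thread; capture $2 is the client IP.
my $rule = qr/^(\S+|\S+\s+\d+\s+\S+) \S+ H=\S+ \[(\S+)\]:\d+? sender verify fail for <(\S+)>/;
my $trigger = 5;    # trigger level from the rule's return list

# Constructed sample lines in the Exim mainlog layout shown in the thread
# (documentation IP ranges and example.* names, not real hosts).
my @log = map {
    "2015-10-25 12:47:5$_ H=(dyn.example.net) [192.0.2.10]:5000$_ sender verify fail for <user\@example.org>:"
} 1 .. 5;
push @log,
    # Paired rejection line: must NOT match, or each failure counts twice.
    '2015-10-25 12:47:51 H=(dyn.example.net) [192.0.2.10]:50001 F=<user@example.org> rejected RCPT <user@example.org>: Sender verify failed',
    # HELO given as a bracketed IP literal.
    '2015-10-25 12:48:01 H=([198.51.100.7]) [198.51.100.7]:29827 sender verify fail for <user@example.org>:',
    # Exim logs "H=name (helo)" when the verified host name differs from the
    # HELO name; "H=\S+ \[" cannot span the space, so this line is missed.
    '2015-10-25 12:48:05 H=mail.example.com (helo.example.com) [203.0.113.9]:10000 sender verify fail for <user@example.org>:';

# Count matching lines per client IP.
sub tally {
    my ($lines) = @_;
    my %hits;
    for my $line (@$lines) {
        $hits{$2}++ if $line =~ $rule;
    }
    return \%hits;
}

my $hits = tally(\@log);
for my $ip (sort keys %$hits) {
    my $state = $hits->{$ip} >= $trigger ? 'at trigger' : 'below trigger';
    printf "%-15s %d match(es), %s\n", $ip, $hits->{$ip}, $state;
}

# Failure lines the rule does not see (detection gap).
my $missed = grep { /sender verify fail for/ && $_ !~ $rule } @log;
print "failure lines not matched by the rule: $missed\n";
```

Replacing the constructed lines with a copy of the server's own mainlog entries shows which hosts the rule would count and which failure lines it skips.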
Re: Custom Regex Help Required.
Thank you, marcele. You have been a wonderful help.