qmail submission-login brute force

[ServerDude]

Good Morning,

We're running Interworx servers with qmail and have noticed that submission-logins aren't being blocked. Below is what the log entries look like in dovecot.log

Sep 15 11:01:23 submission-login: Info: Remote closed connection (auth failed, 1 attempts in 3 secs): user=, method=LOGIN, rip=, lip=, TLS, session=

We can sometimes see a few hundred attempts an hour from a single IP. Is there a regex for this type of attack?

[Sergio]

Hi.
You can create your own regex that should be written at /usr/local/csf/bin/regex.custom.pm

That is a nice way to block anything.