Illegal FROM by Auth
Posted: 07 Sep 2011, 17:59
Hi,
Here is another suggestion; it will be easier for me to explain it like this:
#exim
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /.*\[(\d+\.\d+\.\d+\.\d+)\].*A\=login\:(?:[a-zA-Z0-9\-\_\.]+\@([a-zA-Z0-9\-\_\.]+)).*\<(?:[a-zA-Z0-9\-\.]+\@(?(?!\2)([a-zA-Z0-9\-\_\.]+)))>.*/)) {
return ("Illegal FROM by Auth ",$1,"smtp","10","0:65535","1");
}
Assume that SMTPAUTH_LOG = /var/log/exim/mainlog.
The regex will return the relay IP if the domain of the user name from AUTH doesn't match the FROM in the header.
This is like the auth relay alert but more specific.
* This is in test on CentOS 5.4+ with DirectAdmin.
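Added example (not code from the post, from CSF or from DirectAdmin): the same check written in Python and run over constructed mainlog-style lines that carry the three fields the rule depends on (the relay IP in [...], A=login:user@domain, and the sender in <user@domain>). It compares the two domains whole and case-insensitively rather than with the (?!\2) lookahead, which only tests that the sender domain does not start with the AUTH domain.

```python
import re

# Constructed sample lines in the shape the rule expects; they are not real
# exim logs, only the fields [ip], A=login:user@domain and <sender> matter.
SAMPLE_LINES = [
    "2011-09-07 17:59:01 1R3xyz-0001aB-Cd <= alice@example.com H=(client) [198.51.100.10] P=esmtpa A=login:alice@example.com S=1234 from <alice@example.com>",
    "2011-09-07 17:59:02 1R3xyz-0001aC-De <= bob@example.com H=(client) [198.51.100.11] P=esmtpa A=login:bob@example.com S=1234 from <billing@bank.example>",
    "2011-09-07 17:59:03 1R3xyz-0001aD-Ef <= carol@example.com H=(client) [198.51.100.12] P=esmtpa A=login:carol@example.com S=1234 from <Carol@EXAMPLE.COM>",
    "2011-09-07 17:59:04 1R3xyz-0001aE-Fg <= dave@example.com H=(client) [198.51.100.13] P=esmtpa A=login:dave@example.com S=1234 from <dave@example.com.evil>",
]

LINE_RE = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"            # relay IP
    r".*?\bA=login:[\w.\-]+@(?P<auth_dom>[\w.\-]+)"   # domain of the AUTH login
    r".*?<[\w.\-]+@(?P<from_dom>[\w.\-]+)>"           # domain of the sender (FROM)
)


def illegal_from_by_auth(line):
    """Return the relay IP when the AUTH domain and the FROM domain differ,
    otherwise None. Domains are compared whole and case-insensitively, so
    'example.com' vs 'example.com.evil' is a mismatch while
    'example.com' vs 'EXAMPLE.COM' is not."""
    m = LINE_RE.search(line)
    if not m:
        return None
    if m.group("auth_dom").lower() == m.group("from_dom").lower():
        return None
    return m.group("ip")


def scan(lines):
    """Count, per relay IP, how many lines tripped the rule."""
    hits = {}
    for line in lines:
        ip = illegal_from_by_auth(line)
        if ip:
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LINES).items():
        print(f"Illegal FROM by Auth {ip} ({n} line(s))")
```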