On Mon, 6 Jul 2020 11:06:17 -0400 (EDT), Wietse Venema stated:
>Robert Chalmers (Author):
>> 
>> 
>> Such as this one?
>> 
>> Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from
>> unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=?  
>
>Like Benny writes, you need to trigger on the auth=x/y part, not
>the client hostname.
>
>       Wietse
>
>> So I have anyway written this to find them 
>> sudo grep unknown /var/log/postfix.log \
>>   | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq > output.txt
>> 
>> Take out my own network and localhost etc, and put them into pfctl's
>> badguys
>> 
>> works nicely.
>> 
>> thanks
>> robert
>> 
>> 
>>   
>> > On 6 Jul 2020, at 14:28, Wietse Venema <wie...@porcupine.org>
>> > wrote:
>> > 
>> > auth=  

I was using this in a script I wrote. It seemed to work correctly.

<code snippet>
bzgrep -e auth=0/1 "/var/log/maillog" | sed 's/.*\[\([^]]*\)\].*/\1/g' \
  | sort -V | uniq > "/tmp/Bad_IP.txt"
</code snippet>

-- 
Jerry
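Wietse's point above, that the auth=x/y counter and not the "unknown" client name is the signal, carried into a small parser as an added example (not code from anyone in this thread). It keys on the disconnect summary, counts only failed SASL attempts per client, skips the allowlisted own network and localhost that Robert mentions removing by hand, and applies a threshold before a line is proposed for a firewall table; the log lines and network ranges are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Postfix smtpd logs a per-connection summary at disconnect. The
# "auth=succeeded/attempted" counter is the only reliable sign of a SASL
# attempt; "unknown" just means the client has no reverse DNS.
DISCONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S+?\[([^\]]+)\](?P<rest>.*)$")
AUTH_RE = re.compile(r"\bauth=(\d+)/(\d+)\b")

# Constructed sample lines (documentation addresses, not a real server).
SAMPLE_LOG = """\
Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 06 08:11:15 www postfix/smtpd[6155]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/2 quit=1 commands=2/4
Jul 06 08:12:40 www postfix/smtpd[6160]: disconnect from mail.example.org[198.51.100.9] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 06 08:13:02 www postfix/smtpd[6161]: disconnect from unknown[192.168.1.20] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 06 08:14:30 www postfix/smtpd[6162]: disconnect from unknown[203.0.113.200] ehlo=1 quit=1 commands=2
"""


def failed_auth_counts(log_text, allowlist=("127.0.0.0/8", "::1/128")):
    """Map client IP -> number of failed SASL attempts, taken from disconnect
    summaries whose auth= counter shows failures. Addresses inside the
    allowlisted networks (own LAN, localhost) are skipped."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    failures = Counter()
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        auth = AUTH_RE.search(m.group("rest"))
        if not auth:
            continue  # no AUTH command on this connection: nothing to judge
        succeeded, attempted = int(auth.group(1)), int(auth.group(2))
        if succeeded >= attempted:
            continue  # every attempt succeeded: a legitimate user
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a literal address; leave it alone
        if any(ip in net for net in allowed):
            continue
        failures[str(ip)] += attempted - succeeded
    return dict(failures)


def blocklist_candidates(log_text, threshold=1, allowlist=("127.0.0.0/8", "::1/128")):
    """Sorted IPs with at least `threshold` failed attempts, to be reviewed
    before they go into a firewall table."""
    counts = failed_auth_counts(log_text, allowlist)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```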
