Thanks Jerry,
That looks good. 

-----
Robert Chalmers
https://robert-chalmers.uk
https://robert-chalmers.com
@R_A_Chalmers


> On 6 Jul 2020, at 4:32 pm, Jerry <postfix-u...@seibercom.net> wrote:
> 
> On Mon, 6 Jul 2020 11:06:17 -0400 (EDT), Wietse Venema stated:
>> Robert Chalmers (Author):
>>> 
>>> 
>>> Such as this one?
>>> 
>>> Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=?
>> 
>> Like Benny writes, you need to trigger on the auth=x/y part, not
>> the client hostname.
>> 
>>    Wietse
>> 
>>> So I have anyway written this to find them 
>>> sudo grep unknown /var/log/postfix.log | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq > output.txt
>>> 
>>> Take out my own network and localhost etc, and put them into pfct's
>>> badguys
>>> 
>>> works nicely.
>>> 
>>> thanks
>>> robert
>>> 
>>> 
>>> 
>>>> On 6 Jul 2020, at 14:28, Wietse Venema <wie...@porcupine.org>
>>>> wrote:
>>>> 
>>>> auth=  
> 
> I was using this in a script I wrote. It seemed to work correctly.
> 
> <code snippet>
> bzgrep -e auth=0/1 "/var/log/maillog" | sed 's/.*\[\([^]]*\)\].*/\1/g' | sort -V | uniq > "/tmp/Bad_IP.txt"
> </code snippet>
> 
> -- 
> Jerry
> 
> 
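
Added example, not code from any poster in this thread: a filter that keys on the auth=ok/total counter of Postfix smtpd "disconnect" lines rather than on the client hostname. It goes beyond the auth=0/1 case by counting any session where ok < total and summing the failures per address. The function names, the threshold and allowlist parameters, and the sample log lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads Postfix log lines on stdin and prints "<failures> <ip>".
#   $1 = minimum total failed AUTH attempts to report (default 1)
#   $2 = space-separated allowlist of addresses to skip (default 127.0.0.1)
failed_auth_ips() {
    awk -v min="${1:-1}" -v allow="${2:-127.0.0.1}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /\/smtpd\[[0-9]+\]: disconnect from / {
        ip = ""; fails = 0
        for (i = 2; i <= NF; i++) {
            # The client field follows "from" and looks like host[addr].
            if ($(i-1) == "from" && $i ~ /\]$/) {
                ip = $i; sub(/^.*\[/, "", ip); sub(/\]$/, "", ip)
            }
            # auth=ok/total is logged only when at least one attempt failed;
            # a bare auth=N means every attempt succeeded.
            if ($i ~ /^auth=[0-9]+\/[0-9]+$/) {
                split(substr($i, 6), c, "/"); fails = c[2] - c[1]
            }
        }
        if (ip != "" && fails > 0 && !(ip in skip)) total[ip] += fails
    }
    END { for (ip in total) if (total[ip] >= min) print total[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 06 08:11:40 www postfix/smtpd[6160]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 commands=1/4
Jul 06 08:12:02 www postfix/smtpd[6161]: disconnect from mail.example.org[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 06 08:13:15 www postfix/smtpd[6170]: disconnect from unknown[203.0.113.5] ehlo=1 mail=0/1 quit=1 commands=2/3
Jul 06 08:14:09 www postfix/smtpd[6171]: disconnect from client.example.net[198.51.100.20] ehlo=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=6/7
Jul 06 08:15:00 www postfix/smtpd[6172]: disconnect from localhost[127.0.0.1] ehlo=1 auth=0/1 quit=1 commands=2/3
EOF
}

# Demo on the sample; on a server: failed_auth_ips 3 < /var/log/maillog
sample_log | failed_auth_ips
```

In the sample, 203.0.113.5 is an "unknown" host that never tried AUTH and is not listed, while 198.51.100.20 has a resolvable name and one failed attempt and is.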
