Mike Leone on 18 Jan 2007 15:43:01 -0000



[PLUG] Need some help with a regex for a logcheck rule ..


So I get lots and lots of messages in my mail log at work, like this:

-----------------------------------------------------------------------
Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT
from 215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1
<vivrusse@contributionship.com>: Recipient address rejected: Access denied;
from=<aatamykni@radiant.net> to=<vivrusse@contributionship.com> proto=SMTP
helo=<radiant.net>

Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT
from unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>:
Recipient address rejected: Access denied; from=<nats@kali.it>
to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>
-----------------------------------------------------------------------

These are all email attempts to non-existent users, probably sent from virus
infected machines or spammers. So many, in fact, that I can't find anything
else in the log easily. So I'd like to tell logcheck to ignore any of these
messages that have "Recipient address rejected: Access denied;" in them.

But my regex knowledge is ... let's charitably call it almost non-existent.
:-) From samples, I've come up with something that I think will partially
work.

^\w{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from.*$

This will ignore ALL "NOQUEUE: reject:" messages in my mail log, I think.
Yes?

I guess I should just be ignoring the "Recipient address rejected: Access
denied;" ones. But I don't know how to phrase that.

Can anybody lend a hand?

Thanks

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
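An added illustration (not part of the original post) of the difference between the broad draft rule and a rule narrowed to the "Recipient address rejected: Access denied;" rejects. It runs both patterns in Python's re module, which is assumed to behave like logcheck's egrep for these constructs, over the two log lines from the post (re-joined onto single lines, as syslog writes them) plus two constructed lines: a "Relay access denied" reject and a plain connect message.

```python
import re

# Narrow ignore rule: anchored on host, daemon and the exact reject reason,
# so other NOQUEUE rejects (relay attempts, sender rejects) still get reported.
IGNORE_RULE = re.compile(
    r"^\w{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: "
    r"RCPT from [^ ]+\[[0-9.]+\]: 554 5\.7\.1 <[^>]+>: "
    r"Recipient address rejected: Access denied; "
    r"from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^>]*>$"
)

# The broad draft from the post: silences every RCPT reject, whatever the reason.
BROAD_RULE = re.compile(
    r"^\w{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from.*$"
)

# Constructed sample: lines 1-2 are the post's examples re-joined; 3-4 are made up.
SAMPLE_LOG = [
    "Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT from "
    "215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1 <vivrusse@contributionship.com>: "
    "Recipient address rejected: Access denied; from=<aatamykni@radiant.net> "
    "to=<vivrusse@contributionship.com> proto=SMTP helo=<radiant.net>",
    "Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT from "
    "unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>: "
    "Recipient address rejected: Access denied; from=<nats@kali.it> "
    "to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>",
    # Constructed: a relay attempt, a different reject reason that should stay visible.
    "Jan 18 07:03:01 cliff-claven postfix/smtpd[15450]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <someone@example.net>: Relay access denied; "
    "from=<x@example.org> to=<someone@example.net> proto=SMTP helo=<example.org>",
    # Constructed: an ordinary connect line, unrelated to rejects.
    "Jan 18 07:04:30 cliff-claven postfix/smtpd[15451]: connect from unknown[192.0.2.11]",
]


def filter_log(lines, rule):
    """Return the lines logcheck would still report under the given ignore rule."""
    return [line for line in lines if not rule.search(line)]


if __name__ == "__main__":
    for name, rule in (("narrow", IGNORE_RULE), ("broad", BROAD_RULE)):
        print(f"--- still reported with the {name} rule ---")
        for line in filter_log(SAMPLE_LOG, rule):
            print(line)
```

With the narrow rule the relay attempt and the connect line are still reported; with the broad rule the relay attempt disappears along with the noise.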