So I get lots and lots of messages in my mail log at work, like this:
-----------------------------------------------------------------------
Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT
from 215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1
<vivrusse@contributionship.com>: Recipient address rejected: Access denied;
from=<aatamykni@radiant.net> to=<vivrusse@contributionship.com> proto=SMTP
helo=<radiant.net>
Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT
from unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>:
Recipient address rejected: Access denied; from=<nats@kali.it>
to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>
-----------------------------------------------------------------------
These are all email attempts to non-existent users, probably sent from virus-infected
machines or spammers. So many, in fact, that I can't find anything
else in the log easily. So I'd like to tell logcheck to ignore any of these
messages that have "Recipient address rejected: Access denied;" in them.
But my regex knowledge is ... let's charitably call it almost non-existent.
:-) From samples, I've come up with something that I think will partially
work.
^\w{3} [ :0-9]{11} cliff-clavin postfix/smptd\[[0-9]+\]: NOQUEUE: reject: RCPT from.$
This will ignore ALL "NOQUEUE: reject:" messages in my mail log, I think.
Yes?
I guess I should just be ignoring the "Recipient address rejected: Access
denied;" ones. But I don't know how to phrase that.
Can anybody lend a hand?
Thanks
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
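As an added example (not from the original post), here is a rule that matches only the "Recipient address rejected: Access denied;" rejects and a check of it against the two log lines quoted above plus two constructed lines that should still be reported. logcheck evaluates its ignore rules as extended regexes (egrep); Python's re is used here as a stand-in because this pattern behaves the same in both.

```python
import re

# Rule narrowed to the "Access denied" rejects only. One rule per line is what a file under
# /etc/logcheck/ignore.d.server/ expects; the hostname "cliff-claven" is taken from the log.
ACCESS_DENIED_RULE = re.compile(
    r"^\w{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT "
    r"from [^ ]+\[[0-9.]+\]: 554 5\.7\.1 <[^>]+>: Recipient address rejected: Access denied; "
    r"from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^>]*>$"
)

# The pattern from the post, kept for comparison: "cliff-clavin" and "smptd" do not match the
# log's "cliff-claven" / "smtpd", and "from.$" demands exactly one character after "from".
ORIGINAL_ATTEMPT = re.compile(
    r"^\w{3} [ :0-9]{11} cliff-clavin postfix/smptd\[[0-9]+\]: NOQUEUE: reject: RCPT from.$"
)

# Constructed sample: the two rejects from the post re-joined onto one line each (syslog writes
# them unwrapped), then a relay-attempt reject and a warning that an admin would want to keep.
SAMPLE_LOG = [
    "Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT "
    "from 215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1 "
    "<vivrusse@contributionship.com>: Recipient address rejected: Access denied; "
    "from=<aatamykni@radiant.net> to=<vivrusse@contributionship.com> proto=SMTP helo=<radiant.net>",
    "Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT "
    "from unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>: "
    "Recipient address rejected: Access denied; from=<nats@kali.it> "
    "to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>",
    "Jan 18 07:05:41 cliff-claven postfix/smtpd[15430]: NOQUEUE: reject: RCPT "
    "from unknown[203.0.113.7]: 454 4.7.1 <someone@example.org>: Relay access denied; "
    "from=<bounce@example.net> to=<someone@example.org> proto=SMTP helo=<example.net>",
    "Jan 18 07:06:02 cliff-claven postfix/smtpd[15430]: warning: hostname mail.example.net "
    "does not resolve to address 203.0.113.7",
]


def is_ignored(line: str) -> bool:
    """True if logcheck would drop this line under ACCESS_DENIED_RULE."""
    return ACCESS_DENIED_RULE.match(line) is not None


def original_attempt_matches(line: str) -> bool:
    """True if the post's own pattern would have matched this line."""
    return ORIGINAL_ATTEMPT.match(line) is not None


def reportable(lines):
    """Lines logcheck would still report, i.e. everything the rule does not match."""
    return [line for line in lines if not is_ignored(line)]


if __name__ == "__main__":
    for line in reportable(SAMPLE_LOG):
        print(line)
```

Running it prints only the relay reject and the warning; the original pattern matches none of the four lines.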