We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it is always a dictionary attack.
We also have a SPAM proxy (ASSP) that filters incoming mail before sending a connection to the mail server; the connections are for ports 25 and 587. The mail server logs these connections as:

    11:01:16.678 4 SMTPI-022601([127.0.0.1]) rsp: 334 VXNlcm5hbWU6

When a spammer uses port 465, though, it bypasses the filter and connects to the mail server directly:

    10:37:36.384 4 SMTPI-022587([176.111.173.47]) rsp: 334 VXNlcm5hbWU6

My question is: How do I create a regular expression that ignores the log entries with "127.0.0.1"?

The current regex is:

    failregex = ^.*\[<HOST>\] .* 334 VXNlcm5hbWU6.*

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
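One way to exclude the proxy's loopback entries, as an added example that is not part of the original post: a negative lookahead placed before `<HOST>`, checked offline against the two log lines quoted above. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and `FAILREGEX`, `offending_hosts` and the constructed lines are names and data assumed for this sketch.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real expansion also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate failregex. It is not anchored on the timestamp, so it does not
# depend on whether the date has been stripped from the line. The lookahead
# (?!127\.0\.0\.1\]) rejects the proxy's address before <HOST> is captured,
# and "\)" matches the ")" that follows "]" in the sample lines.
FAILREGEX = (r"SMTPI-\d+\(\[(?!127\.0\.0\.1\])<HOST>\]\) "
             r"rsp: 334 VXNlcm5hbWU6")

# The two log lines quoted in the post.
POSTED_LINES = [
    "11:01:16.678 4 SMTPI-022601([127.0.0.1]) rsp: 334 VXNlcm5hbWU6",
    "10:37:36.384 4 SMTPI-022587([176.111.173.47]) rsp: 334 VXNlcm5hbWU6",
]

# Constructed lines (not from the post) using documentation addresses:
# one with a different response, one more direct AUTH LOGIN prompt.
CONSTRUCTED_LINES = [
    "10:41:00.000 4 SMTPI-022591([203.0.113.9]) rsp: 250 OK",
    "10:42:00.000 4 SMTPI-022592([198.51.100.7]) rsp: 334 VXNlcm5hbWU6",
]


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def offending_hosts(lines, failregex=FAILREGEX):
    """Return the captured host of every line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = rx.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    for host in offending_hosts(POSTED_LINES + CONSTRUCTED_LINES):
        print("would count a failure for", host)
```

Before deploying a pattern like this, run it through `fail2ban-regex` against the real mail log, since fail2ban's own `<HOST>` expansion and date handling differ from this stand-in.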