That’s pretty good Jerry, thanks. A much reduced list of bad ips
robert

> On 6 Jul 2020, at 16:31, Jerry <postfix-u...@seibercom.net> wrote:
>
> On Mon, 6 Jul 2020 11:06:17 -0400 (EDT), Wietse Venema stated:
>> Robert Chalmers (Author):
>>>
>>> Such as this one?
>>>
>>> Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from unknown[45.125.65.52] ehlo=1 auth=0/1 quit=1 commands=?
>>
>> Like Benny writes, you need to trigger on the auth=x/y part, not
>> the client hostname.
>>
>> Wietse
>>
>>> So I have anyway written this to find them
>>> sudo grep unknown /var/log/postfix.log | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq > output.txt
>>>
>>> Take out my own network and localhost etc, and put them into pfct's
>>> badguys
>>>
>>> works nicely.
>>>
>>> thanks
>>> robert
>>>
>>>> On 6 Jul 2020, at 14:28, Wietse Venema <wie...@porcupine.org>
>>>> wrote:
>>>>
>>>> auth=
>
> I was using this in a script I wrote. It seemed to work correctly.
>
> <code snippet>
> bzgrep -e auth=0/1 "/var/log/maillog" | sed 's/.*\[\([^]]*\)\].*/\1/g' | sort -V | uniq > "/tmp/Bad_IP.txt"
> </code snippet>
>
> --
> Jerry
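
The advice in the thread to trigger on the `auth=x/y` counter instead of the client hostname, worked through as an added example that is not part of the original messages. It assumes the Postfix `disconnect` line format `name=successes/total`; the function names `failed_auth_ips` and `sample_log`, the threshold, and the sample log lines (documentation addresses) are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample log: note the resolved hostname with failed AUTH and
# the "unknown" client that never attempted AUTH at all.
sample_log() {
cat <<'EOF'
Jul 06 08:10:03 www postfix/smtpd[6155]: disconnect from unknown[203.0.113.52] ehlo=1 auth=0/1 quit=1 commands=2/3
Jul 06 08:11:40 www postfix/smtpd[6160]: disconnect from unknown[203.0.113.52] ehlo=1 auth=0/2 quit=1 commands=2/4
Jul 06 08:12:09 www postfix/smtpd[6171]: disconnect from mail.example.net[198.51.100.7] ehlo=1 auth=0/3 rset=1 quit=1 commands=3/6
Jul 06 08:13:30 www postfix/smtpd[6180]: disconnect from unknown[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 06 08:14:02 www postfix/smtpd[6188]: disconnect from client.example.org[192.0.2.77] ehlo=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=6/7
Jul 06 08:15:45 www postfix/smtpd[6190]: disconnect from unknown[192.168.1.20] ehlo=1 auth=0/4 quit=1 commands=2/6
EOF
}

# Usage: failed_auth_ips THRESHOLD [SKIP_PREFIX ...]   (hypothetical helper)
# Reads smtpd log lines on stdin and prints "failures ip" for every client
# whose summed AUTH failures reach THRESHOLD. SKIP_PREFIX is a plain string
# prefix for your own networks; keep the trailing dot ("192.168.1.").
failed_auth_ips() {
    threshold=$1; shift
    awk -v threshold="$threshold" -v skip="$*" '
    BEGIN { nskip = split(skip, prefixes, " ") }
    /smtpd\[/ {
        # Locate "disconnect from" by content, not by fixed field position.
        for (i = 2; i < NF; i++) if ($(i-1) == "disconnect" && $i == "from") break
        if (i >= NF) next
        client = $(i + 1)                        # e.g. unknown[203.0.113.52]
        ip = substr(client, index(client, "[") + 1)
        sub(/\]$/, "", ip)
        for (k = 1; k <= nskip; k++) if (index(ip, prefixes[k]) == 1) next
        for (j = i + 2; j <= NF; j++)
            if ($j ~ /^auth=[0-9]+\/[0-9]+$/) {  # plain auth=N means all succeeded
                split(substr($j, 6), c, "/")
                failed[ip] += c[2] - c[1]        # total minus successes
            }
    }
    END { for (ip in failed) if (failed[ip] >= threshold) print failed[ip], ip }
    ' | sort -k1,1nr -k2,2
}

sample_log | failed_auth_ips 2 "192.168.1." "127."
```

Summing `total - successes` per address also catches `auth=0/2` and `auth=1/2`, which a literal match on `auth=0/1` does not, and the threshold keeps a single mistyped password from landing a legitimate client on the list.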