Additional exim regexes to cover common attacks...

2016-03-21 05:59:59 +00:00 · 2016-03-21 05:59:59 +00:00 · fe1475be95
parent bfac42eb2e
commit fe1475be95
1 changed files with 8 additions and 4 deletions
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@ -18,6 +18,9 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|
            ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
+            ^%(pid)s SMTP protocol error in "AUTH LOGIN(| \S*)" H=\(\S*\) \[<HOST>\]\:\d+ I=\[\S*\]\:\d+ AUTH command used when not advertised\s*$
+            ^%(pid)s no MAIL in SMTP connection from (|\S* )\[<HOST>\]\:\d+ I=\[\S*\]\:\d+ D=\d+s(| C=\S*)\s*$
+            ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\))\[<HOST>\]\:\d+ I=\[\S*\]\:\d+ closed by DROP in ACL\s*$

 ignoreregex = 

@ -30,3 +33,4 @@ ignoreregex =
 #
 # Author: Cyril Jaquier
 #         Daniel Black (rewrote with strong regexs)
+#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)