
Thread: Script Help: How to only get text between "[" and "]" on lines within a log file?

  1. #1
    nat
    Member
    Join Date
    Jan 2003
    Posts
    210


    Someone is sending e-mail to

    aaaa@mydomain.com
    aaab@mydomain.com
    aaac@mydomain.com
    ....etc
    aaba@mydomain.com
    aabb@mydomain.com
    ....and so on.....

    This is INCOMING e-mail to the server. Not outgoing.

    The person doing this is using about 200 unique IPs every day.

    It is causing a high load on the server, even when I use :blackhole:.

    If I could only get the IP addresses between the [ and ] from each line that contains the phrase "spam trap" in exim_mainlog, I could do the rest of the script that will automatically block these IPs for me.


    Example:
    2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabd@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.

    2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.


    I need to be able to get the 201.135.79.196 between the [ and ] and ignore the rest. Can anyone help with a command that can do this?




    PS:

    I am already using the following RBL's:
    sbl-xbl.spamhaus.org
    bl.spamcop.net
    relays.ordb.org
    cbl.abuseat.org
    blackholes.mail-abuse.org
    spam.dnsrbl.net
    opm.blitzed.org
    brazil.blackholes.us
    malaysia.blackholes.us
    china.blackholes.us

  2. #2
    Member
    Join Date
    Jun 2003
    Posts
    396


    How about something like this

    Code:
    #!/usr/local/bin/php
    <?php
    // Read exim_mainlog from stdin (so this can be used as a filter) and
    // print the IP address between [ and ] on every line that mentions
    // "spam trap". Example input line:
    // 2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
    
    $fd = fopen("php://stdin", "r");
    while (($line = fgets($fd)) !== false) {   // one log line at a time
        if (strpos($line, "spam trap") === false) {
            continue;                          // not a line we need
        }
        $S  = explode("]", $line);             // everything before the first ]
        $IP = explode("[", $S[0]);             // ... then everything after the [
        if (isset($IP[1])) {
            echo $IP[1] . "\n";                // echo just the IP address
        }
    }
    fclose($fd);
    ?>
    -Albert

  3. #3
    chirpy (Super Moderator; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,496


    The following one liner will do it:

    grep "rejected RCPT" /var/log/exim_mainlog | grep -P "\d+\.\d+\.\d+\.\d+" -o

    A better bet, though, would be to install a dictionary attack ACL (and switch to :fail: instead of :blackhole:):
    http://www.webumake.com/free/eximdeny.htm
    Last edited by chirpy; 09-10-2004 at 09:06 AM.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
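    An added example (not posted by anyone in this thread) that does the extraction the way a blocking script would want it: it keys on the "spam trap" text rather than the broader "rejected RCPT", takes only the address Exim writes inside [ ] after the H=(...) hostname (so a dotted quad that happens to appear in the sender's reverse DNS name is never picked up), and counts hits per address so the caller can block only repeat offenders. The sample log file is constructed here from the lines in the thread plus two made-up entries; the function name spamtrap_ips and the optional minimum-hit threshold are this example's own.

    ```shell
    #!/bin/sh
    # Added example, not from the thread.
    # spamtrap_ips LOG [MIN_HITS]
    #   Print each IP (from the [ip] token) that hit a spam trap at least
    #   MIN_HITS times (default 1), one per line, sorted by address.
    spamtrap_ips() {
        log="$1"
        min="${2:-1}"
        # Only the bracketed token counts; [^]]* also keeps IPv6 literals intact.
        grep 'spam trap' "$log" \
            | sed -n 's/^.*\[\([^]]*\)\].*$/\1/p' \
            | sort | uniq -c \
            | awk -v min="$min" '$1 >= min { print $2 }'
    }

    # make_sample_log PATH
    #   Write a constructed exim_mainlog fragment: the two lines from the thread,
    #   one hit from a host whose reverse DNS name itself contains a dotted quad
    #   (a plain dotted-quad grep would wrongly return 10.9.8.7 for it), and one
    #   unrelated rejection that must not be counted.
    make_sample_log() {
        cat > "$1" <<'EOF'
2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabd@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:14:02 H=(10.9.8.7.dyn.example.net) [198.51.100.23] F=<x@example.org> rejected RCPT <aaba@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:14:30 H=(mail.example.com) [203.0.113.5] F=<bob@example.com> rejected RCPT <nobody@mydomai.com>: Unrouteable address
EOF
    }

    # Demo run on the constructed log.
    SAMPLE_LOG=$(mktemp)
    make_sample_log "$SAMPLE_LOG"
    echo "all spam-trap sources:"
    spamtrap_ips "$SAMPLE_LOG"
    echo "sources with 2 or more hits:"
    spamtrap_ips "$SAMPLE_LOG" 2
    rm -f "$SAMPLE_LOG"
    ```

    Feed the output to whatever does the blocking (for example a loop that adds firewall rules), and prefer a threshold of more than one hit so a single mistyped address from a real correspondent does not get a host blocked.
    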

  4. #4
    nat
    Member
    Join Date
    Jan 2003
    Posts
    210


    Thanks all!

    The Dictionary Deny ACL script at http://www.webumake.com/free/eximdeny.htm is doing the job nicely. 42 IPs blocked within the last 10 minutes or so.
