Script Help: How to only get text between "[" and "]" on lines within a log file?

nat (Well-Known Member, joined Jan 16, 2003)
Someone is sending e-mail to

[email protected]
[email protected]
[email protected]
....etc
[email protected]
[email protected]
....and so on.....

This is INCOMING e-mail to the server. Not outgoing.

The person doing this is using about 200 unique IPs every day.

It is causing a high load on the server even when I use :blackhole:.

If I could only get the IP addresses between the [ and ] from each line that contains the phrase "spam trap" in exim_mainlog, I could do the rest of the script that will automatically block these IPs for me.


Example:
2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<[email protected]> rejected RCPT <[email protected]>: you have sent e-mail to a spam trap. your e-mail has been discarded.

2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<[email protected]> rejected RCPT <[email protected]>: you have sent e-mail to a spam trap. your e-mail has been discarded.


I need to be able to get the 201.135.79.196 between the [ and ] and ignore the rest. Can anyone help with a command that can do this?




PS:

I am already using the following RBLs:
sbl-xbl.spamhaus.org
bl.spamcop.net
relays.ordb.org
cbl.abuseat.org
blackholes.mail-abuse.org
spam.dnsrbl.net
opm.blitzed.org
brazil.blackholes.us
malaysia.blackholes.us
china.blackholes.us

asmithjr (Well-Known Member, joined Jun 13, 2003)
How about something like this:

Code:
#!/usr/local/bin/php
<?php
// Read the log from stdin (could be a filter) and print the IP address that
// sits between [ and ] on every "rejected RCPT" line, for example:
// 2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<[email protected]> rejected RCPT <[email protected]>: you have sent e-mail to a spam trap. your e-mail has been discarded.

$fd = fopen("php://stdin", "r");
while (($line = fgets($fd)) !== false) {   // one log line at a time
    if (strstr($line, "RCPT") === false) {  // find the lines we need
        continue;
    }
    $S = explode("]", $line);               // get everything before the first ]
    $IP = explode("[", $S[0]);              // ...then everything after the [
    if (isset($IP[1])) {
        echo $IP[1] . "\n";                 // echo just the IP address
    }
}
fclose($fd);
?>

chirpy (Well-Known Member, Verified Vendor, joined Jun 15, 2002)
The following one-liner will do it:

grep "rejected RCPT" /var/log/exim_mainlog | grep -P "\d+\.\d+\.\d+\.\d+" -o

A better bet, though, would be to install a dictionary attack ACL (and switch to :fail: instead of :blackhole:):
http://www.webumake.com/free/eximdeny.htm
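A slightly more defensive version of the extraction, added here as an example and not taken from any of the posts above. It anchors on the [ and ] that nat asked about rather than on the first dotted quad in the line (a hostname such as 1.2.3.4.example.com would otherwise be picked up ahead of the real address), checks that what it found is a four-octet address, and goes one step further than the question by counting rejections per IP, so the blocking script that follows can act on repeat offenders instead of single hits. The function names spamtrap_ips and spamtrap_counts are my own, the log layout is assumed to match nat's example, and the sample lines are constructed for the example rather than taken from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): pull the IP between [ and ] from each
# exim_mainlog line that mentions "spam trap", keep only well-formed dotted
# quads, and count rejections per IP. Assumes the line layout shown in the
# thread; the sample lines below are constructed, not real traffic.

# Print the bracketed IPv4 address from every "spam trap" line read on stdin.
# Anchoring on the brackets avoids picking up digits from the hostname part.
spamtrap_ips() {
    grep -F 'spam trap' |
    sed -n 's/^[^[]*\[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)\].*$/\1/p'
}

# Count hits per IP, most frequent first, as "<count> <ip>" per line.
spamtrap_counts() {
    spamtrap_ips | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample log (hypothetical addresses from documentation ranges).
SAMPLE_LOG='2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<a@example.net> rejected RCPT <trap@example.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:14:02 H=(host.example.org) [198.51.100.7] F=<b@example.net> rejected RCPT <trap2@example.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:14:30 H=(mail.example.com) [203.0.113.9] F=<c@example.net> => ok@example.com R=lookuphost T=remote_smtp
2004-09-10 05:15:11 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<d@example.net> rejected RCPT <trap3@example.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.'

# Usage on a real server would be:  spamtrap_counts < /var/log/exim_mainlog
# Run with --demo to see the result on the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | spamtrap_counts
fi
```

On the sample above the demo prints "2 201.135.79.196" and "1 198.51.100.7"; the delivery line for 203.0.113.9 is ignored because it never mentions a spam trap. Feeding the counts rather than the raw list into the blocking step lets a threshold be applied before an address is blocked.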