
Script Help: How to only get text between "[" and "]" on lines within a log file?

Discussion in 'General Discussion' started by nat, Sep 10, 2004.

  1. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    210
    Likes Received:
    0
    Trophy Points:
    166
    Someone is sending e-mail to

    aaaa@mydomain.com
    aaab@mydomain.com
    aaac@mydomain.com
    ....etc
    aaba@mydomain.com
    aabb@mydomain.com
    ....and so on.....

    This is INCOMING e-mail to the server. Not outgoing.

    The person doing this is using about 200 unique IPs every day.

    It is causing a high load on the server, even when I use :blackhole:

    If I could only get the IP addresses between the [ and ] from each line that contains the phrase "spam trap" in exim_mainlog, I could do the rest of the script that will automatically block these IPs for me.


    Example:
    2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabd@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.

    2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.


    I need to be able to get the 201.135.79.196 between the [ and ] and ignore the rest. Can anyone help with a command that can do this?




    PS:

    I am already using the following RBLs:
    sbl-xbl.spamhaus.org
    bl.spamcop.net
    relays.ordb.org
    cbl.abuseat.org
    blackholes.mail-abuse.org
    spam.dnsrbl.net
    opm.blitzed.org
    brazil.blackholes.us
    malaysia.blackholes.us
    china.blackholes.us
     
  2. asmithjr

    asmithjr Well-Known Member

    Joined:
    Jun 13, 2003
    Messages:
    510
    Likes Received:
    5
    Trophy Points:
    168
    How about something like this:

    Code:
    #!/usr/local/bin/php
    <?php
    // Read exim_mainlog lines from stdin (so the script can be used as a filter)
    // and print the IP address found between "[" and "]" on every line that
    // rejected a recipient, e.g.:
    // 2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.

    $fd = fopen("php://stdin", "r");
    while (($line = fgets($fd)) !== false) {
        if (strpos($line, "rejected RCPT") === false) {
            continue;                           // not a rejection line, skip it
        }
        $S = explode("]", $line);               // everything before the first "]"
        $IP = explode("[", $S[0]);              // ... then everything after the "["
        if (isset($IP[1])) {
            echo $IP[1] . "\n";                 // print just the IP address
        }
    }
    fclose($fd);
    ?>

     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    22
    Trophy Points:
    463
    Location:
    Go on, have a guess
    The following one-liner will do it:

    grep "rejected RCPT" /var/log/exim_mainlog | grep -P "\d+\.\d+\.\d+\.\d+" -o

    A better bet, though, would be to install a dictionary attack ACL (and switch to :fail: instead of :blackhole:):
    http://www.webumake.com/free/eximdeny.htm
     
    #3 chirpy, Sep 10, 2004
    Last edited: Sep 10, 2004
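The extraction nat asked for, done in a way that keys on the "spam trap" phrase and the brackets rather than on the first dotted number in the line (the one-liner above matches any dotted quad, which on other log formats could pick up a number from the hostname). This is an added example, not code from the thread: the log lines are constructed samples in the quoted exim_mainlog format, and the repeat-offender threshold is an assumption chosen for the illustration, so a blocking script acts on IPs that hit a trap more than once rather than on a single rejection.

```shell
#!/bin/sh
# Added example: pull the bracketed sender IP from exim_mainlog lines that
# mention "spam trap", then count hits per IP so a blocking script can act
# only on repeat offenders. Sample lines below are constructed, not real log.

# Constructed sample input in exim_mainlog format (two trap hits from one IP,
# one unrelated rejection, one trap hit from another IP).
SAMPLE_LOG='2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabd@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:14:02 H=(host.example.net) [10.0.0.5] F=<someone@example.org> rejected RCPT <nobody@mydomai.com>: Unrouteable address
2004-09-10 05:14:10 H=(mail.example.com) [192.0.2.44] F=<x@example.com> rejected RCPT <aabb@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.'

# Reads log lines on stdin and prints one IP per "spam trap" line:
#  1. keep only lines containing "spam trap";
#  2. keep only the text between the first "[" and the following "]";
#  3. drop anything that is not a dotted-quad IPv4 address, so an Exim
#     "[IPv6:...]" literal or a malformed line never reaches the block list.
extract_spam_trap_ips() {
    grep 'spam trap' \
        | sed -n 's/^[^[]*\[\([^]]*\)\].*$/\1/p' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Reads log lines on stdin and prints "count ip" for every IP whose number
# of trap hits is at or above the threshold (default 2; an assumed value).
repeat_offenders() {
    threshold="${1:-2}"
    extract_spam_trap_ips | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Usage on the constructed sample; on a real server you would feed
# /var/log/exim_mainlog instead of $SAMPLE_LOG.
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
```

The per-IP count is what makes the output safe to hand to an automatic blocker: a single rejection can come from a mistyped address or a misconfigured legitimate relay, whereas the dictionary-style sender in the question hits many trap addresses from each IP and will cross any small threshold quickly.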
  4. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    210
    Likes Received:
    0
    Trophy Points:
    166