Script Help: How to only get text between "[" and "]" on lines within a log file?

Discussion in 'General Discussion' started by nat, Sep 10, 2004.

  1. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    Someone is sending e-mail to

    aaaa@mydomain.com
    aaab@mydomain.com
    aaac@mydomain.com
    ....etc
    aaba@mydomain.com
    aabb@mydomain.com
    ....and so on.....

    This is INCOMING e-mail to the server. Not outgoing.

    The person doing this is using about 200 unique IPs every day.

    It is causing a high load on the server, even when I use :blackhole:

    If I could only get the IP addresses between the [ and ] from each line that contains the phrase "spam trap" in exim_mainlog, I could do the rest of the script that will automatically block these IPs for me.


    Example:
    2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabd@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.

    2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.


    I need to be able to get the 201.135.79.196 between the [ and ] and ignore the rest. Can anyone help with a command that can do this?




    PS:

    I am already using the following RBLs:
    sbl-xbl.spamhaus.org
    bl.spamcop.net
    relays.ordb.org
    cbl.abuseat.org
    blackholes.mail-abuse.org
    spam.dnsrbl.net
    opm.blitzed.org
    brazil.blackholes.us
    malaysia.blackholes.us
    china.blackholes.us
     
  2. asmithjr

    asmithjr Well-Known Member

    Joined:
    Jun 13, 2003
    Messages:
    475
    Likes Received:
    1
    Trophy Points:
    18
    How about something like this:

    Code:
    #!/usr/local/bin/php
    <?php
    // read from stdin (could be a filter)
    // Get the IP address from the following line:
    // 2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
    
    $fd = fopen("php://stdin", "r");
    $email = "";
    while (!feof($fd)) {
        $email .= fread($fd, 1024);
    }
    fclose($fd);
    
    if (strpos($email, "RCPT") === false) { // make sure this is the line we need
        exit(1);
    }
    $S = explode("]", $email);              // get everything before the first ]
    $IP = explode("[", $S[0]);              // get everything after the [
    
    echo $IP[1];                            // echo just the IP address
    ?>
    
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The following one liner will do it:

    grep "rejected RCPT" /var/log/exim_mainlog | grep -P "\d+\.\d+\.\d+\.\d+" -o

    A better bet, though, would be to install a dictionary attack ACL (and switch to :fail: instead of :blackhole:):
    http://www.webumake.com/free/eximdeny.htm
     
    #3 chirpy, Sep 10, 2004
    Last edited: Sep 10, 2004
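Added example, not code from any poster in this thread: a small POSIX shell script that does what nat's question and chirpy's one-liner both aim at, restricted to the "spam trap" rejection lines, pulling only the IPv4 address between the first `[` and `]`, and then counting hits per address so a blocking script can act on repeat offenders rather than on a single bounce. The log lines are constructed to match the shape shown in the thread; the function names and the minimum-hit threshold are this example's own assumptions, and on a real cPanel box the input would come from `/var/log/exim_mainlog` instead of the embedded sample.

```shell
#!/bin/sh
# Added example (not from the thread): pull the bracketed sender IP out of
# exim_mainlog "spam trap" rejections and count hits per address.

# Constructed sample lines in the same layout as the thread's examples.
# In practice you would feed the real file: /var/log/exim_mainlog
SAMPLE_LOG='2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabd@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:13:40 H=(dsl-201-135-79-196.prod-infinitum.com.mx) [201.135.79.196] F=<mrebfuzbtrf@excite.it> rejected RCPT <nabe@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:14:02 H=(host.example.net) [198.51.100.7] F=<x@example.org> rejected RCPT <nabf@mydomai.com>: you have sent e-mail to a spam trap. your e-mail has been discarded.
2004-09-10 05:14:10 H=(mail.example.com) [203.0.113.9] F=<user@example.com> rejected RCPT <nobody@mydomai.com>: Unrouteable address
2004-09-10 05:14:11 1C5ZPX-0001vq-00 <= ok@example.com H=(mail.example.com) [203.0.113.10] P=esmtp S=1234'

# spam_trap_ips: read log lines on stdin, keep only "spam trap" rejections
# and print the dotted-quad that sits between the first [ and ] on each line.
# Anchoring on the first [ avoids picking digits out of the H=(hostname) part.
spam_trap_ips() {
    grep 'spam trap' \
    | sed -n 's/^[^[]*\[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)].*$/\1/p'
}

# count_ips: collapse the IP stream into "count ip" lines, most frequent
# first, dropping any address seen fewer than $1 times (default 1).
count_ips() {
    min="${1:-1}"
    sort | uniq -c | sort -rn | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# repeat_offenders N: the addresses in SAMPLE_LOG that hit a spam trap
# at least N times, ready to hand to whatever does the blocking.
repeat_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | spam_trap_ips | count_ips "$1"
}

# Usage: repeat_offenders 2   ->   2 201.135.79.196
```

The threshold is the part worth keeping: a single spam-trap hit from a legitimate forwarder or a mistyped address is cheap to tolerate, while an address that trips the trap many times a day is what was driving the load in the question. Swapping `printf '%s\n' "$SAMPLE_LOG"` for `cat /var/log/exim_mainlog` (or `tail -n 5000` of it from cron) gives the real feed.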
  4. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16