Sendmail-Log Pattern needed

Hi everyone,

Currently a few people are trying to hack into the system via SMTP (running sendmail).

A line within the Logfiles looks like this:

Aug 21 14:05:48 marcel sendmail-in[14632]: m7LC5giG014632: [125.64.24.39]: possible SMTP attack: command=AUTH, count=3

The field "m7LC5giG014632" changes all the time, as this is the message-id.

Is there a pattern for this?

Would be great

Thanks in advance.

Marcel

here it is

This pattern will likely work (not tested). Note that since sendmail does not run under TCP_WRAPPERS, you will need to use the --ipblock option to block IP traffic from the host.

Example line:
# Aug 21 14:05:48 marcel sendmail-in[14632]: m7LC5giG014632: [10.64.24.39]: possible SMTP attack: command=AUTH, count=3

Pattern used:
    "sendmailin-Attack":
        r'{LOG_PREFIX{sendmail-in}}: \S+: \[{HOST_IP}\]: possible SMTP attack: command=',
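To see what the pattern above has to match, here is an added, stand-alone example (not from this thread and not the tool's own code) that expands the template into a plain Python regex and runs it over a few constructed log lines. The expansions of LOG_PREFIX and HOST_IP are my own assumptions standing in for whatever the tool substitutes; the point is the extra `\S+: ` token between the pid and the bracketed address, which absorbs the varying message-id Marcel asked about, and the per-host counting that a blocker would do before acting.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post). Two hosts trip
# sendmail's "possible SMTP attack" check; the other lines are unrelated noise
# that the pattern must ignore. Addresses are from documentation ranges.
SAMPLE_LOG = """\
Aug 21 14:05:48 marcel sendmail-in[14632]: m7LC5giG014632: [192.0.2.10]: possible SMTP attack: command=AUTH, count=3
Aug 21 14:05:52 marcel sendmail-in[14632]: m7LC5giG014632: [192.0.2.10]: possible SMTP attack: command=AUTH, count=4
Aug 21 14:06:01 marcel sendmail-in[14701]: m7LC61Ab014701: from=<user@example.org>, size=1234, class=0, nrcpts=1
Aug 21 14:06:10 marcel sendmail-in[14720]: m7LC6Axy014720: [198.51.100.7]: possible SMTP attack: command=AUTH, count=3
Aug 21 14:06:30 marcel sshd[14800]: Accepted publickey for marcel from 203.0.113.5 port 51022 ssh2
"""

# Hypothetical expansions of the two template macros (assumption: the real
# tool substitutes its own regexes). LOG_PREFIX covers the syslog timestamp,
# hostname and "sendmail-in[pid]"; HOST_IP captures a dotted IPv4 address.
LOG_PREFIX = r'^\S+ +\d+ +\d\d:\d\d:\d\d \S+ sendmail-in\[\d+\]'
HOST_IP = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

# The expanded pattern. "\S+: " swallows the per-connection message-id
# (e.g. m7LC5giG014632) that sits between the pid and the client address.
SMTP_ATTACK_RE = re.compile(
    LOG_PREFIX
    + r': \S+: \['
    + HOST_IP
    + r'\]: possible SMTP attack: command=(?P<cmd>\w+), count=(?P<count>\d+)'
)


def parse_attacks(log_text):
    """Yield (ip, command, count) for every line matching the attack pattern."""
    for line in log_text.splitlines():
        m = SMTP_ATTACK_RE.search(line)
        if m:
            yield m.group('ip'), m.group('cmd'), int(m.group('count'))


def hosts_over_threshold(log_text, threshold=2):
    """Count matching lines per source IP; return the IPs at or above threshold.

    This mirrors what a log-watching blocker does before deciding to act on a
    host, so a single noisy line does not trigger a block on its own.
    """
    hits = Counter(ip for ip, _cmd, _count in parse_attacks(log_text))
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == '__main__':
    for ip, cmd, count in parse_attacks(SAMPLE_LOG):
        print(f'{ip}: command={cmd} count={count}')
    print('over threshold:', hosts_over_threshold(SAMPLE_LOG, threshold=2))
```

Dropping the `\S+: ` token makes the expanded regex miss every attack line in the sample, because the message-id is always present in this sendmail format; that is the detail to check first if the rule never fires.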