Searching Dovecot Regex

Hello everybody,

Currently I am getting slammed with POP3 requests via Dovecot.

The lines look like this:

May 12 00:16:36 pop10 dovecot: pop3-login: Disconnected: user=, method=PLAIN, rip=118.129.167.99, lip=188.40.105.124

The IP behind rip is the IP which should get banned.

Is there anyone with an idea how to set up the regexp?

Thanks in advance.

Marcel

Use ENABLE_RULES

Dovecot pattern is already defined in the blockhosts.cfg - as long as you see the existing patterns ("Aborted login...") in your log file, the built-in pattern can be used.

It does have to be enabled though - see the ENABLE_RULES line in the .cfg file, or the --enable-rules command line option, using: blockhosts.py --help

Rules are enabled

Hi ac,

As you can see, I am not talking about "Aborted login" but talking about "dovecot: pop3-login: Disconnected: user=, method=PLAIN, rip=118.129.167.99, lip=188.40.105.124"

These entries from this IP are bombed right into my mail.log.

Any ideas?

Thanks

Marcel

only that line?

So, there is only the disconnected line, and no Aborted message? Sounds strange, but I don't use dovecot, so not sure. In any case, that pattern looks very much like the existing patterns, so just a simple edit might work - not tested:

    "dovecot-LoginFailRipDisconnect":
        r'{LOG_PREFIX{dovecot}} pop3-login: Disconnected: .* rip={HOST_IP}',
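
An offline check of the rule suggested above against the log line from the first post, added here as an example and not part of the thread or of BlockHosts itself. The expansions used for `{LOG_PREFIX{dovecot}}` and `{HOST_IP}` are assumed stand-ins for BlockHosts' own definitions, and the function names are hypothetical.

```python
import re
from collections import Counter

# Rule text exactly as posted in the thread.
RULE = r'{LOG_PREFIX{dovecot}} pop3-login: Disconnected: .* rip={HOST_IP}'

# Assumed stand-in for the {HOST_IP} placeholder (IPv4 only, not BlockHosts' own definition).
HOST_IP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def log_prefix(service):
    """Assumed stand-in for {LOG_PREFIX{service}}: syslog timestamp, host, 'service:' or 'service[pid]:'."""
    return r'^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ' + re.escape(service) + r'(?:\[\d+\])?:'


def compile_rule(rule):
    """Expand both placeholders and compile the result."""
    rule = re.sub(r'\{LOG_PREFIX\{(\w+)\}\}', lambda m: log_prefix(m.group(1)), rule)
    return re.compile(rule.replace('{HOST_IP}', HOST_IP))


def offenders(lines, threshold):
    """Return {ip: hits} for every remote IP matched at least `threshold` times."""
    pattern = compile_rule(RULE)
    hits = Counter(m.group('host') for m in map(pattern.search, lines) if m)
    return {ip: n for ip, n in hits.items() if n >= threshold}


# First line is the one quoted in the thread; the rest are constructed for this example.
SAMPLE = [
    "May 12 00:16:36 pop10 dovecot: pop3-login: Disconnected: user=, method=PLAIN, rip=118.129.167.99, lip=188.40.105.124",
    "May 12 00:16:38 pop10 dovecot: pop3-login: Disconnected: user=, method=PLAIN, rip=118.129.167.99, lip=188.40.105.124",
    "May 12 00:16:41 pop10 dovecot: pop3-login: Disconnected: user=, method=PLAIN, rip=118.129.167.99, lip=188.40.105.124",
    # Successful login: must not count against the client.
    "May 12 00:17:02 pop10 dovecot: pop3-login: Login: user=alice, method=PLAIN, rip=203.0.113.7, lip=188.40.105.124",
    # Same message from imap-login: the rule as posted only covers pop3-login.
    "May 12 00:17:05 pop10 dovecot: imap-login: Disconnected: user=, method=PLAIN, rip=198.51.100.23, lip=188.40.105.124",
]

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE, threshold=3).items():
        print(f"{ip} matched {n} times")
```

The rule captures the `rip=` address rather than `lip=`, because the literal space before `rip=` cannot match inside `, lip=`.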