JonTheWong · June 17, 2018 20:04
diff --git a/regex.custom.pm exim rfc b/regex.custom.pm exim rfc
 This is a small script to block RFC invalid HELO for EXIM based on the popular linux firewall tool called CSF

 # Exim_RFC
        if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\]:.* rejected MAIL <.*>: Access denied - Invalid HELO name \(See RFC2821 .*\)$/)) {
                        return ("EXIM RFC Hit from",$1,"EXIMRFC","1","25;tcp,465;tcp,587;tcp","3600");
                }
 # Exim_SyncIP
        if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\A\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\w{4}\s\w{8}\s\w{15}\s\w{5}\s\(\w{5}\s\w{4}\s\w{7}\s\w{7}\s\w{3}\s\w{8}\)\:\s\w{8}\s\w{10}\s\w{4}\sH\=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\S{1,255}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\S{1,4}\:\S{1,4}\:\S{1,4}\:\:\S{1,4})\]\:\d{1,5}\s\w{5}\=\".{0,514}\"$/)) {
                        return ("EXIM SYNCIP Hit from",$1,"EXIMSYNCIP","3","25;tcp,465;tcp,587;tcp","3600");
                }
 # Exim_SyncHOST
        if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\A\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\w{4}\s\w{8}\s\w{15}\s\w{5}\s\(\w{5}\s\w{4}\s\w{7}\s\w{7}\s\w{3}\s\w{8}\)\:\s\w{8}\s\w{10}\s\w{4}\sH\=.{1,}\s\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\:\d{3,5}\s\w{5}\=\".{0,514}\"$/)) {
                        return ("EXIM SYNCHOST Hit from",$1,"EXIMSYNCHOST","3","25;tcp,465;tcp,587;tcp","3600");
                }

 This code should find all matches and block ports tcp 25,465,587 for an hour (3600).
 RFC is a basic reg to block invalid RFC hists
 SyncIP & SyncHost are made to block: SMTP protocol synchronization error (input sent without waiting for greeting)

 Here are the logs that and regex links;

 http://rubular.com/r/tyt3QlY3Mi
 http://rubular.com/r/c6ZmlxRMuP

 Original forum posts are here
 http://forum.configserver.com/viewtopic.php?f=6&t=7151&p=25450#p25450


 Updated

 June 17th - Added IP/Host Sync blocking
	This is a small script to block RFC invalid HELO for EXIM based on the popular linux firewall tool called CSF

	# Exim_RFC
	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\]:.* rejected MAIL <.>: Access denied - Invalid HELO name \(See RFC2821 .\)$/)) {
	return ("EXIM RFC Hit from",$1,"EXIMRFC","1","25;tcp,465;tcp,587;tcp","3600");
	}
	# Exim_SyncIP
	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\A\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\w{4}\s\w{8}\s\w{15}\s\w{5}\s\(\w{5}\s\w{4}\s\w{7}\s\w{7}\s\w{3}\s\w{8}\)\:\s\w{8}\s\w{10}\s\w{4}\sH\=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\S{1,255}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|\S{1,4}\:\S{1,4}\:\S{1,4}\:\:\S{1,4})\]\:\d{1,5}\s\w{5}\=\".{0,514}\"$/)) {
	return ("EXIM SYNCIP Hit from",$1,"EXIMSYNCIP","3","25;tcp,465;tcp,587;tcp","3600");
	}
	# Exim_SyncHOST
	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\A\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\w{4}\s\w{8}\s\w{15}\s\w{5}\s\(\w{5}\s\w{4}\s\w{7}\s\w{7}\s\w{3}\s\w{8}\)\:\s\w{8}\s\w{10}\s\w{4}\sH\=.{1,}\s\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\:\d{3,5}\s\w{5}\=\".{0,514}\"$/)) {
	return ("EXIM SYNCHOST Hit from",$1,"EXIMSYNCHOST","3","25;tcp,465;tcp,587;tcp","3600");
	}

	This code should find all matches and block ports tcp 25,465,587 for an hour (3600).
	RFC is a basic reg to block invalid RFC hists
	SyncIP & SyncHost are made to block: SMTP protocol synchronization error (input sent without waiting for greeting)

	Here are the logs that and regex links;

	http://rubular.com/r/tyt3QlY3Mi
	http://rubular.com/r/c6ZmlxRMuP

	Original forum posts are here
	http://forum.configserver.com/viewtopic.php?f=6&t=7151&p=25450#p25450


	Updated

	June 17th - Added IP/Host Sync blocking