>Len: do you share your subscriber_networks.regexp as part of basic or
>advanced?
I posted it here. I'll post it again. I don't think I put in the basic set,
yet.
I did add to the basic the 4tuple and the helo_hostames.regexp
>Hate to spend all this time building mine if you share yours openly.
I need to merge the two big sites where I have it running, then I'll post
it here again. It's about 350 lines. :))
In the meantime, you can add this at the bottom of whatever you have now,
which is what I use to try to catch the escapees:
/(.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}.*\..*\..*$)/ 554 ACL mta_clients_subscriber_joker The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = $1

/(.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*\..*\..*$)/ 554 ACL mta_clients_subscriber_joker The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = $1

/(.*[0-9]{2,3}\-[0-9]{2,3}.*)/ 554 ACL mta_clients_subscriber_joker2 The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = $1

These lines exemplify the use of "," in the custom text to get pflogsumm
to treat the fixed, pre-comma part as one reporting category, and ignore
the variable, post-comma part.
And if we all periodically egrep out the PTR hostnames from 4tuple lines for
the previous 10 days, we can discover new subscriber nets that leak and patch
the .regexp file.
Len
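
Added example, not part of Len's post: a dry run of the three catch-all patterns over constructed PTR names, first match wins, with the reject texts grouped on the part before the comma and the hits tallied by parent domain. Python's re module stands in for the Postfix regexp matcher, and the SAMPLE names and the helper names are assumptions made for illustration.

```python
import re
from collections import Counter

# The three catch-all patterns from the post, in table order. Python's re stands
# in for Postfix's regexp matcher (an assumption); first match wins, unanchored.
RULES = [
    ("mta_clients_subscriber_joker",
     r"(.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}.*\..*\..*$)"),
    ("mta_clients_subscriber_joker",
     r"(.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*\..*\..*$)"),
    ("mta_clients_subscriber_joker2", r"(.*[0-9]{2,3}\-[0-9]{2,3}.*)"),
]
TEXT = ("554 ACL {acl} The IP address of your sending machine is on a "
        "proscribed subscriber access network. Send from a non-subscriber "
        "network, PTR = {ptr}")

# Constructed PTR names (documentation address ranges and example domains).
SAMPLE = ["host-192-0-2-17.dyn.example.net", "192.0.2.44.pool.example.org",
          "c-198-51-100-7.example.net", "adsl-203-113.example.com",
          "mail-12-34.example.com", "mx1.example.com"]

def lookup(ptr):
    """Return the reject text of the first matching rule, or None."""
    for acl, pattern in RULES:
        m = re.search(pattern, ptr, re.IGNORECASE)
        if m:
            return TEXT.format(acl=acl, ptr=m.group(1))
    return None

def category(reject_text):
    """Fixed pre-comma part, the reporting category described in the post."""
    return reject_text.split(",", 1)[0]

def summarize(ptrs):
    """Count hits per category and per parent domain; list names that pass."""
    cats, domains, unmatched = Counter(), Counter(), []
    for ptr in ptrs:
        text = lookup(ptr)
        if text is None:
            unmatched.append(ptr)
            continue
        cats[category(text)] += 1
        domains[".".join(ptr.split(".")[-2:])] += 1
    return cats, domains, unmatched

if __name__ == "__main__":
    for part in summarize(SAMPLE):
        print(part)
```

The constructed name mail-12-34.example.com is caught by the joker2 pattern, so it is worth running the PTR names of your known legitimate senders through the same check before appending these lines.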