On Wed, Jun 28, 2006 at 07:23:49AM +1200, Steve Holdoway wrote:
> Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 
> 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue 
> MAIL/EXPN/VRFY/ETRN during connection to MTA
> 
> I added the following line to /etc/logcheck/ignore.d.server/sendmail:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: 
> [[:alnum:]]+:.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$

Your regexp looks fine. Try using egrep to run that pattern over the
original log file and confirm that it matches; if it does then you have
uncovered a class of match that logcheck is overriding - a common place
for that to occur is in the attack definitions.

-jim
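The check suggested in this reply, as an added example that is not part of the original thread: it runs the quoted rule over the quoted log line with `grep -E`, then lists any rule in a higher-priority directory that also matches. The helper names are hypothetical, and `/etc/logcheck/cracking.d` and `/etc/logcheck/violations.d` are assumed to be where the install keeps those definitions.

```shell
#!/bin/sh
# Log line and ignore rule from the message above, re-joined onto single lines.
LOG_LINE='Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA'
IGNORE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+:.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$'

# rule_matches RULE LINE (hypothetical helper): succeed if the extended
# regex RULE matches LINE. \w needs a grep that supports it (GNU grep does).
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# find_overrides LINE DIR... (hypothetical helper): print "file:rule" for
# every rule in the given directories that matches LINE. Blank lines and
# lines starting with '#' are skipped; missing directories are ignored.
find_overrides() {
    line=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for file in "$dir"/*; do
            [ -f "$file" ] || continue
            while IFS= read -r rule || [ -n "$rule" ]; do
                case $rule in ''|'#'*) continue ;; esac
                if rule_matches "$rule" "$line"; then
                    printf '%s:%s\n' "$file" "$rule"
                fi
            done < "$file"
        done
    done
}

# Step 1: does the ignore rule match the line at all?
if rule_matches "$IGNORE_RULE" "$LOG_LINE"; then
    echo "ignore rule matches the sample line"
else
    echo "ignore rule does NOT match the sample line"
fi

# Step 2: which higher-priority rules also match it? (assumed directories)
find_overrides "$LOG_LINE" /etc/logcheck/cracking.d /etc/logcheck/violations.d
```

Any `file:rule` pair printed by the second step identifies a definition that takes precedence over the entry in `ignore.d.server`.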
