> have you set 'MSGIDpreTag' and 'MSGIDSec' ?
>
> Both have to be set! The default value is NOT valid for 'MSGIDSec'!

good point; also, if the customer is also *sending* out emails through ASSP, it may be a good idea to enable the outbound rate limiter, that is, setting appropriate values for LocalFrequencyInt/LocalFrequencyNumRcpt (and possibly for NoLocalFrequency *or* LocalFrequencyOnly, not both); in my experience the limiter greatly helps in finding sudden "outbound email flurries", which are often caused by compromised boxes (or by regular users thinking that mass-mailing is cool :P)

For starters, you may try setting up the following

    LocalFrequencyInt := 1800
    LocalFrequencyNumRcpt := 120

then populate EITHER the NoLocalFrequency or LocalFrequencyOnly with something like

    file:files/nolocalfreq.txt

or

    file:files/localfreq.txt

and edit the file, populating it with the desired recipients; I use the first one and populated the file with addresses belonging to mailing lists or newsletters, but if you prefer you may use the second one and just insert into it the sender addresses which you want to "monitor"; in either case, you'll then get back an alert in case someone sends out more than 120 messages in 1800 seconds (you may fine-tune those values, but they are usually a good starting point)

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
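
The thresholding idea from the message above, as an added example that is not part of the original post and is not ASSP's code: a per-sender sliding-window recipient counter using the 1800 s / 120 recipient values. The event tuple format, the sample addresses, the function names and the treatment of both lists as sender addresses are assumptions made for illustration; ASSP's own counting may differ.

```python
from collections import defaultdict, deque

LOCAL_FREQUENCY_INT = 1800       # window length in seconds (value from the post)
LOCAL_FREQUENCY_NUM_RCPT = 120   # recipients allowed per sender inside one window

def find_flurries(events, exempt=frozenset(), only=frozenset(),
                  interval=LOCAL_FREQUENCY_INT, limit=LOCAL_FREQUENCY_NUM_RCPT):
    """Return {sender: (timestamp, count)} for the first moment each sender
    exceeds `limit` recipients within any `interval`-second window.

    events: iterable of (unix_timestamp, sender, recipient_count), time-ordered.
    exempt: senders never checked (the NoLocalFrequency idea, assumed semantics).
    only:   if non-empty, the only senders checked (the LocalFrequencyOnly idea).
    """
    if exempt and only:
        raise ValueError("use an exempt list or an only list, not both")
    windows = defaultdict(deque)   # sender -> deque of (timestamp, rcpt_count)
    totals = defaultdict(int)      # sender -> recipients currently in the window
    alerts = {}
    for ts, sender, rcpts in events:
        sender = sender.lower()
        if sender in exempt or (only and sender not in only):
            continue
        win = windows[sender]
        win.append((ts, rcpts))
        totals[sender] += rcpts
        # Drop entries that have aged out of the sliding window.
        while win and win[0][0] <= ts - interval:
            totals[sender] -= win.popleft()[1]
        if totals[sender] > limit and sender not in alerts:
            alerts[sender] = (ts, totals[sender])
    return alerts

def sample_events():
    """Constructed sample data: one steady user, one burst, one newsletter."""
    events = []
    # alice: 1 recipient every 60 s for 2 hours, never more than 30 per window
    events += [(t, "alice@example.test", 1) for t in range(0, 7200, 60)]
    # bob: 5 recipients every 10 s starting at t=3600, crosses 120 quickly
    events += [(3600 + 10 * i, "bob@example.test", 5) for i in range(40)]
    # newsletter: one message to 500 recipients, a candidate for exemption
    events.append((4000, "news@example.test", 500))
    return sorted(events)

if __name__ == "__main__":
    print(find_flurries(sample_events(), exempt={"news@example.test"}))
```

With the newsletter sender exempted, only the burst sender is reported; without the exemption the legitimate bulk sender trips the limit as well, which is the noise the exemption file is meant to remove.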