Hi Jorge,

Great rule! Do you have some log samples for them? I'm just wondering if the error id for them is "554". I also get a lot of these messages:

"554 Service unavailable; Client host [a.b.c.d] blocked using sbl-xbl.spamhaus.org;"

And we could reuse them if the error ID is the same...

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

On 6/12/06, Jorge Augusto Senger <[EMAIL PROTECTED]> wrote:
>
> A postfix rule that I use on my ossec.
> This is very useful for mail servers using black-lists for anti-spam.
>
> postfix_rules.xml
>
> ------------------------------------------------------------------------
>
> <rule id="6010" level="5">
>   <if_sid>6000</if_sid>
>   <regex>blocked using cbl.abuseat.org</regex>
>   <description>Blocked using cbl </description>
> </rule>
> <rule id="6011" level="5">
>   <if_sid>6000</if_sid>
>   <regex>blocked using bl.spamcop.net</regex>
>   <description>Blocked using spamcop </description>
> </rule>
> <rule id="6061" level="10" frequency="$POSTFIX_FREQ" timeframe="45">
>   <if_matched_sid>6011</if_matched_sid>
>   <same_source_ip />
>   <description>IP address black-listed (spamcop).</description>
> </rule>
>
> ------------------------------------------------------------------------
>
>
> Jorge
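
An offline way to check the question raised in this thread against your own mail log, added here as an example (not code from either poster or from OSSEC): it pulls the SMTP reply code and DNSBL zone out of each Postfix reject line and finds source IPs that repeat within the 45-second timeframe used by rule 6061. The log lines, the year, the threshold values and all function names are constructed for illustration, and the sliding-window count only approximates OSSEC's own frequency handling.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the usual Postfix smtpd reject layout (not taken from the thread).
SAMPLE_LOG = """\
Jun 12 10:00:00 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 Service unavailable; Client host [203.0.113.5] blocked using bl.spamcop.net; from=<a@example.org> to=<u@example.com>
Jun 12 10:00:01 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<b@example.org> to=<u@example.com>
Jun 12 10:00:05 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using cbl.abuseat.org; from=<c@example.org> to=<u@example.com>
Jun 12 10:00:10 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<b@example.org> to=<v@example.com>
Jun 12 10:00:20 mx postfix/smtpd[2104]: connect from unknown[192.0.2.10]
Jun 12 10:00:30 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<b@example.org> to=<w@example.com>
Jun 12 10:01:00 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 Service unavailable; Client host [198.51.100.9] blocked using sbl-xbl.spamhaus.org; from=<d@example.org> to=<u@example.com>
Jun 12 10:02:00 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 Service unavailable; Client host [203.0.113.5] blocked using bl.spamcop.net; from=<a@example.org> to=<u@example.com>
"""

REJECT = re.compile(r"reject: \w+ from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
                    r"(?P<code>\d{3}) .*?blocked using (?P<zone>[\w.-]+);")

def parse_rejects(log, year=2006):
    """Return (timestamp, ip, reply_code, dnsbl_zone) per DNSBL reject line."""
    events = []
    for line in log.splitlines():
        m = REJECT.search(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["code"], m["zone"]))
    return events

def codes_by_zone(events):
    """Which SMTP reply codes each blacklist zone was logged with."""
    seen = defaultdict(set)
    for _ts, _ip, code, zone in events:
        seen[zone].add(code)
    return dict(seen)

def repeat_offenders(events, zone, threshold, window=45):
    """IPs rejected via `zone` at least `threshold` times within `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _code, z in events:
        if z == zone:
            by_ip[ip].append(ts)
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                hits.add(ip)
                break
    return hits
```

If `codes_by_zone` returns a single shared code for every zone in your own log, one parent rule keyed on that code can cover all the blacklists; if the sets differ, the per-zone regex rules are still needed.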
