Daniel, The error id of this rules, for me, is 550.
Here are some logs: postfix/smtpd[3881]: NOQUEUE: reject: RCPT from gwfm-2-124.802.cz[213.194.250.124]: 550 Service unavailable; Client host [213.194.250.124] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?213.194.250.124; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<pc-8kdj3ks8ni40.802.cz> postfix/smtpd[3881]: NOQUEUE: reject: RCPT from gwfm-2-124.802.cz[213.194.250.124]: 550 Service unavailable; Client host [213.194.250.124] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?213.194.250.124; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<pc-8kdj3ks8ni40.802.cz> postfix/smtpd[3994]: NOQUEUE: reject: RCPT from 201-41-125-39.gnace703.dsl.brasiltelecom.net.br[201.41.125.39]: 550 Service unavailable; Client host [201.41.125.39] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?201.41.125.39; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<n?is_?_macho> postfix/smtpd[3994]: NOQUEUE: reject: RCPT from 201-41-125-39.gnace703.dsl.brasiltelecom.net.br[201.41.125.39]: 550 Service unavailable; Client host [201.41.125.39] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?201.41.125.39; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<n?is_?_macho> Jorge Daniel Cid wrote: >Hi Jorge, > >Great rule! Do you have some log samples for them? I'm just wondering >if the error id for them is "554". I also get a lot of these messages: > >"554 Service unavailable; Client host [a.b.c.d] blocked using >sbl-xbl.spamhaus.org;" > >And we could reuse them if the error ID is the same... > >Thanks, > >-- >Daniel B. Cid >dcid @ ( at ) ossec.net > >On 6/12/06, Jorge Augusto Senger <[EMAIL PROTECTED]> wrote: > > >>A postfix rule that I use on my ossec. >>This is very useful for mail servers using black-lists for anti-spam. >> >>postfix_rules.xml >> >>------------------------------------------------------------------------ >> >> <rule id="6010" level="5"> >> <if_sid>6000</if_sid> >> <regex>blocked using cbl.abuseat.org</regex> >> <description>Blocked using cbl </description> >> </rule> >> <rule id="6011" level="5"> >> <if_sid>6000</if_sid> >> <regex>blocked using bl.spamcop.net</regex> >> <description>Blocked using spamcop </description> >> </rule> >> <rule id="6061" level="10" frequency="$POSTFIX_FREQ" timeframe="45"> >> <if_matched_sid>6011</if_matched_sid> >> <same_source_ip /> >> <description>IP address black-listed (spamcop).</description> >> </rule> >> >>------------------------------------------------------------------------ >> >> >>Jorge >> >> >> > >> > > --~--~---------~--~----~------------~-------~--~----~ -~----------~----~----~----~------~----~------~--~---
