Nice, thanks.

As a gift, here are the decoder and the rule for "pre-greeting logs":

--
Oct 11 16:26:20 shax sm-mta[23868]: k9BEQK0c023868: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic
--

<!-- Case 1: a token (normally the resolved host name) precedes the
     bracketed address: "from host.example [1.2.3.4] due to ...".
     It also matches the sample line above, where sendmail printed
     the bracketed address twice and \S+ swallows the first copy. -->
<decoder name="sendmail-reject-greeting-dns">
  <parent>sendmail-reject</parent>
  <prematch offset="after_parent">from \S+ [</prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)] due to pre-greeting traffic</regex>
  <order>srcip</order>
</decoder>

<!-- Case 2: the bracketed address directly follows "from":
     "from [1.2.3.4] due to ...". -->
<decoder name="sendmail-reject-greeting-nodns">
  <parent>sendmail-reject</parent>
  <prematch offset="after_parent">from [</prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)] due to pre-greeting traffic</regex>
  <order>srcip</order>
</decoder>

 <!-- One pre-greeting reject: fires on every matching sendmail line. -->
 <rule id="103108" level="7">
   <if_sid>3100</if_sid>
   <regex>due to pre-greeting traffic</regex>
   <description>Anti-flood warning</description>
 </rule>

 <!-- Same source IP rejected 6 times within 120 seconds. -->
 <rule id="103158" level="10" frequency="6" timeframe="120">
   <if_matched_sid>103108</if_matched_sid>
   <same_source_ip />
   <description>Multiple pre-greeting rejects - hammering?</description>
 </rule>

PS: I'm not completely sure about the decoder part, but it looks like it's working.
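The decoder and the two rules above, replayed in plain Python as an added example (this is not OSSEC code and not part of the original post). It extracts the source address from both shapes of the sendmail line (host name present, or the bracketed address repeated), then applies a sliding-window count per source IP in the spirit of rule 103158. The window logic is my own approximation of OSSEC's frequency/timeframe counting, not a copy of it; all log lines except the first are constructed, and the addresses and host names in them are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input. The first line is the one quoted in the post; the
# others are invented to show the host-name form, a non-matching sendmail line,
# and a burst from one address that should trip the frequency rule.
SAMPLE_LOGS = [
    "Oct 11 16:26:20 shax sm-mta[23868]: k9BEQK0c023868: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic",
    "Oct 11 16:26:22 shax sm-mta[23869]: k9BEQM0e023869: from=<a@example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [192.0.2.10]",
    "Oct 11 16:26:25 shax sm-mta[23870]: k9BEQP0d023870: rejecting commands from mail.example.net [203.0.113.7] due to pre-greeting traffic",
    "Oct 11 16:26:31 shax sm-mta[23871]: k9BEQV0f023871: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic",
    "Oct 11 16:26:40 shax sm-mta[23872]: k9BEQe0g023872: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic",
    "Oct 11 16:26:52 shax sm-mta[23873]: k9BEQq0h023873: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic",
    "Oct 11 16:27:05 shax sm-mta[23874]: k9BER50i023874: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic",
    "Oct 11 16:27:11 shax sm-mta[23875]: k9BERB0j023875: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic",
    "Oct 11 16:40:00 shax sm-mta[23990]: k9BEe00k023990: rejecting commands from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic",
]

# Equivalent of the two decoders: one pattern covering both the
# "from name [ip]" and the "from [ip] [ip]" shapes of the sendmail message.
PREGREET_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>sendmail|sm-mta)\[\d+\]: "
    r"(?P<qid>\S+): rejecting commands from "
    r"(?:(?P<name>[^\s\[]\S*) )?"            # resolved host name, if any
    r"\[(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?: \[(?P=srcip)\])?"                  # sendmail repeats the address when unresolved
    r" due to pre-greeting traffic$"
)


def decode(line):
    """Return a decoded event (level 7, like rule 103108) or None if the line
    is not a pre-greeting reject. Syslog timestamps carry no year, so the
    parsed datetime is only meaningful for differences between events."""
    m = PREGREET_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "srcip": m.group("srcip"),
        "name": m.group("name"),
        "qid": m.group("qid"),
        "level": 7,
    }


def correlate(events, frequency=6, timeframe=120):
    """Approximation of rule 103158 (assumption: OSSEC's exact counting may
    differ). Keep a per-source window of event times; when `frequency`
    events fall inside `timeframe` seconds, raise one level-10 alert and
    reset that source's window so a single burst produces a single alert.
    Events are expected in chronological order."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        q = recent[ev["srcip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency:
            alerts.append({"ts": ev["ts"], "srcip": ev["srcip"],
                           "count": len(q), "level": 10})
            q.clear()
    return alerts


def analyse(lines):
    """Decode every line, then run the frequency rule over the decoded events."""
    events = [ev for ev in map(decode, lines) if ev]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = analyse(SAMPLE_LOGS)
    for ev in events:
        print(f"level {ev['level']:2d} {ev['ts']:%b %d %H:%M:%S} "
              f"srcip={ev['srcip']} name={ev['name']}")
    for a in alerts:
        print(f"level {a['level']:2d} {a['ts']:%b %d %H:%M:%S} "
              f"srcip={a['srcip']} hits={a['count']} in {120}s window")
```

Run it and the burst from 200.121.73.169 raises the level-10 alert on its sixth reject (16:27:11), while the single reject from mail.example.net and the isolated one at 16:40:00 only produce level-7 events. The `(?: \[(?P=srcip)\])?` group is what makes the posted sample line decode cleanly: without it, the second bracketed address would be left over and the line would not match.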