I noticed OSSEC has some basic sendmail rules installed. I was wondering if anyone has gone beyond this basic functionality to create an active response to detect and block spam attacks, and if so, whether there is any good repository of info.
For example, you can configure sendmail to log the subject of messages to syslog. Armed with that info together with the srcip, OSSEC should be able to detect zombie spam attacks by matching the subject against a wide range of IPs and multiple "user unknown" errors in a given time span. Then an active response can be set up to blacklist those IPs for a given time period.

I have read about a few people trying to incorporate qmail logs into OSSEC. Qmail logs are like the worst-written logs in the world, IMHO. You typically need a third-party app like qmhandle to get any decent info from qmail logs. It would be nice for OSSEC to incorporate qmail log analysis in future versions for active response purposes.
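The correlation the post sketches (same subject from many source IPs, plus several "User unknown" rejections, inside one time window, then blacklist the senders), as an added example that is not part of the original post and not OSSEC's or sendmail's own code. It is a small Python correlator run over constructed log lines. Assumptions: the lines use a simplified sendmail/syslog shape, the `subject="..."` field on the envelope line is assumed to come from a custom sendmail logging setup (sendmail does not log subjects by default), the IPs are documentation ranges, and the thresholds (`window`, `min_ips`, `min_unknown`) are arbitrary values chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real sendmail output. The envelope line carries a
# subject="..." field that only exists if sendmail has been configured to log it
# (assumption, see lead-in). Queue ids, hosts and IPs are made up.
SAMPLE_LOG = """\
Jan 10 12:00:01 mail sendmail[4101]: q0AC0011: from=<a@spam.example>, relay=[192.0.2.11], subject="Cheap meds now"
Jan 10 12:00:01 mail sendmail[4101]: q0AC0011: <nouser1@example.org>... User unknown
Jan 10 12:00:02 mail sendmail[4102]: q0AC0012: from=<b@spam.example>, relay=[192.0.2.12], subject="Cheap meds now"
Jan 10 12:00:02 mail sendmail[4102]: q0AC0012: <nouser2@example.org>... User unknown
Jan 10 12:00:03 mail sendmail[4103]: q0AC0013: from=<c@spam.example>, relay=[192.0.2.13], subject="Cheap meds now"
Jan 10 12:00:03 mail sendmail[4103]: q0AC0013: <nouser3@example.org>... User unknown
Jan 10 12:00:05 mail sendmail[4104]: q0AC0014: from=<a@spam.example>, relay=[192.0.2.11], subject="Cheap meds now"
Jan 10 12:00:05 mail sendmail[4104]: q0AC0014: <nouser4@example.org>... User unknown
Jan 10 12:00:09 mail sendmail[4105]: q0AC0015: from=<d@spam.example>, relay=[192.0.2.14], subject="Cheap meds now"
Jan 10 12:00:09 mail sendmail[4105]: q0AC0015: <alice@example.org>, delay=00:00:00, dsn=2.0.0, stat=Sent
Jan 10 12:00:20 mail sendmail[4106]: q0AC0016: from=<bob@partner.example>, relay=[198.51.100.7], subject="Re: invoice"
Jan 10 12:00:20 mail sendmail[4106]: q0AC0016: <typo@example.org>... User unknown
Jan 10 12:00:21 mail sendmail[4107]: q0AC0017: from=<bob@partner.example>, relay=[198.51.100.7], subject="Re: invoice"
Jan 10 12:00:21 mail sendmail[4107]: q0AC0017: <carol@example.org>, delay=00:00:00, dsn=2.0.0, stat=Sent
Jan 10 12:05:30 mail sendmail[4108]: q0AC0018: from=<e@spam.example>, relay=[192.0.2.99], subject="Cheap meds now"
Jan 10 12:05:30 mail sendmail[4108]: q0AC0018: <nouser5@example.org>... User unknown
"""

# Common syslog prefix: timestamp, host, "sendmail[pid]:", then the queue id.
SYSLOG_PREFIX = (r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
                 r'sendmail\[\d+\]: (?P<qid>\w+): ')
ENVELOPE_RE = re.compile(SYSLOG_PREFIX +
                         r'from=<[^>]*>, relay=\[(?P<ip>[\d.]+)\], subject="(?P<subject>[^"]*)"')
USER_UNKNOWN_RE = re.compile(SYSLOG_PREFIX + r'<[^>]*>\.\.\. User unknown')


def parse_ts(ts):
    # Syslog timestamps carry no year; strptime's default year is fine for
    # the intra-day deltas computed below.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_log(text):
    """Correlate envelope and rejection lines by sendmail queue id.

    Returns one dict per message (ts, ip, subject, unknown) sorted by time.
    """
    messages = {}
    for line in text.splitlines():
        m = ENVELOPE_RE.match(line)
        if m:
            messages[m["qid"]] = {"ts": parse_ts(m["ts"]), "ip": m["ip"],
                                  "subject": m["subject"], "unknown": 0}
            continue
        m = USER_UNKNOWN_RE.match(line)
        if m and m["qid"] in messages:
            messages[m["qid"]]["unknown"] += 1
    return sorted(messages.values(), key=lambda e: e["ts"])


def detect_zombie_spam(text, window=60, min_ips=3, min_unknown=2):
    """Return the sorted list of source IPs to blacklist.

    A subject is treated as a zombie campaign when, looking back `window`
    seconds from any message, it has arrived from at least `min_ips` distinct
    IPs and those messages drew at least `min_unknown` "User unknown"
    rejections in total. Every IP that sent the subject inside a qualifying
    window is returned. A lone sender with one mistyped recipient never
    clears min_ips, so it is not blocked.
    """
    by_subject = defaultdict(list)
    for e in parse_log(text):
        by_subject[e["subject"]].append(e)

    to_block = set()
    for events in by_subject.values():
        for i, cur in enumerate(events):
            recent = [e for e in events[:i + 1]
                      if (cur["ts"] - e["ts"]).total_seconds() <= window]
            ips = {e["ip"] for e in recent}
            unknown = sum(e["unknown"] for e in recent)
            if len(ips) >= min_ips and unknown >= min_unknown:
                to_block.update(ips)
    return sorted(to_block)


if __name__ == "__main__":
    print(detect_zombie_spam(SAMPLE_LOG))
```

With the defaults the four zombies that sent "Cheap meds now" within the first ten seconds are returned; the 198.51.100.7 sender, who merely mistyped one recipient, is not; and 192.0.2.99, which sent the same subject five minutes later, is only picked up when `window` is widened to cover it. In OSSEC itself this logic would live in a composite rule using its `frequency`/`timeframe` attributes feeding the stock `firewall-drop` active response; the script only shows the correlation, not that rule syntax.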