[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: Postfix rule

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Postfix rule
From: Jorge Augusto Senger <jorge@xxxxxxxxxxx>
Date: Wed, 14 Jun 2006 08:46:41 -0300

Daniel,

The error id of this rules, for me, is 550.

Here are some logs:

postfix/smtpd[3881]: NOQUEUE: reject: RCPT from gwfm-2-124.802.cz[213.194.250.124]: 550 Service unavailable; Client host [213.194.250.124] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?213.194.250.124; from=<gjxruva@xxxxxxxxxxxxxxxxxxxxxx> to=<mgoedmakers@xxxxxxxxxxx> proto=SMTP helo=<pc-8kdj3ks8ni40.802.cz>
postfix/smtpd[3881]: NOQUEUE: reject: RCPT from gwfm-2-124.802.cz[213.194.250.124]: 550 Service unavailable; Client host [213.194.250.124] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?213.194.250.124; from=<gjxruva@xxxxxxxxxxxxxxxxxxxxxx> to=<mgoef@xxxxxxxxxxx> proto=SMTP helo=<pc-8kdj3ks8ni40.802.cz>


postfix/smtpd[3994]: NOQUEUE: reject: RCPT from 201-41-125-39.gnace703.dsl.brasiltelecom.net.br[201.41.125.39]: 550 Service unavailable; Client host [201.41.125.39] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?201.41.125.39; from=<rxbb_gxlj_a_e_r@xxxxxxxxxxx> to=<lrocha@xxxxxxxxxxx> proto=SMTP helo=<n?is_?_macho>
postfix/smtpd[3994]: NOQUEUE: reject: RCPT from 201-41-125-39.gnace703.dsl.brasiltelecom.net.br[201.41.125.39]: 550 Service unavailable; Client host [201.41.125.39] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?201.41.125.39; from=<rxbb_gxlj_a_e_r@xxxxxxxxxxx> to=<lcaldas@xxxxxxxxxxx> proto=SMTP helo=<n?is_?_macho>


Jorge

Daniel Cid wrote:

>Hi Jorge,
>
>Great rule! Do you have some log samples for them? I'm just wondering
>if the error id for them is "554". I also get a lot of these messages:
>
>"554 Service unavailable; Client host [a.b.c.d] blocked using
>sbl-xbl.spamhaus.org;"
>
>And we could reuse them if the error ID is the same...
>
>Thanks,
>
>--
>Daniel B. Cid
>dcid @ ( at ) ossec.net
>
>On 6/12/06, Jorge Augusto Senger <jorge@xxxxxxxxxxx> wrote:
>  
>
>>A postfix rule that I use on my ossec.
>>This is very useful for mail servers using black-lists for anti-spam.
>>
>>postfix_rules.xml
>>
>>------------------------------------------------------------------------
>>
>>  <rule id="6010" level="5">
>>    <if_sid>6000</if_sid>
>>    <regex>blocked using cbl.abuseat.org</regex>
>>    <description>Blocked using cbl </description>
>>  </rule>
>>  <rule id="6011" level="5">
>>    <if_sid>6000</if_sid>
>>    <regex>blocked using bl.spamcop.net</regex>
>>    <description>Blocked using spamcop </description>
>>  </rule>
>>  <rule id="6061" level="10" frequency="$POSTFIX_FREQ" timeframe="45">
>>    <if_matched_sid>6011</if_matched_sid>
>>    <same_source_ip />
>>    <description>IP address black-listed (spamcop).</description>
>>  </rule>
>>
>>------------------------------------------------------------------------
>>
>>
>>Jorge
>>
>>    
>>
>
>>
>  
>

--~--~---------~--~----~------------~-------~--~----~
-~----------~----~----~----~------~----~------~--~---

References:
- [ossec-list] Example of bad matches...
  - From: Kayvan A. Sylvan
- [ossec-list] Postfix rule
  - From: Jorge Augusto Senger
- [ossec-list] Re: Postfix rule
  - From: Daniel Cid

Prev by Date: [ossec-list] Re: Is Active Response on "client" machine possible?
Next by Date: [ossec-list] Re: Is Active Response on "client" machine possible?
Previous by thread: [ossec-list] Re: Postfix rule
Next by thread: [ossec-list] Re: Example of bad matches...
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.