1 <!-- @(#) $Id: ./etc/rules/sendmail_rules.xml, 2011/09/08 dcid Exp $
2
3   -  Official sendmail rules for OSSEC.
4   -  Author: Ahmet Ozturk
5   -  Author: Daniel B. Cid
6   -  License: http://www.ossec.net/en/licensing.html
7   -->
8       
9
10 <group name="syslog,sendmail,">
11   <rule id="3100" level="0">
12     <decoded_as>sendmail-reject</decoded_as>
13     <description>Grouping of the sendmail rules.</description>
14   </rule>
15
16   <rule id="3101" level="0" noalert="1">
17     <if_sid>3100</if_sid>
18     <match>reject=</match>
19     <description>Grouping of the sendmail reject rules.</description>
20   </rule>
21   
22   <rule id="3102" level="5">
23     <if_sid>3101</if_sid>
24     <match>reject=451 4.1.8 </match>
25     <description>Sender domain does not have any valid </description>
26     <description>MX record (Requested action aborted).</description>
27     <group>spam,</group>
28   </rule>
29
30   <rule id="3103" level="6">
31     <if_sid>3101</if_sid>
32     <match>reject=550 5.0.0 |reject=553 5.3.0</match>
33     <description>Rejected by access list </description>
34     <description>(55x: Requested action not taken).</description>
35     <group>spam,</group>
36   </rule>
37
38   <rule id="3104" level="6">
39     <if_sid>3101</if_sid>
40     <match>reject=550 5.7.1 </match>
41     <description>Attepmt to use mail server as relay </description>
42     <description>(550: Requested action not taken).</description>
43     <group>spam,</group>
44   </rule>
45
46   <rule id="3105" level="5">
47     <if_sid>3101</if_sid>
48     <match>reject=553 5.1.8 </match>
49     <description>Sender domain is not found </description>
50     <description> (553: Requested action not taken).</description>
51     <group>spam,</group>
52   </rule>
53
54   <rule id="3106" level="5">
55     <if_sid>3101</if_sid>
56     <match>reject=553 5.5.4 </match>
57     <description>Sender address does not have domain </description>
58     <description>(553: Requested action not taken).</description>
59     <group>spam,</group>
60   </rule>
61
62   <rule id="3107" level="4">
63     <if_sid>3101</if_sid>
64     <description>Sendmail rejected message.</description>
65   </rule>
66   
67   <rule id="3108" level="6">
68     <if_sid>3100</if_sid>
69     <match>rejecting commands from</match>
70     <description>Sendmail rejected due to pre-greeting.</description>
71     <group>spam,</group>
72   </rule>
73   
74   <rule id="3109" level="8">
75     <if_sid>3100</if_sid>
76     <match>savemail panic</match>
77     <description>Sendmail save mail panic.</description>
78     <group>system_error,</group>
79   </rule>
80   
81   <rule id="3151" level="10" frequency="6" timeframe="120">
82     <if_matched_sid>3102</if_matched_sid>
83     <same_source_ip />
84     <description>Sender domain has bogus MX record. </description>
85     <description>It should not be sending e-mail.</description>
86     <group>multiple_spam,</group>
87   </rule>
88
89   <rule id="3152" level="6" frequency="6" timeframe="120">
90     <if_matched_sid>3103</if_matched_sid>
91     <same_source_ip />
92     <description>Multiple attempts to send e-mail from a </description>
93     <description>previously rejected sender (access).</description>
94     <group>multiple_spam,</group>
95   </rule>
96
97   <rule id="3153" level="6" frequency="6" timeframe="120">
98     <if_matched_sid>3104</if_matched_sid>
99     <same_source_ip />
100     <description>Multiple relaying attempts of spam.</description>
101     <group>multiple_spam,</group>
102   </rule>
103
104   <rule id="3154" level="10" frequency="6" timeframe="120">
105     <if_matched_sid>3105</if_matched_sid>
106     <same_source_ip />
107     <description>Multiple attempts to send e-mail </description>
108     <description>from invalid/unknown sender domain.</description>
109     <group>multiple_spam,</group>
110   </rule>
111
112   <rule id="3155" level="10" frequency="6" timeframe="120">
113     <if_matched_sid>3106</if_matched_sid>
114     <same_source_ip />
115     <description>Multiple attempts to send e-mail from </description>
116     <description>invalid/unknown sender.</description>
117     <group>multiple_spam,</group>
118   </rule>
119   
120   <rule id="3156" level="10" frequency="10" timeframe="120">
121     <if_matched_sid>3107</if_matched_sid>
122     <same_source_ip />
123     <description>Multiple rejected e-mails from same source ip.</description>
124     <group>multiple_spam,</group>
125   </rule>
126
127   <rule id="3158" level="10" frequency="6" timeframe="120">
128     <if_matched_sid>3108</if_matched_sid>
129     <same_source_ip />
130     <description>Multiple pre-greetings rejects.</description>
131     <group>multiple_spam,</group>
132   </rule>
133
134
   <!-- Rules for the smf-sav sendmail milter (events from the smf-sav-reject decoder) -->
136    <rule id="3190" level="0">
137      <decoded_as>smf-sav-reject</decoded_as>
138      <description>Grouping of the smf-sav sendmail milter rules.</description>
139      <group>smf-sav,</group>
140    </rule>
141
142    <rule id="3191" level="6">
143      <if_sid>3190</if_sid>
144      <match>^sender check failed|^sender check tempfailed</match>
145      <description>SMF-SAV sendmail milter unable to verify </description>
146      <description>address (REJECTED).</description>
147      <group>smf-sav,spam,</group>
148    </rule>
149
150 </group> <!-- SYSLOG,SENDMAIL -->