--- /dev/null
+<!-- @(#) $Id: ./etc/rules/mailscanner_rules.xml, 2011/09/08 dcid Exp $
+
+ - Example of MailScanner rules for OSSEC.
+ -
+ - Copyright (C) 2009 Trend Micro Inc.
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<group name="syslog,mailscanner,">
+ <rule id="3700" level="0">
+ <decoded_as>mailscanner</decoded_as>
+ <description>Grouping of mailscanner rules.</description>
+ </rule>
+
+ <rule id="3701" level="0">
+ <if_sid>3700</if_sid>
+ <action>not</action>
+ <description>Non spam message. Ignored.</description>
+ </rule>
+
+ <rule id="3702" level="5">
+ <if_sid>3700</if_sid>
+ <action>spam</action>
+ <description>Mail Scanner spam detected.</description>
+ <group>spam,</group>
+ </rule>
+
+ <rule id="3751" level="6" frequency="6" timeframe="180">
+ <if_matched_sid>3702</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple attempts of spam.</description>
+ <group>multiple_spam,</group>
+ </rule>
+
+ <rule id="3752" level="0">
+ <if_sid>1002</if_sid>
+ <program_name>update.bad.phishing.sites</program_name>
+ <match>^Phishing bad sites list updated</match>
+ <description>ignore</description>
+ </rule>
+
+</group> <!-- SYSLOG,MAILSCANNER -->
+