1 <!-- @(#) $Id: ./etc/rules/sendmail_rules.xml, 2011/09/08 dcid Exp $
3 - Official sendmail rules for OSSEC.
5 - Author: Daniel B. Cid
6 - License: http://www.ossec.net/en/licensing.html
10 <group name="syslog,sendmail,">
<!-- Rule 3100: base rule for every event decoded as sendmail-reject.
     Level 0 means it raises no alert by itself. It has no <match>, so any event
     from that decoder satisfies it; its description marks it as a grouping rule. -->
11 <rule id="3100" level="0">
12 <decoded_as>sendmail-reject</decoded_as>
13 <description>Grouping of the sendmail rules.</description>
<!-- Rule 3101: silent grouping rule for log lines that contain the literal text
     "reject=". Level 0 together with noalert="1" keeps it from alerting.
     NOTE(review): this listing jumps from gutter line 16 to 18, so the element on
     line 17 is not shown here; confirm the parent reference against the shipped file. -->
16 <rule id="3101" level="0" noalert="1">
18 <match>reject=</match>
19 <description>Grouping of the sendmail reject rules.</description>
<!-- Rule 3102 (level 5): reject with status "451 4.1.8", described as a sender
     domain without a valid MX record. A 4xx status is a temporary failure, so a
     legitimate sender with a DNS problem lands here as well as a forged domain.
     The trailing space inside <match> is part of the pattern text; keep it when editing.
     Rule 3151 counts repeats of this rule. Gutter line 23 is not shown in this listing. -->
22 <rule id="3102" level="5">
24 <match>reject=451 4.1.8 </match>
25 <description>Sender domain does not have any valid </description>
26 <description>MX record (Requested action aborted).</description>
<!-- Rule 3103 (level 6): reject with "550 5.0.0" or "553 5.3.0", described as an
     access-list rejection. The two alternatives are separated by "|".
     NOTE(review): the first alternative ends with a space and the second does not,
     unlike the other single-status patterns in this file; confirm that is intended.
     Rule 3152 counts repeats of this rule. -->
30 <rule id="3103" level="6">
32 <match>reject=550 5.0.0 |reject=553 5.3.0</match>
33 <description>Rejected by access list </description>
34 <description>(55x: Requested action not taken).</description>
<!-- Rule 3104 (level 6): reject with status "550 5.7.1", reported as a relay attempt.
     NOTE(review): 5.7.1 is a general "delivery not authorized" status, and mail
     servers commonly return it for other policy rejections too. The pattern matches
     the status code only, so check sample log lines before treating every hit as
     an open-relay probe. Rule 3153 counts repeats of this rule. -->
38 <rule id="3104" level="6">
40 <match>reject=550 5.7.1 </match>
41 <description>Attempt to use mail server as relay </description>
42 <description>(550: Requested action not taken).</description>
<!-- Rule 3105 (level 5): reject with status "553 5.1.8", described as a sender
     domain that was not found. Rule 3154 counts repeats of this rule.
     NOTE(review): the first <description> ends with a space and the second begins
     with one. If the fragments are joined verbatim the alert text carries a double
     space, which matters to anything downstream that matches the description exactly. -->
46 <rule id="3105" level="5">
48 <match>reject=553 5.1.8 </match>
49 <description>Sender domain is not found </description>
50 <description> (553: Requested action not taken).</description>
<!-- Rule 3106 (level 5): reject with status "553 5.5.4", described as a sender
     address that has no domain part. Rule 3155 counts repeats of this rule.
     Gutter line 55 is not shown in this listing. -->
54 <rule id="3106" level="5">
56 <match>reject=553 5.5.4 </match>
57 <description>Sender address does not have domain </description>
58 <description>(553: Requested action not taken).</description>
<!-- Rule 3107 (level 4): generic "rejected message" rule with the lowest non-zero
     level of the reject rules in this file. Rule 3156 counts repeats of this rule.
     NOTE(review): no condition is visible here because the listing skips gutter
     line 63. Confirm the parent reference in the shipped file before reusing this
     rule; as shown, nothing restricts what it matches. -->
62 <rule id="3107" level="4">
64 <description>Sendmail rejected message.</description>
<!-- Rule 3108 (level 6): matches the log text "rejecting commands from", which the
     description ties to pre-greeting traffic, i.e. a client that sends SMTP commands
     before the server banner. Well-behaved mail servers wait for the banner.
     Rule 3158 counts repeats of this rule. Gutter line 68 is not shown in this listing. -->
67 <rule id="3108" level="6">
69 <match>rejecting commands from</match>
70 <description>Sendmail rejected due to pre-greeting.</description>
<!-- Rule 3109 (level 8): matches "savemail panic" and tags the event system_error.
     This is the highest level among the single-event rules in this file, and it
     flags a mail-system failure rather than a spam or abuse signal.
     Gutter line 75 is not shown in this listing. -->
74 <rule id="3109" level="8">
76 <match>savemail panic</match>
77 <description>Sendmail save mail panic.</description>
78 <group>system_error,</group>
<!-- Rule 3151 (level 10): composite rule that escalates rule 3102 (level 5) when
     it repeats: frequency="6" within timeframe="120" (seconds).
     NOTE(review): OSSEC documentation describes the effective trigger count as
     higher than the frequency value; verify on the deployed version before tuning.
     NOTE(review): gutter line 83 is not shown, so the correlation key cannot be
     confirmed from this listing. Rule 3102 is a temporary (4xx) condition, so a DNS
     fault at a legitimate sender can also trip this rule; take that into account
     if level-10 alerts drive automated blocking. -->
81 <rule id="3151" level="10" frequency="6" timeframe="120">
82 <if_matched_sid>3102</if_matched_sid>
84 <description>Sender domain has bogus MX record. </description>
85 <description>It should not be sending e-mail.</description>
86 <group>multiple_spam,</group>
<!-- Rule 3152 (level 6): composite rule over rule 3103, frequency="6" within
     timeframe="120" (seconds). Its level equals that of rule 3103, so a repeat does
     not raise severity; what changes is the multiple_spam group tag.
     Gutter line 91 is not shown, so the correlation key cannot be confirmed here. -->
89 <rule id="3152" level="6" frequency="6" timeframe="120">
90 <if_matched_sid>3103</if_matched_sid>
92 <description>Multiple attempts to send e-mail from a </description>
93 <description>previously rejected sender (access).</description>
94 <group>multiple_spam,</group>
<!-- Rule 3153 (level 6): composite rule over rule 3104 (relay rejects), frequency="6"
     within timeframe="120" (seconds). The level stays at 6, the same as rule 3104;
     only the multiple_spam group is added.
     Gutter line 99 is not shown, so the correlation key cannot be confirmed here. -->
97 <rule id="3153" level="6" frequency="6" timeframe="120">
98 <if_matched_sid>3104</if_matched_sid>
100 <description>Multiple relaying attempts of spam.</description>
101 <group>multiple_spam,</group>
<!-- Rule 3154 (level 10): composite rule that escalates rule 3105 (level 5, sender
     domain not found) when it repeats: frequency="6" within timeframe="120" (seconds).
     Gutter line 106 is not shown, so the correlation key cannot be confirmed here. -->
104 <rule id="3154" level="10" frequency="6" timeframe="120">
105 <if_matched_sid>3105</if_matched_sid>
107 <description>Multiple attempts to send e-mail </description>
108 <description>from invalid/unknown sender domain.</description>
109 <group>multiple_spam,</group>
<!-- Rule 3155 (level 10): composite rule that escalates rule 3106 (level 5, sender
     address without a domain) when it repeats: frequency="6" within timeframe="120"
     (seconds).
     Gutter line 114 is not shown, so the correlation key cannot be confirmed here. -->
112 <rule id="3155" level="10" frequency="6" timeframe="120">
113 <if_matched_sid>3106</if_matched_sid>
115 <description>Multiple attempts to send e-mail from </description>
116 <description>invalid/unknown sender.</description>
117 <group>multiple_spam,</group>
<!-- Rule 3156 (level 10): composite rule over the generic reject rule 3107 (level 4),
     with a higher threshold than its siblings: frequency="10" within timeframe="120"
     (seconds).
     NOTE(review): the description says "same source ip", but the element that would
     enforce it is not visible because the listing skips gutter line 122. Confirm the
     shipped rule correlates on source address. Without that constraint, rejects
     from unrelated hosts on a busy relay would add up to a level-10 alert. -->
120 <rule id="3156" level="10" frequency="10" timeframe="120">
121 <if_matched_sid>3107</if_matched_sid>
123 <description>Multiple rejected e-mails from same source ip.</description>
124 <group>multiple_spam,</group>
<!-- Rule 3158 (level 10): composite rule that escalates rule 3108 (level 6,
     pre-greeting rejects) when it repeats: frequency="6" within timeframe="120"
     (seconds).
     Gutter line 129 is not shown, so the correlation key cannot be confirmed here. -->
127 <rule id="3158" level="10" frequency="6" timeframe="120">
128 <if_matched_sid>3108</if_matched_sid>
130 <description>Multiple pre-greetings rejects.</description>
131 <group>multiple_spam,</group>
135 <!-- Rules for SMF-SAV -->
<!-- Rule 3190: base rule for every event decoded as smf-sav-reject, tagged with
     the smf-sav group. Level 0 means it raises no alert by itself; rule 3191
     builds on it through if_sid. -->
136 <rule id="3190" level="0">
137 <decoded_as>smf-sav-reject</decoded_as>
138 <description>Grouping of the smf-sav sendmail milter rules.</description>
139 <group>smf-sav,</group>
<!-- Rule 3191 (level 6): child of rule 3190. It fires when the message starts with
     "sender check failed" or "sender check tempfailed"; both alternatives are
     anchored with "^". Events are tagged smf-sav and spam.
     NOTE(review): the description says REJECTED for both alternatives, but
     "tempfailed" reads as a temporary verification failure, not a definitive
     reject. Such events may reflect an unreachable remote server rather than a
     forged sender; keep that in mind when counting these hits as spam. -->
142 <rule id="3191" level="6">
143 <if_sid>3190</if_sid>
144 <match>^sender check failed|^sender check tempfailed</match>
145 <description>SMF-SAV sendmail milter unable to verify </description>
146 <description>address (REJECTED).</description>
147 <group>smf-sav,spam,</group>
150 </group> <!-- SYSLOG,SENDMAIL -->