User Tools

Site Tools


reference:ids_event_number

IDS Log Event Numbers

The VPOP3 SMTP IDS logging facility logs SMTP events in a form which may be useful to Intrusion Protection Systems, or security monitoring software.

One of the fields in the log file is the Log Event Number

These are:

  • 0 = SMTP authentication failure
  • 1 = Relay denied
  • 2 = Relay allowed (not bad in itself, but a large number may indicate an open relay or spambot, etc)
  • 3 = Bad local recipient
  • 4 = Good local recipient (not bad in itself, but a large number may indicate a spammer)
  • 5 = Message detected as spam
  • 6 = Message detected as containing a virus
  • 7 = SMTP Rule matched
  • 8 = Realtime DNS Blacklist match
  • 9 = SMTP Syntax error (commonly spam software is badly written, so these can happen if error handling is poor in the sending software)
  • 10 = Message is bigger than the maximum size limit specified in VPOP3
  • 11 = Message contained a filtered attachment
  • 12 = Message contained a partial attachment (these are often an indication of something trying to bypass virus scanners)
  • 900 = IP address blocked
reference/ids_event_number.txt · Last modified: 2018/11/14 10:45 (external edit)