reference:ids_event_number

Differences

This shows you the differences between two versions of the page.

reference:ids_event_number [2018/11/14 10:45] (current)
Line 1: Line 1:
 +======IDS Log Event Numbers======
  
 +The VPOP3 [[smtp_ids_ips|SMTP IDS logging facility]] logs SMTP events in a form which may be useful to Intrusion Protection Systems, or security monitoring software.
 +
 +One of the fields in the log file is the **Log Event Number**
 +
 +These are:
 +
 +  * 0 = SMTP authentication failure
 +  * 1 = Relay denied
 +  * 2 = Relay allowed (not bad in itself, but a large number may indicate an open relay or spambot, etc)
 +  * 3 = Bad local recipient
 +  * 4 = Good local recipient (not bad in itself, but a large number may indicate a spammer)
 +  * 5 = Message detected as spam
 +  * 6 = Message detected as containing a virus
 +  * 7 = SMTP Rule matched
 +  * 8 = Realtime DNS Blacklist match
 +  * 9 = SMTP Syntax error (commonly spam software is badly written, so these can happen if error handling is poor in the sending software)
 +  * 10 = Message is bigger than the maximum size limit specified in VPOP3
 +  * 11 = Message contained a filtered attachment
 +  * 12 = Message contained a partial attachment (these are often an indication of something trying to bypass virus scanners)
 +  * 900 = IP address blocked
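
Review bot: The list jumps from 12 straight to 900 ("IP address blocked") without saying whether the values in between are reserved or unused, so anyone writing a monitoring rule cannot tell how to treat an unlisted number; add a sentence on that. The sentence introducing the **Log Event Number** is missing its full stop and does not say where in the log line the field sits, so point to the log format description on the smtp_ids_ips page. Entries 2 and 4 say "a large number" may indicate an open relay, spambot or spammer; a short note on what rate or time window is meant would make them usable as alert thresholds.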
reference/ids_event_number.txt · Last modified: 2018/11/14 10:45 (external edit)