HIDS 171010

From Atomicorp Wiki
Jump to: navigation, search
Rule 171010
Status Active
Alert Message Multiple Rejected MAIL: Access Denied in 30 seconds from the same source.


[edit] Description

ASL does not cause this event to occur. ASL simply reports when it occurs.

This means that exim has rejected a mail connection, and has done so 8 or more times within 30 seconds, from the same IP.

[edit] Log examples

2014-01-01 10:10:10 H=(hostname) []:2039 rejected MAIL <username@example.com>: Access denied - Invalid HELO name (See RFC2821

[edit] Troubleshooting

[edit] Solutions

ASL does not cause this event to occur. ASL simply reports when it occurs. Disabling this rule will not prevent exim from blocking these connections, disabling this rule will only silence this alert. Exim is causing these blocks, and only configuring Exim will change this behavior of Exim. ASL does not manage or configure Exim. Please contact your mail server vendor for assistance if you do not know how to configure Exim, or contact our sales department and we can put a professional services quote together to assist you.

If you wish to prevent ASL from shunning on these events, simply set Active Response for the rule to off. This will of course not stop Exim from blocking these connections.

[edit] False Positives

None. Please do not report this as a false positive unless ASL is incorrectly reporting an event that is:

1) not exim


2) exim is not rejecting the connection

[edit] Additional Information

[edit] Similar Rules


[edit] Knowledge Base Articles


[edit] External Articles


Personal tools