Difference between revisions of "HIDS 171010"
Latest revision as of 11:28, 5 September 2014
Rule 171010 | |
---|---|
Status | Active |
Alert Message | Multiple Rejected MAIL: Access Denied in 30 seconds from the same source. |
Description
ASL does not cause this event to occur. ASL simply reports when it occurs.
This means that Exim has rejected a mail connection from the same IP 8 or more times within 30 seconds.
Log examples
2014-01-01 10:10:10 H=(hostname) [1.2.3.4]:2039 rejected MAIL <username@example.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
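The threshold described above (8 or more rejections from one IP within 30 seconds), applied to log lines of the form shown, as an added example. This is not ASL's rule definition or code; the regular expression, the function names, the re-arm behavior after an alert and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches Exim reject lines of the form shown under "Log examples".
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? "
    r"rejected MAIL .*?: Access denied"
)
THRESHOLD = 8                      # "8 or more times"
WINDOW = timedelta(seconds=30)     # "within 30 seconds"


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(timestamp, ip)] for each point where an IP reaches the threshold."""
    recent = defaultdict(deque)    # ip -> timestamps of rejects still inside the window
    alerts = []
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue               # not a "rejected MAIL: Access denied" event
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop rejects older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, m["ip"]))
            q.clear()              # this example's choice: count afresh after alerting
    return alerts


def sample_log():
    """Constructed sample: 1.2.3.4 bursts, 5.6.7.8 is slow, one non-matching line."""
    tail = ("rejected MAIL <username@example.com>: Access denied - "
            "Invalid HELO name (See RFC2821 4.1.1.1)")
    burst = [f"2014-01-01 10:10:{10 + 2 * i:02d} H=(hostname) [1.2.3.4]:2039 {tail}"
             for i in range(8)]
    slow = [f"2014-01-01 10:{20 + i:02d}:00 H=(hostname) [5.6.7.8]:4000 {tail}"
            for i in range(8)]
    other = ["2014-01-01 10:10:11 constructed line that is not a MAIL rejection"]
    return burst + other + slow


if __name__ == "__main__":
    for ts, ip in correlate(sample_log()):
        print(f"{ts} Multiple Rejected MAIL: Access Denied in 30 seconds from {ip}")
```

Only the burst from 1.2.3.4 alerts; the eight rejections from 5.6.7.8 are a minute apart and never share a 30-second window.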
Troubleshooting
Solutions
ASL does not cause this event to occur. ASL simply reports when it occurs. Disabling this rule will not prevent Exim from blocking these connections; it will only silence this alert. Exim is causing these blocks, and only configuring Exim will change this behavior. ASL does not manage or configure Exim. Please contact your mail server vendor for assistance if you do not know how to configure Exim, or contact our sales department and we can put a professional services quote together to assist you.
If you wish to prevent ASL from shunning on these events, simply set Active Response for the rule to off. This will of course not stop Exim from blocking these connections.
False Positives
None. Please do not report this as a false positive unless ASL is incorrectly reporting an event that is:
1) not from Exim
or
2) one where Exim is not rejecting the connection
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
External Articles
None.