1# postfix spam
2type: leaky
3name: crowdsecurity/postfix-spam
4description: "Detect spammers"
5filter: "evt.Meta.log_type_enh == 'spam-attempt' || evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject'"
6leakspeed: "10s"
7references:
8  - https://en.wikipedia.org/wiki/Spamming
9capacity: 5
10groupby: evt.Meta.source_ip
11blackhole: 1m
12reprocess: false
13labels:
14  service: postfix
15  remediation: true
16  confidence: 3
17  spoofable: 0
18  behavior: "smtp:spam"
19  label: "Postfix Spam"
20---
21# postfix spam
22type: trigger
23name: crowdsecurity/postscreen-rbl
24description: "Detect spammers"
25filter: "evt.Meta.service == 'postscreen' && evt.Meta.pregreet == 'PREGREET'"
26references:
27  - https://en.wikipedia.org/wiki/Spamming
28groupby: evt.Meta.source_ip
29blackhole: 1m
30reprocess: false
31labels:
32  service: postscreen
33  remediation: true
34  confidence: 3
35  spoofable: 0
36  behavior: "smtp:spam"
37  label: "Postfix Spam"
38