I "kind of" solved it. One rule finds out that user X is sending spam, and via an active response a "sender_bcc emailaddress" is connected to user X via tables in Postfix. The second rule will catch the sender_bcc, which now shows up the next time user X sends spam, and the same line will also contain the originating ipaddress.
So the ipaddress is caught next time, this is good enough for me at the moment.
