Hello,
There won't be any data (TCP::payload) in the CLIENT_ACCEPTED event. But that is the event where you would potentially want to start collecting the payload.
Also, the 550 response is going to be sent from the server back towards the client, so you would want to look at the server data (not client data).
I don't know SMTP well enough to suggest the best way to write such a rule, but try searching the forum for SMTP. The codeshare also has an SMTP proxy rule that might give you some reference material.
RFC2821 documents the steps in establishing an SMTP connection (Click here). Section 3.3 seems relevant.
Anyone else have ideas?
Aaron
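
A sketch of the approach described in the reply above, added here as an example and not code from the original poster or from the codeshare: collection starts once the server side is connected, and the server's data is inspected for 550 reply lines. It assumes a plaintext SMTP virtual server and logging to local0; the `client` variable name is chosen for illustration.

```tcl
# Added illustration, not from the original post.
# Assumption: plaintext SMTP. After STARTTLS the payload is encrypted
# and reply codes are no longer visible to this rule.
when CLIENT_ACCEPTED {
    # No TCP::payload exists yet in this event, so only record the
    # client endpoint for use in later log messages.
    set client "[IP::client_addr]:[TCP::client_port]"
}

when SERVER_CONNECTED {
    # Begin buffering data sent by the server (greeting and replies).
    TCP::collect
}

when SERVER_DATA {
    # Walk the collected server payload line by line (SMTP lines end in CRLF).
    foreach line [split [TCP::payload] "\n"] {
        set line [string trimright $line "\r"]
        # A reply line is a 3-digit code followed by a space (final line)
        # or a hyphen (continuation line of a multi-line reply).
        if { [string match {550[ -]*} $line] } {
            log local0. "SMTP 550 from server to $client: $line"
        }
    }
    # Limitation: a reply line split across two TCP segments is checked
    # in pieces and can be missed by this per-event match.
    # Forward the data unchanged to the client, then keep collecting.
    TCP::release
    TCP::collect
}
```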