Snort SMTP rule "Access Denied for Mail Relay"

volga629 · 12-29-2009, 04:57 PM

I added this new rule to snort/rules:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any
(msg:"Possible mail relay usage"; content:"Relaying denied";
flags:A+; classtype:trojan-activity; sid:1000001; rev:1

I wonder what else need add to snort ? Mail server is deny mail relay anyway, but i want the snort will do this job instead.
When i am using snort in verbose mode:
snort -v
And I test the open relay mail and mail server is deny any relays.
I see smtp traffic going through, but not denied by snort.

Thank you in advance.

unSpawn · 01-17-2010, 06:06 AM

Quote:

Originally Posted by volga629

Code:

tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any

Shouldn't it be "tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25"? Snort, unless run in in-line mode, doesn't drop traffic itself. You'll need an add-on. But why not just -d !LAN -j DENY TCP/25 instead?

volga629 · 01-19-2010, 04:44 AM

Thank you on you response. Yes you right snort run in inline mode, the whole idea behind that to make alert for attempts of spammers mail relays through the server. By the way on the server him self mail relays is denied. And i advised about it and problem is the snort him self cannot recognize when is mail relay or not. That function only for mail server him self.
So just need to wait maybe in future will be develop some solution for this.

unSpawn · 01-19-2010, 01:09 PM

Quote:

Originally Posted by volga629

make alert for attempts of spammers mail relays through the server. (..) problem is the snort him self cannot recognize when is mail relay or not. That function only for mail server him self.

Spam is not as much a packet-level "threat" but a problem tackled best at the application layer, so yeah, for fighting spam MTA configuration and using RBL's is part of the solution but Snort is not.