I added this new rule to snort/rules:
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any
(msg:"Possible mail relay usage"; content:"Relaying denied";
flags:A+; classtype:trojan-activity; sid:1000001; rev:1;)
I wonder what else I need to add to Snort? The mail server denies mail relaying anyway, but I want Snort to do this job instead.
When I am using Snort in verbose mode:
snort -v
And I test the open mail relay, and the mail server denies any relays.
I see SMTP traffic going through, but it is not denied by Snort.
Thank you in advance.