[Snort-sigs] sid 567 and new mail relay signatures

Jon Hart warchild at ...288...
Thu Sep 4 12:22:16 EDT 2003


Greetings,

This is in regards to an email I sent a long while back:

http://marc.theaimsgroup.com/?l=snort-sigs&m=101176018929591&w=2

I'm now reinvestigating the issue, as nearly all of the alerts I get for
sid 567 are from external mail servers telling ours that they can't
relay.  Although people are always trying to relay mail through our
servers, snort is not catching them because Postfix throws a slightly
different error message.

With that in mind, I did some poking at mail servers that are scattered
around our network:

MTA              Version         Relay error code/message
Sendmail         8.9.3/8.8.7     551 we do not relay
Sendmail         8.11.0/8.11.0   550 5.7.1 test at ...1837... Relaying denied
Exim             3.36            550 relaying to <test at ...1838...> prohibited by administrator
Postfix          1.1.11          554 <test at ...1838...>: Recipient address rejected: Relay access denied
Microsoft ESMTP  5.0.2195.6713   550 5.7.1 Unable to relay for test at ...1838...

While this isn't a comprehensive list of mail servers or possible mail
relay errors, these are the major ones and, to the best of my knowledge,
none of these have modified configs that might throw very nonstandard
relay error messages.

The errors that put the intended recipient in the error message are
slightly more difficult to write rules for because a really long email
address could push the actual interesting bits of the message very far
off into the packet, therefore making 'distance' based rules impossible.

Much like sids 982-984 and 1945 (which use the same msg, but different
contents), I think it'd be great to have a few more rules to detect SMTP
relaying.  I'm currently testing two variants of sid 567:  one which
matches "551 we do not relay" for older versions of sendmail, and
another which matches "550 relaying to".  

I'll let the list know how things go.

Thoughts on this?

-jon
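As an added example that is not part of Jon's post or of the Snort rule set: the five relay-denied reply texts from the table above, matched in Python with regular expressions instead of fixed byte offsets, so that a recipient address of any length cannot push the fixed text out of the window a content/distance rule would look at. It also separates the two directions the post distinguishes, a local MTA refusing a relay attempt versus a remote MTA refusing our server, by looking at which side sent the reply. The IP addresses, recipient addresses and reply lines are constructed sample data; the punctuation around the address in the Sendmail 8.11 reply is an assumption, because the archive garbled that line.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class RelayDenial(NamedTuple):
    mta: str                  # label from the post's MTA table
    code: str                 # three-digit SMTP reply code
    recipient: Optional[str]  # recipient quoted in the reply, if any


# One pattern per reply text in the post. Where the MTA echoes the recipient,
# it is captured by a group of unbounded length, so a very long address
# cannot push the fixed text past the offset/distance window a Snort
# content rule would have to guess.
# Assumption: the post's "test at ...1837..." was "user@host" obfuscated by
# the archive; the trailing "..." after the address in the Sendmail 8.11
# reply is guessed from that garbled line and is made optional here.
RULES = [
    ("Sendmail 8.9.3",
     re.compile(r"^551 we do not relay\b")),
    ("Sendmail 8.11.0",
     re.compile(r"^550 5\.7\.1 (?P<rcpt>\S+?)\.{0,3} Relaying denied\b")),
    ("Exim 3.36",
     re.compile(r"^550 relaying to <(?P<rcpt>[^>]*)> prohibited by administrator\b")),
    ("Postfix 1.1.11",
     re.compile(r"^554 <(?P<rcpt>[^>]*)>: Recipient address rejected: Relay access denied\b")),
    ("Microsoft ESMTP 5.0",
     re.compile(r"^550 5\.7\.1 Unable to relay for (?P<rcpt>\S+)")),
]


def classify_reply(line: str) -> Optional[RelayDenial]:
    """Return a RelayDenial if `line` is one of the known relay refusals, else None."""
    line = line.rstrip("\r\n")
    for label, pattern in RULES:
        m = pattern.match(line)
        if m:
            return RelayDenial(label, line[:3], m.groupdict().get("rcpt"))
    return None


# Constructed sample traffic: (IP that sent the reply, IP that received it, reply line).
LOCAL_MTAS = {"192.0.2.25", "192.0.2.26"}  # assumption: our own mail servers
SAMPLE_REPLIES = [
    ("203.0.113.7",  "192.0.2.25",    "550 5.7.1 bob@example.net... Relaying denied"),
    ("192.0.2.25",   "198.51.100.9",  "554 <victim@example.org>: Recipient address rejected: Relay access denied"),
    ("192.0.2.26",   "198.51.100.9",  "551 we do not relay"),
    ("192.0.2.25",   "198.51.100.9",  "250 2.1.5 Ok"),
    ("203.0.113.8",  "192.0.2.25",    "550 relaying to <carol@example.com> prohibited by administrator"),
    ("192.0.2.26",   "198.51.100.10", "550 5.7.1 Unable to relay for dave@example.com"),
]


def audit(replies, local_mtas) -> List[Tuple[str, str, str, RelayDenial]]:
    """Tag each relay refusal with who refused whom.

    An SMTP reply always travels server -> client, so the source of the reply
    identifies the refusing side: a local source means someone tried to relay
    through us (the event worth alerting on); a remote source means a remote
    MTA refused our server (the noise the post describes for sid 567).
    """
    alerts = []
    for src, dst, text in replies:
        hit = classify_reply(text)
        if hit is None:
            continue
        if src in local_mtas:
            direction = "local MTA refused relay attempt"
        else:
            direction = "remote MTA refused our MTA"
        alerts.append((direction, src, dst, hit))
    return alerts


def local_refusals(replies, local_mtas) -> List[RelayDenial]:
    """Only the refusals issued by our own servers, i.e. inbound relay attempts."""
    return [hit for d, _, _, hit in audit(replies, local_mtas) if d.startswith("local")]


if __name__ == "__main__":
    for direction, src, dst, hit in audit(SAMPLE_REPLIES, LOCAL_MTAS):
        print(f"{direction:32} {src:>13} -> {dst:<14} {hit.mta:20} rcpt={hit.recipient}")
```

The same split can be expressed in Snort by writing two rules per message, one with the local mail servers as the source and one with them as the destination, so the "remote server refused us" case can be given a different message or dropped entirely.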
