[Snort-users] SMTP Relaying bug

Pauling pauling at ...7196...
Tue Jan 14 09:22:02 EST 2003


Has anybody noticed this, that the Alert for an SMTP relay attack monitors 
the 550 RELAYING DENIED message, and as such, gives a misleading 
notification implying that your server is attempting to send mail through 
a closed relay?

I'm not very good at writing snort rules, but is there any way to 
effectively reverse this, so that the alert reads that a mail message from 
$EXTERNAL_NET was not relayed through $SMTP_SERVERS?

-- 
Frank Barton
Starwolf.biz Systems Administrator




