
Flowmon ADS

SMTPANOMALY - SMTP Anomaly

  • Last Updated: April 5, 2026

Method description

The detection method is based on the assumption that, in a corporate environment, email should be sent only in a defined way. The method detects emails sent, or attempted to be sent, through mail servers other than those explicitly defined as legitimate.

Additionally, the SPAMCounter parameter activates detection of an increased number of emails sent from a single station. What counts as "increased" is defined by the Multiplicator parameter: a station is reported when it sends more than Multiplicator times the average number of emails sent by the other stations. The average is computed only from stations that sent more than MinimalMailLimit messages in one hour. The method focuses on TCP/25 (SMTP), TCP/465 (SMTP over TLS) and TCP/587 (Message Submission) traffic. From the number of flows and the responses of the email servers, the method estimates the number of emails and whether they were actually sent; this information is available in the detail of the generated event. Event targets are all mail servers through which attempts to send email were made.

The ServersFilter option names the filter that identifies the legitimate SMTP servers through which mail may be sent. With StrictMode set to "strict", only IP addresses matched by the filter assigned to the method can be the sources of an event. With ExcludeMailServers set to "exclude", the IP addresses in the ServersFilter list are excluded from detection (a legitimate relay itself connects to arbitrary external servers and would otherwise be reported). The IgnoreSecuredSMTP option ignores SMTP-over-TLS traffic (TCP/465). With IgnoreScans set to "ignore", transmissions too small to carry an email (typically port scans) are ignored. The IgnoreTCP587 option ignores Message Submission traffic (TCP/587).

This method consists of the following sub-methods:

  • UndefinedServer: Reports clients in the monitored network that communicate with an unauthorized SMTP server. The detection is based on a user-defined list of allowed SMTP servers.

  • SpammingClient: Reports devices in the monitored network that may be a potential source of SPAM due to a high number of email messages being sent.

Method configuration

It is recommended to apply this method to the IP addresses of the organization. The right places to monitor traffic are the core switch and the Internet uplink.

Method parameters

  • ServersFilter: Name of the filter that defines the IP addresses of the email servers that may be used in the monitored network.

  • StrictMode: Omission of email traffic whose source lies outside the network defined by the assigned filter.

  • ExcludeMailServers: Omission of outgoing traffic from the IP addresses defined by the ServersFilter parameter.

  • IgnoreSecuredSMTP: Omission of SMTP-over-TLS traffic (TCP/465). Note that TCP/993 is IMAPS, not SMTP, and is not covered by this method.

  • IgnoreTCP587: Omission of Message Submission traffic (TCP/587).

  • IgnoreScans: Omission of traffic recognized as port scanning (transmissions too small to carry a message).

  • SPAMCounter: Activation of the detection of an increased number of sent emails.

  • MinimalMailLimit: Minimum number of emails a single device must send in one hour to be included in the average (and to be eligible for reporting).

  • Multiplicator: Coefficient used to compute the dynamic threshold for emails sent by a single device. The threshold is the coefficient multiplied by the network average.

  • IgnoreSYNflows: Omission of flows carrying only the TCP SYN flag (connection attempts that were never established). Apply this option if (and only if) the flow data carries correctly assigned TCP flags.
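The following is an added example that re-implements the two sub-methods (UndefinedServer and SpammingClient) and the Ignore*/StrictMode/ExcludeMailServers options described above over constructed flow records. It is not Flowmon code: the flow field names, the Config attribute names, the byte-size heuristic used for "too small to be email", the choice to include the reported station in the hourly average, and the assumption that one SMTP flow approximates one email are all assumptions made for illustration.

```python
"""Toy SMTPANOMALY: UndefinedServer + SpammingClient over constructed flows.
Added example, not Flowmon code; field/attribute names are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean

SMTP_PORT, SMTPS_PORT, SUBMISSION_PORT = 25, 465, 587
SCAN_MAX_BYTES = 200  # assumed: a flow this small cannot carry a message


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags seen in the flow, e.g. "S" (SYN only) or "SAPF"
    bytes: int
    hour: int    # hour bucket the flow falls into


@dataclass
class Config:
    servers_filter: list              # allowed mail servers (CIDR strings)
    assigned_filter: list             # IP range the method is applied to
    strict_mode: bool = False         # sources must lie inside assigned_filter
    exclude_mail_servers: bool = False
    ignore_secured_smtp: bool = False
    ignore_tcp587: bool = False
    ignore_scans: bool = False
    ignore_syn_flows: bool = False
    spam_counter: bool = False
    minimal_mail_limit: int = 5
    multiplicator: float = 2.0


def in_filter(ip, nets):
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def candidate_flows(flows, cfg):
    """Apply the Ignore*/StrictMode/ExcludeMailServers options to raw flows."""
    ports = {SMTP_PORT}
    if not cfg.ignore_secured_smtp:
        ports.add(SMTPS_PORT)
    if not cfg.ignore_tcp587:
        ports.add(SUBMISSION_PORT)
    kept = []
    for f in flows:
        if f.dport not in ports:
            continue
        if cfg.ignore_syn_flows and f.flags == "S":
            continue                       # SYN only: no session was established
        if cfg.ignore_scans and f.bytes < SCAN_MAX_BYTES:
            continue                       # too small to be a message
        if cfg.strict_mode and not in_filter(f.src, cfg.assigned_filter):
            continue                       # source outside the assigned filter
        if cfg.exclude_mail_servers and in_filter(f.src, cfg.servers_filter):
            continue                       # the relay's own outbound traffic
        kept.append(f)
    return kept


def undefined_server(flows, cfg):
    """Map each client to the non-whitelisted SMTP servers it contacted."""
    hits = defaultdict(set)
    for f in candidate_flows(flows, cfg):
        if not in_filter(f.dst, cfg.servers_filter):
            hits[f.src].add(f.dst)
    return dict(hits)


def spamming_client(flows, cfg):
    """Per hour: average over stations above MinimalMailLimit, then report
    stations sending more than Multiplicator times that average."""
    if not cfg.spam_counter:
        return {}
    per_hour = defaultdict(Counter)
    for f in candidate_flows(flows, cfg):
        per_hour[f.hour][f.src] += 1       # assumption: one flow ~ one e-mail
    flagged = {}
    for hour, counts in per_hour.items():
        busy = {ip: n for ip, n in counts.items() if n > cfg.minimal_mail_limit}
        if not busy:
            continue
        threshold = cfg.multiplicator * mean(busy.values())
        for ip, n in busy.items():
            if n > threshold:
                flagged[ip] = (hour, n, threshold)
    return flagged


# Constructed sample: 10.0.0.25 is the only sanctioned relay for 10.0.0.0/8.
CFG = Config(servers_filter=["10.0.0.25/32"], assigned_filter=["10.0.0.0/8"],
             strict_mode=True, exclude_mail_servers=True, ignore_scans=True,
             ignore_syn_flows=True, spam_counter=True)
CFG_LOOSE = Config(servers_filter=["10.0.0.25/32"], assigned_filter=["10.0.0.0/8"])


def _burst(src, dst, dport, n, hour, flags="SAPF", size=4000):
    return [Flow(src, dst, dport, flags, size, hour) for _ in range(n)]


SAMPLE = (
    _burst("10.1.1.7", "10.0.0.25", 587, 8, 9)                 # normal user
    + _burst("10.1.1.8", "10.0.0.25", 587, 10, 9)              # normal user
    + _burst("10.1.1.9", "10.0.0.25", 587, 3, 9)               # below MinimalMailLimit
    + _burst("10.1.1.50", "10.0.0.25", 25, 120, 9)             # spam burst via the relay
    + _burst("10.1.1.50", "203.0.113.10", 25, 2, 9)            # bypassing the relay
    + _burst("10.1.1.99", "203.0.113.77", 25, 20, 9, "S", 60)  # port scanner
    + _burst("10.0.0.25", "198.51.100.5", 25, 30, 9)           # relay's own outbound
    + _burst("192.0.2.4", "203.0.113.10", 25, 4, 9)            # outside assigned range
)

if __name__ == "__main__":
    print("UndefinedServer:", undefined_server(SAMPLE, CFG))
    print("SpammingClient:", spamming_client(SAMPLE, CFG))
```

With CFG, only 10.1.1.50 is reported by both sub-methods: the scanner is dropped by IgnoreSYNflows/IgnoreScans, the relay's own outbound mail by ExcludeMailServers, and the external host by StrictMode. Running the same data through CFG_LOOSE (all options off) shows why those options exist: the scanner, the relay and the external host all appear as UndefinedServer sources.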

Assigned filter

The assigned filter restricts the source IP addresses considered in the profiler part of the detection, according to the StrictMode parameter.

Interpretation of results

This method not only detects spamming attempts but may also help identify devices infected by malware (such as spyware or a spam bot). It may also reveal employees who use mail servers other than the corporate ones, whether intentionally or because of a misconfigured client.
