Snort mailing list archives

RE: SMTP Relaying bug


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 14 Jan 2003 16:54:52 -0500


If you're talking about the following rule:  

alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied";
flags:A+; content: "550 5.7.1"; depth:70;
reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249;
classtype:misc-activity; sid:567; rev:8;)

then what you have is a rule that traps when *your* mail server responds
from its own TCP port 25 to any outside network on any port, and the
response contains the text "550 5.7.1".  This implies that someone outside
your network attempted to use your SMTP server as a relay point and your
server denied the relay attempt, not that your server is attempting to send
mail through a closed relay.  That rule would be something like:  

alert tcp $EXTERNAL_NET 25 -> $SMTP any (msg:"POLICY SMTP relaying denied";
flags:A+; content: "550 5.7.1"; depth:70;
reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249;
classtype:misc-activity; sid:567; rev:8;)  

Hope this helps.  

Christopher

-----Original Message-----
Date: Tue, 14 Jan 2003 12:22:36 -0500 (EST)
From: Pauling <pauling () Starwolf biz>
To: snort-users () lists sourceforge net
Subject: [Snort-users] SMTP Relaying bug

Has anybody noticed this, that the Alert for an SMTP relay attack monitors 
the 550 RELAYING DENIED message, and as such, gives a misleading 
notification implying that your server is attempting to send mail through 
a closed relay?

I'm not very good at writing snort rules, but is there any way to 
effectively reverse this, so that the alert reads that a mail message from 
$EXTERNAL_NET was not relayed through $SMTP_SERVERS?

-- 
Frank Barton
Starwolf.biz Systems Administrator
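The direction point Christopher makes above (the 550 5.7.1 text is seen leaving *your* server on port 25 when it refuses an outside relay attempt, and arriving *at* your server from a remote port 25 when someone else refuses your mail) can be checked against sample traffic with a small rule evaluator. What follows is an added example and is not part of the thread or of Snort itself: it models only the header match, the flags:A+ test and the content/depth test of the two rules quoted above, with no flow tracking. The HOME_NET and $SMTP bindings, the packet contents and the local sid 1000001 for the reversed rule are constructed assumptions (Snort reserves sids of 1000000 and up for local rules, so a reversed copy should not keep sid 567 as in the sketch above).

```python
import ipaddress
from dataclasses import dataclass

# Constructed variable bindings (assumptions, adjust to your site):
# HOME_NET is the local range, $SMTP the mail server, $EXTERNAL_NET is !$HOME_NET.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
SMTP = {ipaddress.ip_address("192.0.2.25")}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters as Snort writes them, e.g. "PA"
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    src_var: str    # "$SMTP", "$EXTERNAL_NET" or "any"
    src_port: str   # "25" or "any"
    dst_var: str
    dst_port: str
    content: bytes
    depth: int      # content must lie entirely within the first `depth` payload bytes


def in_var(ip: str, var: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if var == "$SMTP":
        return addr in SMTP
    if var == "$EXTERNAL_NET":          # !$HOME_NET
        return not any(addr in net for net in HOME_NET)
    if var == "any":
        return True
    raise ValueError(f"unknown rule variable {var}")


def port_ok(port: int, spec: str) -> bool:
    return spec == "any" or port == int(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header, flags:A+ and content/depth checks for one packet (no stream reassembly)."""
    if not (in_var(pkt.src, rule.src_var) and port_ok(pkt.sport, rule.src_port)):
        return False
    if not (in_var(pkt.dst, rule.dst_var) and port_ok(pkt.dport, rule.dst_port)):
        return False
    if "A" not in pkt.flags:            # flags:A+ -> ACK set, other flags allowed
        return False
    idx = pkt.payload.find(rule.content)
    return idx != -1 and idx + len(rule.content) <= rule.depth


# The stock rule (our server -> outside) and the reversed one (outside -> our server).
RELAY_DENIED_INBOUND = Rule(567, "POLICY SMTP relaying denied (our server refused an outside relay attempt)",
                            "$SMTP", "25", "$EXTERNAL_NET", "any", b"550 5.7.1", 70)
RELAY_DENIED_OUTBOUND = Rule(1000001, "POLICY SMTP relaying denied by remote server (our mail was refused)",
                             "$EXTERNAL_NET", "25", "$SMTP", "any", b"550 5.7.1", 70)
RULES = [RELAY_DENIED_INBOUND, RELAY_DENIED_OUTBOUND]

# Constructed sample packets (not captured traffic).
PACKETS = {
    # Outside host tried to relay through us; our server answers 550 on port 25.
    "inbound_relay_refused": Packet("192.0.2.25", 25, "203.0.113.10", 51234, "PA",
                                    b"550 5.7.1 <bob@example.net>... Relaying denied\r\n"),
    # Our server delivered outbound and a remote MX on port 25 refused it.
    "outbound_relay_refused": Packet("198.51.100.5", 25, "192.0.2.25", 40312, "PA",
                                     b"550 5.7.1 <carol@example.org>... Relaying denied\r\n"),
    # Ordinary accepted recipient: nothing should fire.
    "inbound_accepted": Packet("192.0.2.25", 25, "203.0.113.10", 51234, "PA",
                               b"250 2.1.5 <bob@example.com>... Recipient ok\r\n"),
    # Pipelined replies push the 550 line past byte 70, so depth:70 misses it.
    "inbound_refused_deep": Packet("192.0.2.25", 25, "203.0.113.10", 51234, "PA",
                                   b"250 2.1.0 <alice.reporting.service@mailer.example.com>... Sender ok\r\n"
                                   b"550 5.7.1 <bob@example.net>... Relaying denied\r\n"),
}


def evaluate(rules, packets):
    """Return {packet name: [sids that fire]} so the direction of each alert is explicit."""
    return {name: [r.sid for r in rules if matches(r, pkt)] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, sids in evaluate(RULES, PACKETS).items():
        fired = ", ".join(f"{s}: {r.msg}" for s in sids for r in RULES if r.sid == s) or "-"
        print(f"{name:24} {fired}")
```

Running it shows sid 567 firing only on the reply our server sends outward and sid 1000001 only on the reply coming back from a remote MX, which is the distinction Christopher draws; the last sample shows the depth:70 limit missing a 550 line that arrives after a pipelined 250 reply, something to keep in mind before trusting the rule's silence.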