Difference between revisions of "HIDS 3301"
(Created page with "{{Infobox |header1= Rule 3301 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = Attempt to use mail server as relay (client host rejected). }} = Description =...") |
m (→Notes) |
||
Line 43: | Line 43: | ||
This technique is one of the oldest and most widely used methods to send spam. Systems that allow anyone to relay email through them are called "open relays", and are used by spammers to hide the true location of the spammer and to also "steal" the trust users may have in the server. Open Relays are commonly blocked by other mail servers, so if your system is set up as an open relay mail server you may find that you will not be able to send email to other systems. You should never run your mail server as an open relay, and instead you should authenticate your users and only allow authorized and authenticated users to relay mail through your server. | This technique is one of the oldest and most widely used methods to send spam. Systems that allow anyone to relay email through them are called "open relays", and are used by spammers to hide the true location of the spammer and to also "steal" the trust users may have in the server. Open Relays are commonly blocked by other mail servers, so if your system is set up as an open relay mail server you may find that you will not be able to send email to other systems. You should never run your mail server as an open relay, and instead you should authenticate your users and only allow authorized and authenticated users to relay mail through your server. | ||
− | Example log | + | Example log messages: |
− | host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[5.6.7.8]: 554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<spammer@spammer.com> proto=SMTP helo= | + | ''hostname postfix/smtpd[15871]: NOQUEUE: reject: RCPT from hostname[1.2.3.4]: 554 5.7.1 <hostname[1.2.3.4]>: Client host rejected: Access denied; from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<[1.2.3.4]> |
+ | |||
+ | host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[5.6.7.8]: 554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<spammer@spammer.com> proto=SMTP helo='' |
Revision as of 17:02, 8 May 2013
Rule 3301 | |
---|---|
Status | Active |
Alert Message | Attempt to use mail server as relay (client host rejected). |
Contents |
Description
This rule reports when your systems mail server has rejected an attempt to send email through the server to a destination other than the server itself. For example, if your server accepts mail for "example.com", and user tries to use the server to send email to "atomicorp.com", this is called "relaying". If your mail server is not setup to allow relaying, then your mail server will reject attempts to use it to send email to another domain.
ASL does not control or configure this behavior in your mail server, it merely reports when this occurs. Therefore, if your mail server is rejecting mail from one of your users you will need to configure your mail server to allow relaying from the user. Please contact your mail server vendor for assistance with configuring your mail server.
Disabling this rule will not allow your users to relay mail. It will simply "silence" the alert in ASL, however the mail will still be rejected by your mail server.
Troubleshooting
False Positives
None.
Tuning Guidance
If you wish to not block these connections, just disable Active Response in the ASL rule manager.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.
Notes
This technique is one of the oldest and most widely used methods to send spam. Systems that allow anyone to relay email through them are called "open relays", and are used by spammers to hide the true location of the spammer and to also "steal" the trust users may have in the server. Open Relays are commonly blocked by other mail servers, so if your system is set up as an open relay mail server you may find that you will not be able to send email to other systems. You should never run your mail server as an open relay, and instead you should authenticate your users and only allow authorized and authenticated users to relay mail through your server.
Example log messages:
hostname postfix/smtpd[15871]: NOQUEUE: reject: RCPT from hostname[1.2.3.4]: 554 5.7.1 <hostname[1.2.3.4]>: Client host rejected: Access denied; from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<[1.2.3.4]>
host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[5.6.7.8]: 554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<spammer@spammer.com> proto=SMTP helo=