Difference between revisions of "HIDS 3301"

From Atomicorp Wiki
Latest revision as of 16:47, 21 August 2014

Rule: 3301
Status: Active
Alert Message: Attempt to use mail server as relay (client host rejected).

Description

ASL does not cause this event and does not cause any blocks associated with this event. ASL simply reports when your mail server blocks a relaying attempt. ASL has no control over your mail server.

This rule reports when your system's mail server has rejected a relaying attempt, that is, an attempt to send email through the server to a destination other than the server itself. For example, if your server accepts mail for "example.com" and a user tries to use the server to send email to "atomicorp.com", this is called "relaying". If your mail server is not set up to allow relaying, it will reject attempts to use it to send email to another domain.

ASL does not control or configure this behavior in your mail server; it merely reports when this occurs. Therefore, if your mail server is rejecting mail from one of your users, you will need to configure your mail server to allow relaying from that user. Please contact your mail server vendor for assistance with configuring your mail server to do this.

Disabling this rule will not allow your users to relay mail. It will simply "silence" the alert in ASL; the mail will still be rejected by your mail server.

Troubleshooting

False Positives

None.

Tuning Guidance

If you do not wish ASL to block these connections, disable Active Response in the ASL rule manager for this rule.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

This technique is one of the oldest and most widely used methods to send spam. Systems that allow anyone to relay email through them are called "open relays", and are used by spammers to hide the true location of the spammer and to also "steal" the trust users may have in the server. Open Relays are commonly blocked by other mail servers, so if your system is set up as an open relay mail server you may find that you will not be able to send email to other systems. You should never run your mail server as an open relay, and instead you should authenticate your users and only allow authorized and authenticated users to relay mail through your server.

Example log messages

hostname postfix/smtpd[15871]: NOQUEUE: reject: RCPT from hostname[1.2.3.4]: 554 5.7.1 <hostname[1.2.3.4]>: Client host rejected: Access denied; from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<[1.2.3.4]>

host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[5.6.7.8]: 554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<spammer@spammer.com> proto=SMTP helo=
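The following is an added example, not part of the Atomicorp wiki page or ASL itself: a small Python parser that picks the two Postfix reject shapes shown above out of a mail log and counts refused relay attempts per client IP, which is what a defender wants when deciding whether a source is one misconfigured user or a relay probe. The sample log lines are constructed to match the messages on this page; the syslog prefix and the unrelated fourth line are assumptions.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the two Postfix rejects shown on this page,
# plus one unrelated smtpd line that must be ignored.
SAMPLE_LOG = """\
Aug 21 16:47:01 mx1 postfix/smtpd[15871]: NOQUEUE: reject: RCPT from hostname[1.2.3.4]: 554 5.7.1 <hostname[1.2.3.4]>: Client host rejected: Access denied; from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<[1.2.3.4]>
Aug 21 16:47:05 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[5.6.7.8]: 554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<spammer@spammer.com> proto=SMTP helo=
Aug 21 16:47:09 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[5.6.7.8]: 554 5.7.1 <other@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<other@notadomainonthisserver.org> proto=SMTP helo=
Aug 21 16:47:12 mx1 postfix/smtpd[2222]: 4A1B2C3D4E: client=mail.example.com[9.9.9.9]
"""

# One pattern covers the smtpd "NOQUEUE: reject: RCPT" shape used by both example messages.
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) "
    r"<(?P<subject>[^>]*)>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Reject reasons that correspond to this rule: the MTA itself refused to act as a relay.
RELAY_REASONS = ("Relay access denied", "Client host rejected: Access denied")


def parse_relay_rejects(text):
    """Return one dict per refused relay attempt; unrelated smtpd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("code") != "554" or m.group("dsn") != "5.7.1":
            continue
        if not m.group("reason").startswith(RELAY_REASONS):
            continue
        events.append(m.groupdict())
    return events


def relay_attempts_by_client(text):
    """Count refused relay attempts per client IP (the ASL alert only reports these;
    the mail server already rejected them)."""
    return Counter(e["ip"] for e in parse_relay_rejects(text))


if __name__ == "__main__":
    for ip, n in relay_attempts_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} refused relay attempt(s)")
```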
