HIDS 3301

From Atomicorp Wiki
Revision as of 16:58, 10 March 2014 by Mshinn (Talk | contribs)

Jump to: navigation, search
Rule 3301
Status Active
Alert Message Attempt to use mail server as relay (client host rejected).

Contents

Description

This rule reports when your systems mail server has rejected an attempt to send email through the server to a destination other than the server itself. For example, if your server accepts mail for "example.com", and user tries to use the server to send email to "atomicorp.com", this is called "relaying". If your mail server is not setup to allow relaying, then your mail server will reject attempts to use it to send email to another domain.

ASL does not control or configure this behavior in your mail server, it merely reports when this occurs. Therefore, if your mail server is rejecting mail from one of your users you will need to configure your mail server to allow relaying from the user. Please contact your mail server vendor for assistance with configuring your mail server.

Disabling this rule will not allow your users to relay mail. It will simply "silence" the alert in ASL, however the mail will still be rejected by your mail server.

Troubleshooting

False Positives

None.

Tuning Guidance

If you wish to not block these connections, just disable Active Response in the ASL rule manager.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

This technique is one of the oldest and most widely used methods to send spam. Systems that allow anyone to relay email through them are called "open relays", and are used by spammers to hide the true location of the spammer and to also "steal" the trust users may have in the server. Open Relays are commonly blocked by other mail servers, so if your system is set up as an open relay mail server you may find that you will not be able to send email to other systems. You should never run your mail server as an open relay, and instead you should authenticate your users and only allow authorized and authenticated users to relay mail through your server.

Example log messages

hostname postfix/smtpd[15871]: NOQUEUE: reject: RCPT from hostname[1.2.3.4]: 554 5.7.1 <hostname[1.2.3.4]>: Client host rejected: Access denied; from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<[1.2.3.4]>

host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[5.6.7.8]: 554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<spammer@spammer.com> proto=SMTP helo=

Personal tools