Hello,
I've got a CCR1009 acting as a NATing router between the Internet and some local LANs.
How can check if a LAN user is sending a large number of outbound emails (ie is spamming the world) ?
This CCR has no SMTP role: it just forwards packets on ports 587 or 465 or anything else but port 25, to some public SMTP servers.
Ideally, I would add a couple of FW rules that would count per Source IP, traffic aiming TCP ports 587 or 465 but :
I'm not interested in volume stats (sending email with large attachments is OK)
I would like to catch someone sending a single email to a large list of recipients.
Thoughts ?
Best regards
-
-
olivier2831
Member
- Posts: 312
- Joined:
Re: How can check if a LAN user is sending a large number of emails ?
You wont do this unless you do some sort of IDS/IPS interception (or forward the connections through a mailrelay of your own). You would either way need some TLS-interception aswell to inspect the content (most emails these days uses starttls between servers).
Sure you could probably get a counter of number of packets for a specific port but that wont tell you if its many small or one large email.
Same with if you would go with connections (and perhaps adjust the conntrack table so the session timeout will be very small for this particular rule like 10 seconds instead of hours) but here you will only see amount of outbound sessions and not if its a single session towards many recipients either in the BCC field or as multiple single mails through same connection (the sender doesnt necessary need to disconnect to send the next email).
Another option is to simply graph traffic on these ports to visually detect if its a steady flow of lets say outbound TCP25 (both in connections and in data) or if its just a peak for a few seconds once a day.
So you will get a vague idea if a particular client is sending "more" or "fewer" emails (depending on how often they send the emails) but not if its 1000 emails or 1 email unless you do some kind of interception (IDS/IPS with/without TLS-interception or mailrelay server).
Sure you could probably get a counter of number of packets for a specific port but that wont tell you if its many small or one large email.
Same with if you would go with connections (and perhaps adjust the conntrack table so the session timeout will be very small for this particular rule like 10 seconds instead of hours) but here you will only see amount of outbound sessions and not if its a single session towards many recipients either in the BCC field or as multiple single mails through same connection (the sender doesnt necessary need to disconnect to send the next email).
Another option is to simply graph traffic on these ports to visually detect if its a steady flow of lets say outbound TCP25 (both in connections and in data) or if its just a peak for a few seconds once a day.
So you will get a vague idea if a particular client is sending "more" or "fewer" emails (depending on how often they send the emails) but not if its 1000 emails or 1 email unless you do some kind of interception (IDS/IPS with/without TLS-interception or mailrelay server).
-
-
olivier2831
Member
- Posts: 312
- Joined:
Re: How can check if a LAN user is sending a large number of emails ?
Thank you very much for replying.
So, counting outbound emails doesn't look like an easy task !
I'll try to think again about it.
So, counting outbound emails doesn't look like an easy task !
I'll try to think again about it.