
Custom IPS Signature Sanity Check

Hi all,

I get a lot of brute force SMTP AUTH relay attacks on my inbound SMTP relay server.  The server itself (MDaemon SecurityGateway) programmatically blocks these servers if they fail AUTH a certain number of times, but since external clients sending to this server should never be trying to authenticate anyway, I figure why not just block these bozos at the edge with my XG firewall?  

I looked at the transaction log in SecurityGateway to see the attackers issue the SMTP command "AUTH LOGIN" to begin the login process.  Taking this, I created the following Custom Rule: dstport:25;content:"AUTH LOGIN";flow:to_server;

Following the documentation, my thinking is that since this traffic is inbound to my SMTP server, the "dstport" should be 25, the "content" I'm looking for is the "AUTH LOGIN" command, and I'm not sure if it's needed, but I added the "flow:to_server" since the traffic I'm looking at should be flowing to the server from the client and not bi-directional or "to_client."  This may be unnecessary?  And finally I set the rule to drop the session.

So far, looking at the IPS log, I am seeing the expected suspects being caught by the rule and dropped, and looking at the log on my SMTP server I am no longer seeing the SMTP AUTH brute force attacks, so it appears the rule is doing what I intended for it to.  I am also still receiving and sending good mail as expected. 

Since this is my first Custom IPS Signature though, I thought I'd ask here if I did it right or if I made any rookie or obvious mistakes that could bite me later?  Thanks in advance.
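As an added illustration (not from the post, Sophos, or MDaemon), the model below applies the logic of the rule `dstport:25;content:"AUTH LOGIN";flow:to_server;` to constructed SMTP sessions, so you can see what a plain content match catches, what it misses, and where it over-matches. Sessions are modelled as the list of lines the client sent to the server; the `nocase` option is Snort's and is assumed, not confirmed, to be accepted by the XG custom signature syntax.

```python
"""Added example: models the post's custom IPS rule against constructed SMTP
sessions. Not real captures and not the firewall's own matching engine."""
import re

DST_PORT = 25
CONTENT = "AUTH LOGIN"

# Assumption: a session is {"dstport": int, "to_server": [lines the client sent]},
# i.e. only the flow:to_server direction is modelled.
def content_match(session, nocase=False):
    """Plain substring match, as the post's rule does (case-sensitive by default)."""
    if session["dstport"] != DST_PORT:
        return False
    payload = "\r\n".join(session["to_server"])
    if nocase:  # Snort-style 'nocase' modifier; assumed, not confirmed, for XG
        return CONTENT.lower() in payload.lower()
    return CONTENT in payload

def command_match(session):
    """Stricter variant: fire only when AUTH LOGIN is an SMTP command line.
    Case-insensitive because SMTP verbs are case-insensitive (RFC 5321)."""
    if session["dstport"] != DST_PORT:
        return False
    verb = re.compile(r"^AUTH\s+LOGIN\b", re.IGNORECASE)
    return any(verb.match(line) for line in session["to_server"])

# Constructed sample sessions covering the cases worth checking.
SESSIONS = {
    "brute_force":  {"dstport": 25, "to_server": ["EHLO x", "AUTH LOGIN"]},
    "lowercase":    {"dstport": 25, "to_server": ["EHLO x", "auth login"]},
    "legit_mail":   {"dstport": 25, "to_server": ["EHLO mx.example", "MAIL FROM:<a@example.com>",
                                                  "RCPT TO:<b@example.net>", "DATA", "Subject: hi", "", "see you", "."]},
    # message body that merely mentions the string; the bare content match fires on it
    "body_mention": {"dstport": 25, "to_server": ["EHLO mx.example", "MAIL FROM:<a@example.com>",
                                                  "RCPT TO:<b@example.net>", "DATA", "", "our client sends AUTH LOGIN first", "."]},
    # legitimate authenticated submission on 587 is outside dstport:25, so never dropped
    "submission":   {"dstport": 587, "to_server": ["EHLO x", "AUTH LOGIN"]},
}

def evaluate(matcher, **kw):
    """Run one matcher over every sample session and return {name: matched}."""
    return {name: matcher(s, **kw) for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for label, matcher, kw in [("content", content_match, {}),
                               ("content nocase", content_match, {"nocase": True}),
                               ("command line", command_match, {})]:
        print(label, evaluate(matcher, **kw))
```

The plain match misses a lowercase verb and fires on a message body that happens to contain the string, while matching the verb at the start of a line with `nocase` keeps the rule tied to the actual command.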

 



This thread was automatically locked due to age.
  • I used that doc to create it.  Everything still seems to be working as expected, so at this point I think I've accomplished what I set out to; I was just hoping that somebody out there who has done it could tell me "yep, looks right" or "why on earth did you do X?"  
