postfix-helo-rejected Configuration

« postfix-helo-rejected »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:postfixspoofable:0MITRE:T1595MITRE:T1592confidence:2

Detect HELO rejections

Installation

cscli scenarios install crowdsecurity/postfix-helo-rejected

Description

Postfix helo rejected is a log message generated when a client sends a HELO or EHLO command that is rejected by the server. This can happen for a variety of reasons, such as the client using an invalid hostname or the server being configured to reject certain types of HELO commands.

You can see the configuration for the restrictions placed on HELO commands within https://www.postfix.org/postconf.5.html#smtpd_helo_restrictions

YAML Configuration

1# postfix helo rejected because it did not match postfix restrictions
2type: leaky
3name: crowdsecurity/postfix-helo-rejected
4description: "Detect HELO rejections"
5filter: "evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject' && evt.Meta.reason startsWith 'Helo command rejected'"
6references:
7  - https://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
8groupby: evt.Meta.source_ip
9capacity: 1
10leakspeed: 600s
11blackhole: 1m
12reprocess: false
13labels:
14  service: postfix
15  remediation: true
16  confidence: 2
17  spoofable: 0
18  classification:
19  - attack.T1595
20  - attack.T1592
21  behavior: "smtp:spam"
22  label: "Postfix Helo Rejected"
23

Hub configuration

« postfix-helo-rejected »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:postfixspoofable:0MITRE:T1595MITRE:T1592confidence:2

« postfix-helo-rejected »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:postfixspoofable:0MITRE:T1595MITRE:T1592confidence:2