postfix-relay-denied Scenario

« postfix-relay-denied »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:postfixspoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect multiple open relay attempts

Installation

cscli scenarios install crowdsecurity/postfix-relay-denied

Description

Postfix relay denied access is a log message generated when a client tries to relay an email through the server without being authorized to do so. This can happen for a variety of reasons, such as the client not being authenticated or the server not being configured to allow relaying from the client's IP address.

Many bots and spammers try to exploit open relays to send spam emails, so it's important to monitor for these types of events and take action to prevent unauthorized relaying.

YAML Configuration

1# postfix relay access denied
2type: leaky
3name: crowdsecurity/postfix-relay-denied
4description: "Detect multiple open relay attempts"
5filter: "evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject' && evt.Meta.reason == 'Relay access denied'"
6references:
7  - https://en.wikipedia.org/wiki/Open_mail_relay
8groupby: evt.Meta.source_ip
9capacity: 1
10leakspeed: 600s
11blackhole: 1m
12reprocess: false
13labels:
14  service: postfix
15  remediation: true
16  confidence: 3
17  spoofable: 0
18  classification:
19  - attack.T1595
20  - attack.T1190
21  behavior: "smtp:spam"
22  label: "Postfix Relay Denied"
23

Hub configuration

« postfix-relay-denied »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:postfixspoofable:0MITRE:T1595MITRE:T1190confidence:3

« postfix-relay-denied »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:postfixspoofable:0MITRE:T1595MITRE:T1190confidence:3