#1
Master Untangler
Join Date: Nov 2009
Location: Lisbon, Portugal
Posts: 131
Hi.
I've noticed some SMTP blocked attacks since yesterday, more exactly #3461 SMTP Content-Type overflow attempt and #11837 SMTP MS Windows Mail UNC navigation remote command execution, which, reading the attack info, I can relate to crafted e-mails with specific links to exploit these vulnerabilities.

Now, my good friend, the intrusion prevention module has swiftly blocked these e-mails (which I suspect might be just a few), but I wanted to understand exactly what 'block' means in this context. Will it cut the connection? Will it reply with an error string (i.e. 450 - Go F-yourself)? I suspect it will cut the connection, hence the repeated knocks while our upstream MTA tries to deliver the enqueued e-mail(s). Can you confirm what the action is?

Also, is there any way to query intrusion prevention logs to collect some stats (like number of events per internal IP, category percentage, destinations, etc.)?

Thanks guys
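The stats asked for in the post above (events per internal IP, category percentage, destinations) can be pulled from an export of the IPS events; the script below is an added example, not Untangle's own reporting or log format. It assumes a constructed whitespace-separated export with one event per line (timestamp, internal server IP, remote sender IP, signature id, category, action) and additionally counts repeated blocks of the same remote/internal/signature triple, which is what a sending MTA retrying after a reset connection looks like in the log.

```python
from collections import Counter

# Constructed sample events (not Untangle's real log format). Fields:
# timestamp, internal (server) IP, remote (sender MTA) IP, signature id, category, action.
SAMPLE_EVENTS = """\
2011-10-04T08:12:01 10.0.0.25 203.0.113.7 3461 smtp block
2011-10-04T08:14:33 10.0.0.25 203.0.113.7 3461 smtp block
2011-10-04T08:20:10 10.0.0.25 198.51.100.9 11837 smtp block
2011-10-04T09:02:45 10.0.0.40 198.51.100.9 11837 smtp block
2011-10-04T09:30:00 10.0.0.25 192.0.2.15 2003 web-client log
"""


def parse_events(text):
    """Parse the constructed export into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, internal_ip, remote_ip, sid, category, action = line.split()
        events.append({"ts": ts, "internal_ip": internal_ip, "remote_ip": remote_ip,
                       "sid": sid, "category": category, "action": action})
    return events


def summarize(events):
    """Aggregate blocked events per internal IP and remote sender, category share,
    and repeated blocks of the same sender/server/signature (a retrying MTA)."""
    blocked = [e for e in events if e["action"] == "block"]
    total = len(events)
    category_counts = Counter(e["category"] for e in events)
    # Same sender hitting the same server with the same signature more than once:
    # consistent with the upstream MTA retrying after the IPS reset the connection.
    triples = Counter((e["remote_ip"], e["internal_ip"], e["sid"]) for e in blocked)
    return {
        "blocked_per_internal_ip": Counter(e["internal_ip"] for e in blocked),
        "blocked_per_remote_ip": Counter(e["remote_ip"] for e in blocked),
        "category_pct": {c: round(100.0 * n / total, 1) for c, n in category_counts.items()},
        "repeated_blocks": {k: n for k, n in triples.items() if n > 1},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(key, dict(value))
```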
#2
Untanglit
Join Date: Sep 2011
Posts: 15
I get a lot of these too. I suspect it blocks the connection so that the sending server tries to send and resend and eventually returns an NDR to the user. I was sort of worried these might be legitimate emails, but I haven't had any complaints so far.
#3
Untangle Junkie
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,612
It just resets the connection.
More likely to be a false positive than a true positive.