Rejected Emails Monitor (10028 / 20028)
Description
This Module detects external hosts whose emails are rejected by internal mail servers. It monitors ingress TCP traffic to destination ports 25 or 465. The Module reports every email sender and provides consolidated information (source IP and the number of rejected emails) over a time interval.
Parameters
Parameter Name | Description | Comments |
---|---|---|
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec |
Input
Cisco ASA NSEL flow-denied template, and Palo Alto Networks IPv4 Traffic Templates: IPv4 Standard (Template ID 256) and IPv4 Enterprise (Template ID 257)
Syslog/JSON Message Fields
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20028" |
exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
src_ip | Source host IPv4 address | <IPv4_address> |
dest_ip | Destination host IPv4 address | <IPv4_address> |
denied_count | Number of rejected emails | <number> |
t_int | Observation time interval, msec | <number> |
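As an added example (not part of the module documentation), a small Python consumer for these messages: it parses both the key=value syslog form and the JSON form, keeps only nfc_id=20028 records, consolidates rejected counts per src_ip, and flags senders whose rejection rate within one interval (denied_count against t_int) reaches a threshold. The sample lines, addresses, counts and threshold are constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample: two syslog key=value messages, one JSON message, and one
# unrelated line. Field names are the documented ones; values are made up.
SAMPLE_LOG = """\
<134>Jan 10 10:00:05 nfo nfc_id=20028 exp_ip=10.0.0.1 src_ip=203.0.113.7 dest_ip=10.1.1.25 denied_count=12 t_int=30000
<134>Jan 10 10:00:05 nfo nfc_id=20028 exp_ip=10.0.0.1 src_ip=198.51.100.9 dest_ip=10.1.1.25 denied_count=3 t_int=30000
{"nfc_id": "20028", "exp_ip": "10.0.0.1", "src_ip": "203.0.113.7", "dest_ip": "10.1.1.26", "denied_count": 40, "t_int": 30000}
<38>Jan 10 10:00:36 nfo sshd[4242]: Accepted publickey for ops from 10.0.0.9
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_message(line):
    """Fields of one nfc_id=20028 message (JSON or key=value), else None."""
    line = line.strip()
    fields = json.loads(line) if line.startswith("{") else dict(KV_RE.findall(line))
    if str(fields.get("nfc_id")) != "20028":
        return None
    try:  # normalise numeric fields; drop malformed records rather than guess
        fields["denied_count"] = int(fields["denied_count"])
        fields["t_int"] = int(fields["t_int"])
    except (KeyError, ValueError):
        return None
    return fields

def consolidate(log_text):
    """Per src_ip: total rejected emails and the highest rejections-per-minute
    seen in any single interval (t_int is in milliseconds)."""
    stats = defaultdict(lambda: {"total": 0, "peak_per_min": 0.0})
    for line in log_text.splitlines():
        rec = parse_message(line)
        if rec is None or rec["t_int"] <= 0:
            continue
        s = stats[rec["src_ip"]]
        s["total"] += rec["denied_count"]
        s["peak_per_min"] = max(s["peak_per_min"],
                                rec["denied_count"] * 60000 / rec["t_int"])
    return dict(stats)

def flag_senders(log_text, per_minute_threshold):
    """Sorted src_ip values whose peak rejection rate reaches the threshold."""
    return sorted(ip for ip, s in consolidate(log_text).items()
                  if s["peak_per_min"] >= per_minute_threshold)
```

Tune the threshold to the observed baseline of legitimate senders so that a single burst of bounces from a mailing list does not trigger on its own.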