Skip to main content
Version: 2.9.1

Unauthorized Mail Servers Monitor (10027 / 20027)


This Module detects internal hosts running unauthorized mail servers. It monitors ingress traffic over TCP protocol and destination ports 25 or 465 sent to hosts which are not designated mail servers. The Module reports all detected unauthorized email servers.


Parameter NameDescriptionComments
Data Collection Interval, secModule logic execution intervalmin = 10 sec, max = 3600 sec, default = 600 sec
Known local mail servers (ipv4_dst_addr) listList of IP addresses of known mail servers to be excluded from reporting


NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

Information Element (IE)IE idIE size, BDescription
destinationIPv4Address124The IPv4 destination address in the IP packet header
protocolIdentifier41The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.
destinationTransportPort112The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetDeltaCount14 or 8The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.

Syslog/JSON Message Fields

KeyField DescriptionComments
nfc_idMessage type identifier"nfc_id=20027"
exp_ipNetFlow exporter IPv4 address<IPv4_address>
dest_ipDestination host IPv4 address<IPv4_address>
bytes_outBytes total (Traffic)<number>
num_connNumber of flows initiated by the source host<number>
min_bytesMinimal bytes number in a flow<number>
max_bytesMaximum bytes number in a flow<number>
t_intObservation time interval, msec<number>