Inbound Mail Spammers Monitor (10026 / 20026)

Description

This Module detects external hosts sending excessive email traffic to your organization. It monitors ingress TCP traffic to destination ports 25 or 465 that is addressed to the designated mail servers. The Module reports the top email senders and provides consolidated per-sender statistics over each time interval.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 3600 sec, default = 600 sec |
| N - number of reported inbound spammers | Top N (number of reported spammers) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
| Known local mail servers (ipv4_dst_addr) list | List of IP addresses of known mail servers to be monitored | |

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. |
| destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
| octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. |
| packetDeltaCount | 2 | 4 or 8 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20026" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| bytes_out | Bytes total (Traffic) | <number> |
| packets_out | Packets | <number> |
| num_conn | Number of flows initiated by the source host | <number> |
| min_bytes | Minimum bytes count of flows | <number> |
| max_bytes | Maximum bytes count of flows | <number> |
| t_int | Observation time interval, msec | <number> |
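The following is an added example, not the Module's own code: it applies the filter from the Description (TCP, destination port 25 or 465, destination in the known mail server list) to constructed flow records, aggregates the per-sender counters listed in the message field table, applies the Top N parameter, and renders the key=value message. The flow record layout, ranking senders by bytes_out, and the exporter address 192.0.2.1 are assumptions.

```python
from collections import defaultdict

TCP = 6                  # protocolIdentifier value for TCP
MAIL_PORTS = {25, 465}   # destinationTransportPort values the Module watches

def summarize_inbound_mail(flows, mail_servers, top_n=50, t_int_ms=600_000,
                           exp_ip="192.0.2.1"):
    """flows: dicts carrying the six required IEs as src_ip, dst_ip, proto,
    dst_port, bytes, packets. Returns one record per reported sender,
    ranked by bytes_out (assumed ranking); top_n=0 reports every sender."""
    per_src = defaultdict(lambda: {"bytes_out": 0, "packets_out": 0,
                                   "num_conn": 0, "min_bytes": None, "max_bytes": 0})
    for f in flows:
        # Only TCP to a mail port at a designated mail server is counted.
        if f["proto"] != TCP or f["dst_port"] not in MAIL_PORTS:
            continue
        if f["dst_ip"] not in mail_servers:
            continue
        s = per_src[f["src_ip"]]
        s["bytes_out"] += f["bytes"]
        s["packets_out"] += f["packets"]
        s["num_conn"] += 1                      # one flow = one initiated connection
        s["min_bytes"] = f["bytes"] if s["min_bytes"] is None else min(s["min_bytes"], f["bytes"])
        s["max_bytes"] = max(s["max_bytes"], f["bytes"])
    ranked = sorted(per_src.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    if top_n > 0:
        ranked = ranked[:top_n]
    return [dict(nfc_id=20026, exp_ip=exp_ip, src_ip=ip, t_int=t_int_ms, **s)
            for ip, s in ranked]

def to_syslog(rec):
    """Render a record as the key=value message described in the field table."""
    order = ["nfc_id", "exp_ip", "src_ip", "bytes_out", "packets_out",
             "num_conn", "min_bytes", "max_bytes", "t_int"]
    return " ".join(f"{k}={rec[k]}" for k in order)

# Constructed sample: 203.0.113.7 sends three flows to the mail server, 198.51.100.9
# sends one; 203.0.113.8 must be ignored (wrong host, UDP, and a non-mail port).
MAIL_SERVERS = {"10.0.0.25"}
SAMPLE_FLOWS = [
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.25", "proto": 6, "dst_port": 25, "bytes": 1200, "packets": 10},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.25", "proto": 6, "dst_port": 25, "bytes": 800, "packets": 7},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.25", "proto": 6, "dst_port": 465, "bytes": 3000, "packets": 20},
    {"src_ip": "198.51.100.9", "dst_ip": "10.0.0.25", "proto": 6, "dst_port": 25, "bytes": 500, "packets": 5},
    {"src_ip": "203.0.113.8", "dst_ip": "10.0.0.80", "proto": 6, "dst_port": 25, "bytes": 9000, "packets": 60},
    {"src_ip": "203.0.113.8", "dst_ip": "10.0.0.25", "proto": 17, "dst_port": 25, "bytes": 9000, "packets": 60},
    {"src_ip": "203.0.113.8", "dst_ip": "10.0.0.25", "proto": 6, "dst_port": 443, "bytes": 9000, "packets": 60},
]

if __name__ == "__main__":
    for rec in summarize_inbound_mail(SAMPLE_FLOWS, MAIL_SERVERS, top_n=1):
        print(to_syslog(rec))
```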