Rejected Emails Monitor (10028 / 20028)

Description

This Module detects external hosts whose emails are rejected by internal mail servers. It monitors ingress TCP traffic to destination ports 25 or 465. The Module reports every sender and provides consolidated information (source IP and the number of rejected emails) over a time interval.

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec |

Input

Cisco ASA NSEL flow-denied template, and Palo Alto Networks IPv4 Traffic templates: IPv4 Standard (Template ID 256) and IPv4 Enterprise (Template ID 257)

Syslog/JSON Message Fields

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | "nfc_id=20028" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| dest_ip | Destination host IPv4 address | <IPv4_address> |
| denied_count | Number of rejected emails | <number> |
| t_int | Observation time interval, msec | <number> |
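The selection rule from the Description and the output fields from the table above, worked through as an added Python example (not the Module's own code): it filters constructed denied-flow records down to ingress TCP flows to ports 25/465, consolidates them per exporter/source/destination over one collection interval, and renders the message in the key=value and JSON shapes listed. The record field names (`proto`, `dst_port`, `ingress`, `denied`) and the per-destination grouping are assumptions for the example, not template field names.

```python
import json
from collections import Counter

# Constants taken from the Module description on this page.
NFC_ID = 20028            # message type identifier of this Module's output
TCP = 6                   # IP protocol number for TCP
SMTP_PORTS = {25, 465}    # destination ports the Module watches

def flow(src, dst_port, proto=TCP, ingress=True, denied=True,
         exp="10.0.0.1", dst="10.1.1.25"):
    """Build one constructed flow record (field names are assumptions)."""
    return {"exp_ip": exp, "src_ip": src, "dst_ip": dst, "proto": proto,
            "dst_port": dst_port, "ingress": ingress, "denied": denied}

# Constructed sample: what a collector might hand the Module after decoding
# NSEL / PAN-OS traffic templates. Comments say whether each row counts.
SAMPLE_FLOWS = [
    flow("203.0.113.7", 25),                 # counted
    flow("203.0.113.7", 25),                 # counted
    flow("203.0.113.7", 465),                # counted (port 465)
    flow("203.0.113.7", 587),                # port 587 is not watched
    flow("203.0.113.7", 25, denied=False),   # permitted flow, not a rejection
    flow("203.0.113.7", 25, ingress=False),  # outbound, not an external sender
    flow("203.0.113.7", 25, proto=17),       # UDP, Module is TCP-only
    flow("198.51.100.9", 465),               # second sender, counted once
]

def is_rejected_email(f):
    """Module selection rule: denied ingress TCP flow to port 25 or 465."""
    return (f["ingress"] and f["denied"] and f["proto"] == TCP
            and f["dst_port"] in SMTP_PORTS)

def consolidate(flows, t_int_ms):
    """One message per (exporter, source, destination) for an interval of
    t_int_ms milliseconds, using the keys from the Syslog/JSON table."""
    counts = Counter((f["exp_ip"], f["src_ip"], f["dst_ip"])
                     for f in flows if is_rejected_email(f))
    return [{"nfc_id": NFC_ID, "exp_ip": e, "src_ip": s, "dest_ip": d,
             "denied_count": n, "t_int": t_int_ms}
            for (e, s, d), n in sorted(counts.items())]

def to_syslog(msg):
    """Render as the key=value style the table shows (nfc_id=20028 ...)."""
    return " ".join(f"{k}={v}" for k, v in msg.items())

def to_json(msg):
    return json.dumps(msg, sort_keys=True)

if __name__ == "__main__":
    for m in consolidate(SAMPLE_FLOWS, 30_000):   # 30 sec default interval
        print(to_syslog(m))
        print(to_json(m))
```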