Rejected Emails Monitor (10028 / 20028)

Description

This Module detects external hosts whose emails are rejected by internal mail servers. It monitors ingress TCP traffic to destination ports 25 or 465. The Module reports all email senders and provides consolidated information (source IP and the number of rejected emails) over a time interval.

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec |

Input

Cisco ASA NSEL flow denied template, and the Palo Alto Networks IPv4 Traffic Templates: IPv4 Standard (Template ID 256) and IPv4 Enterprise (Template ID 257).

Syslog/JSON Message Fields

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | "nfc_id=20028" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| dest_ip | Destination host IPv4 address | <IPv4_address> |
| denied_count | Number of rejected emails | <number> |
| t_int | Observation time interval, msec | <number> |
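
The following is an added example, not part of the product documentation: one way a consumer of these messages could aggregate them per sender and normalize denied_count by t_int into a per-minute rate. It assumes the JSON form arrives as one object per line with the keys listed above; the summarize function, the 60-per-minute threshold and the sample records are constructed for illustration.

```python
import json

# Constructed sample records (not real traffic); IPs are RFC 5737 documentation addresses.
SAMPLE = [
    '{"nfc_id": 20028, "exp_ip": "192.0.2.1", "src_ip": "203.0.113.7", "dest_ip": "198.51.100.25", "denied_count": 40, "t_int": 30000}',
    '{"nfc_id": 20028, "exp_ip": "192.0.2.1", "src_ip": "203.0.113.7", "dest_ip": "198.51.100.26", "denied_count": 10, "t_int": 30000}',
    '{"nfc_id": 20028, "exp_ip": "192.0.2.1", "src_ip": "203.0.113.99", "dest_ip": "198.51.100.25", "denied_count": 2, "t_int": 30000}',
    '{"nfc_id": 99999, "exp_ip": "192.0.2.1", "src_ip": "203.0.113.50"}',  # constructed id for some other message type
    '{"nfc_id": 20028, "src_ip": "203.0.113.60", "dest_ip": "198.51.100.25", "denied_count": 5, "t_int": 0}',  # unusable interval
    'truncated {"nfc_id": 2002',  # malformed line
]

def summarize(lines, per_min_threshold=60.0):
    """Aggregate nfc_id=20028 records per src_ip and flag senders whose peak
    rejection rate (per record, scaled to one minute) reaches the threshold."""
    senders = {}
    for line in lines:
        try:
            rec = json.loads(line)
            if int(rec["nfc_id"]) != 20028:
                continue  # a different message type
            src, dst = str(rec["src_ip"]), str(rec["dest_ip"])
            denied, t_int_ms = int(rec["denied_count"]), int(rec["t_int"])
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, not an object, or a field is missing or non-numeric
        if t_int_ms <= 0 or denied < 0:
            continue  # no rate can be derived from this record
        rate = denied * 60000.0 / t_int_ms  # t_int is in msec
        s = senders.setdefault(src, {"rejected": 0, "dests": set(), "peak": 0.0})
        s["rejected"] += denied
        s["dests"].add(dst)
        s["peak"] = max(s["peak"], rate)
    return {
        src: {"rejected": s["rejected"], "destinations": len(s["dests"]),
              "peak_per_min": s["peak"], "flagged": s["peak"] >= per_min_threshold}
        for src, s in senders.items()
    }

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE).items()):
        print(src, info)
```

Scaling by t_int keeps the threshold meaningful when the Data Collection Interval is changed, since the same sender produces a larger denied_count over a longer interval.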