Rule: -- Sid: 567 -- Summary: This event is generated when a failed attempt is made to use a Simple Mail Transfer Protocol (SMTP) server to relay mail to a third party. -- Impact: Rejected of unauthorized use. This event indicates that an SMTP server is properly configured to reject mail relay attempts. -- Detailed Information: An attacker may attempt to use an improperly configured SMTP server to relay mail, reflecting the origin of the mail to be the relay SMTP server instead of the actual sender. A poorly configured SMTP server may be used to relay spam and other undesirable mail. If an SMTP server rejects relay attempts, it will return an error message indicating the failure. -- Affected Systems: SMTP servers -- Attack Scenarios: An attacker may attempt to relay mail through an improperly configured SMTP server. -- Ease of Attack: Simple -- False Positives: None Known -- False Negatives: An SMTP server may reject mail using other errors. -- Corrective Action: Configure an SMTP server to reject relayed mail. -- Contributors: Original rule written by Max Vision <vision@whitehats.com> Modified by Brian Caswell <bmc@sourcefire.com> Snort documentation contributed by Chaos <c@aufbix.org> Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References: Arachnids http://www.whitehats.com/info/IDS249 Miscellaneous http://mail-abuse.org/tsi/ar-fix.html --