topic Re: Palo alto can detect SPAM in General Topics

Palo alto can detect SPAM

soporteseguridad — Wed, 19 Jun 2013 12:43:51 GMT

Hi i have a doubt about Palo Alto. Yesterday we realised that there was a massive spam sending from our email servers. This is the second incident of its kind in recent days. The question is whether the Paloalto can do some kind of test to detect this type of behavior, is able to examine headers or something like that?, There is some kind of filter on that? What is the best solution that i could take??

Thanks so much.

Re: Palo alto can detect SPAM

Gregoux — Wed, 19 Jun 2013 13:31:18 GMT

Paloalto don't help you for that

refer to https://live.paloaltonetworks.com/message/12044#12044

Re: Palo alto can detect SPAM

HITSSEC — Wed, 19 Jun 2013 14:19:12 GMT

Network monitoring of you SMTP gateway outbound queue is a start (not a PA solution). The other options PA based include:

1) Using the ACC monitoring SMTP connections from the inside SMTP gateways to show # of connections, destination countries, etc...
2) Using Session Browser (under Monitor tab) to monitor the number of active outbound SMTP connections from your SMTP gateway(s)

3) Once you know your baseline you can use resource protection (part of DOS protection ) to limit number of concurrent smtp connections you will allow outbound from your SMTP gateway. Logging will tell you when it is actived.

Hope this helps.

Phil

Re: Palo alto can detect SPAM

mikand — Wed, 19 Jun 2013 19:10:32 GMT

You could also create a custom IPS signature to get a alert when mails are being sent that contains a specific term or terms.

Other than that get a proper antispam solution is the way to block both inbound aswell as any outbound spam attempts.

Popular solutions seems to be Ironport and Halon among others...

Re: Palo alto can detect SPAM

soporteseguridad — Wed, 19 Jun 2013 19:11:50 GMT

Hi, Thanks for your answer.

How can I limit number of concurrent smtp in PA?

Thanks.

Re: Palo alto can detect SPAM

HITSSEC — Wed, 19 Jun 2013 21:44:29 GMT

Take a look at the following threads:

https://live.paloaltonetworks.com/docs/DOC-1746

https://live.paloaltonetworks.com/docs/DOC-4574

I configured it for inbound smtp traffic but you can easily change it for outbound traffic. The DOS rule you create would just apply to outbound SMTP traffic based on your situation. Hope this helps?

Phil

Re: Palo alto can detect SPAM

cchristiansen — Thu, 20 Jun 2013 03:44:26 GMT

Hello soporteseguridad,

I have had quite a few questions on this topic recently and have tried lots of things. Unfortunately none have been very helpful. The problem with most spam is that it is valid email (not malware), just lots of it, and unsolicited. Here are a few options that may or may not help.

1.) The answer given by HITSSEC was one that it thought would be a great idea, though I tried it, and had very weak results. The problem was, that even when metering SMTP traffic down to something like 2pps, I was still able to pass out 80+ emails out of 100 in a couple of seconds..Not very helpful. In addition, if your spamming from an SMTP(postfix) type server, the server will just keep trying to deliver the messages. It will eventually succeed after your DoS rule timeout happens. I tested this with a postfix server running on my Mac (and a handy spam script), behind my PA-200 with a DoS policy. It didn't matter how much I decreased the allowed pps, the policy did not prevent spamming - just slowed it down some.

2.) Dynamic block lists. This is an option available in 5.x and could be useful if you are trying to block email being sent to known relay servers, or from known IPs. If you were so inclined, I imagine you could pull a list with a script (curl or wget) from a site that tracks spammers and make that file available on a webserver that your firewall has access to. Then, add that path to your security rule as a dynamic block list. This will of course not be helpful if the spam is being sent from dynamic (changing) IPs.

See KB here:

3.) Dynamic address objects. Also in 5.x, you can have a dynamic address object in your security rule which can be updated via a script using the XML API on the firewall. This could be an option if you had a method (external to the firewall) to detect and identify spammer IPs. I have seen people use this feature to great success in conjunction with Splunk and the PaloAlto app for splunk (which contains a python script for updating dynamic address objects). See KB here for info on dynamic address objects: Dynamic Address Objects

Hope this helps,

-chadd.

Re: Palo alto can detect SPAM

HITSSEC — Thu, 20 Jun 2013 13:04:34 GMT

Hello soporteseguridad,

I realized that DOS protection will only limit the flow of outbound spam as the SMTP gateway will retry later. Other than a spam filtering solution or a lot of custom SMTP related signatures, your best bet may be a monitoring approach.

Phil

Re: Palo alto can detect SPAM

mikand — Thu, 20 Jun 2013 16:47:14 GMT

Another variant could be to whitelist destinations. That will of course doesnt help if the spam goes to a specific domain which already is whitelisted but still... a variant of this could be to also use geoip as dstip's (but again, wont help if the spam goes out to these you have already whitelisted).

Re: Palo alto can detect SPAM

MCmgt — Wed, 02 Apr 2014 13:59:54 GMT

Re: ineffectiveness of DoS

I think the point is not to prevent sending spam but to be alerted that you are sending spam. Once you know you have a compromised machine you can take care of the real problem. The spam is just a symptom of a bigger problem.