06-19-2013 05:43 AM
Hi i have a doubt about Palo Alto. Yesterday we realised that there was a massive spam sending from our email servers. This is the second incident of its kind in recent days. The question is whether the Paloalto can do some kind of test to detect this type of behavior, is able to examine headers or something like that?, There is some kind of filter on that? What is the best solution that i could take??
Thanks so much.
06-19-2013 06:31 AM
Paloalto don't help you for that
refer to https://live.paloaltonetworks.com/message/12044#12044
06-19-2013 07:19 AM
Network monitoring of you SMTP gateway outbound queue is a start (not a PA solution). The other options PA based include:
1) Using the ACC monitoring SMTP connections from the inside SMTP gateways to show # of connections, destination countries, etc...
2) Using Session Browser (under Monitor tab) to monitor the number of active outbound SMTP connections from your SMTP gateway(s)
3) Once you know your baseline you can use resource protection (part of DOS protection ) to limit number of concurrent smtp connections you will allow outbound from your SMTP gateway. Logging will tell you when it is actived.
Hope this helps.
Phil
06-19-2013 12:10 PM
You could also create a custom IPS signature to get a alert when mails are being sent that contains a specific term or terms.
Other than that get a proper antispam solution is the way to block both inbound aswell as any outbound spam attempts.
Popular solutions seems to be Ironport and Halon among others...
06-19-2013 12:11 PM
Hi, Thanks for your answer.
How can I limit number of concurrent smtp in PA?
Thanks.
06-19-2013 02:44 PM
Take a look at the following threads:
https://live.paloaltonetworks.com/docs/DOC-1746
https://live.paloaltonetworks.com/docs/DOC-4574
I configured it for inbound smtp traffic but you can easily change it for outbound traffic. The DOS rule you create would just apply to outbound SMTP traffic based on your situation. Hope this helps?
Phil
06-19-2013 08:44 PM
Hello soporteseguridad,
I have had quite a few questions on this topic recently and have tried lots of things. Unfortunately none have been very helpful. The problem with most spam is that it is valid email (not malware), just lots of it, and unsolicited. Here are a few options that may or may not help.
1.) The answer given by HITSSEC was one that it thought would be a great idea, though I tried it, and had very weak results. The problem was, that even when metering SMTP traffic down to something like 2pps, I was still able to pass out 80+ emails out of 100 in a couple of seconds..Not very helpful. In addition, if your spamming from an SMTP(postfix) type server, the server will just keep trying to deliver the messages. It will eventually succeed after your DoS rule timeout happens. I tested this with a postfix server running on my Mac (and a handy spam script), behind my PA-200 with a DoS policy. It didn't matter how much I decreased the allowed pps, the policy did not prevent spamming - just slowed it down some.
2.) Dynamic block lists. This is an option available in 5.x and could be useful if you are trying to block email being sent to known relay servers, or from known IPs. If you were so inclined, I imagine you could pull a list with a script (curl or wget) from a site that tracks spammers and make that file available on a webserver that your firewall has access to. Then, add that path to your security rule as a dynamic block list. This will of course not be helpful if the spam is being sent from dynamic (changing) IPs.
3.) Dynamic address objects. Also in 5.x, you can have a dynamic address object in your security rule which can be updated via a script using the XML API on the firewall. This could be an option if you had a method (external to the firewall) to detect and identify spammer IPs. I have seen people use this feature to great success in conjunction with Splunk and the PaloAlto app for splunk (which contains a python script for updating dynamic address objects). See KB here for info on dynamic address objects: Dynamic Address Objects
Hope this helps,
-chadd.
06-20-2013 06:04 AM
Hello soporteseguridad,
I realized that DOS protection will only limit the flow of outbound spam as the SMTP gateway will retry later. Other than a spam filtering solution or a lot of custom SMTP related signatures, your best bet may be a monitoring approach.
Phil
06-20-2013 09:47 AM
Another variant could be to whitelist destinations. That will of course doesnt help if the spam goes to a specific domain which already is whitelisted but still... a variant of this could be to also use geoip as dstip's (but again, wont help if the spam goes out to these you have already whitelisted).
04-02-2014 06:59 AM
Re: ineffectiveness of DoS
I think the point is not to prevent sending spam but to be alerted that you are sending spam. Once you know you have a compromised machine you can take care of the real problem. The spam is just a symptom of a bigger problem.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
