Purpose: Ensure that you know about devices initiating direct email connections to the internet.
Check the Report: Verify if there are workstations or unauthorized servers sending traffic on port 25.
Approve or Update: Confirm that all the computers listed are legitimate Mail Transfer Agents (MTAs) or Secure Email Gateways.
Why Important: Validating and baselining the environment enables effective SMTP monitoring by the SOC.
Review the list of computers initiating outbound traffic on TCP port 25 (SMTP).
Verify that there are only authorized mail servers on this list.
Provide your SOC team with the entire list of authorized mail servers/relays in your organization in CSV format.
This report provides continuous monitoring of all outbound SMTP (port 25) activity originating from computers and servers connected to your organization's network.
"Suspicious Outbound SMTP Connections" is designed to show you the email traffic attempting to leave your network directly, rather than through your mail gateway. It is important to confirm that every host listed in the report is an authorized mail server. Follow this guide to understand what "Suspicious SMTP Activity" covers, then generate the report and provide your SOC team with the complete list of authorized mail servers (hostnames) and, for each, the process from which SMTP traffic legitimately originates within your organization.
Data Exfiltration: Malware often uses SMTP to exfiltrate stolen sensitive data directly to an attacker-controlled email address.
Spambots: Infected computers are frequently used as part of a botnet to send spam emails, which can lead to your organization's IP addresses being placed on real-time blackhole lists (RBLs).
Command and Control (C2): Some malware strains use SMTP as a communication channel to receive commands from attackers.
Bypass of Security Controls: Direct outbound SMTP connections bypass your Secure Email Gateway (SEG), meaning this traffic is not scanned for viruses, DLP (Data Loss Prevention), or other security policies.
Shadow IT: Unauthorized applications or "Shadow IT" servers may be configured to send emails directly, creating unmonitored communication channels.
Monitoring Best Practices
Centralized Email Flow: Ensure all email traffic is routed through a central Secure Email Gateway or authorized Exchange servers.
Firewall Policy: Implement a "Deny All" policy for outbound traffic on port 25 at the firewall level, creating exceptions only for your authorized mail servers.
Asset Management: Maintain an up-to-date inventory of all servers authorized to send email.
Application Configuration: Configure internal applications (printers, scanners, alerts) to relay mail through an internal SMTP server rather than connecting directly to the internet.
Action
Suspicious Outbound SMTP Report
Generate a report of all the suspicious SMTP activity on your network.
ESM: /All Reports/Mobula/Windows/Network Connection/Suspicious Outbound SMTP Connections V2
In the Navigator, go to Reports and open the path above.
Choose an output format (PDF, for example), then adjust the custom parameters: specify the time period and the customer for which to generate the report.
The report will include four columns: Device Host Name (source), Parent and Child Process Names (application identification), and a Count of occurrences to quantify SMTP traffic volume.
Example Mail Transfer Agents (MTAs) for Exclusion
Authorized Exchange Servers
Secure Email Gateways (SEGs) (e.g., Proofpoint, Mimecast, IronPort)
Marketing/Newsletter Servers (if explicitly authorized to send direct mail)
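To triage the generated report against the authorized-MTA list described above, here is an added example script (not part of the original guide or of the ESM product). It assumes the report was exported to CSV with the four columns named as in the constructed sample below, and that the SOC allowlist CSV carries a hostname and the process expected to originate SMTP on that host; both data sets are constructed for illustration.

```python
import csv
import io

# Constructed sample of a CSV export of the report (column names are assumed).
REPORT_CSV = """Device Host Name,Parent Process Name,Process Name,Count
mx01.corp.example,services.exe,edgetransport.exe,18342
seg01.corp.example,systemd,postfix,9920
ws-finance-17.corp.example,explorer.exe,outlook.exe,3
ws-hr-04.corp.example,explorer.exe,svchost.exe,412
mx01.corp.example,cmd.exe,powershell.exe,27
"""

# Constructed allowlist in the CSV form the SOC asks for: hostname plus the
# process that legitimately originates SMTP traffic on that host.
AUTHORIZED_CSV = """hostname,process
mx01.corp.example,edgetransport.exe
seg01.corp.example,postfix
"""


def load_authorized(text):
    """Map lowercase hostname -> set of expected SMTP-originating processes."""
    allowed = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["hostname"].strip().lower()
        allowed.setdefault(host, set()).add(row["process"].strip().lower())
    return allowed


def triage_report(report_text, authorized_text):
    """Return (host, process, count, reason) for every row needing review.

    A row is flagged when the host is not an authorized MTA at all, or when an
    authorized MTA is sending SMTP from a process other than its mail daemon
    (a common sign of tooling or malware running on the mail server itself).
    """
    allowed = load_authorized(authorized_text)
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        host = row["Device Host Name"].strip().lower()
        proc = row["Process Name"].strip().lower()
        count = int(row["Count"])
        if host not in allowed:
            findings.append((host, proc, count, "host not in authorized MTA list"))
        elif proc not in allowed[host]:
            findings.append((host, proc, count, "unexpected process on authorized MTA"))
    # Highest-volume senders first, so spambots surface above one-off events.
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for host, proc, count, reason in triage_report(REPORT_CSV, AUTHORIZED_CSV):
        print(f"{count:>6}  {host:<30} {proc:<20} {reason}")
```

Hosts that appear only because the allowlist is incomplete should be added to the CSV handed to the SOC, not silenced in the script.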
General Recommendations
Egress Filtering: Strictly enforce firewall rules that block TCP port 25 from all internal IPs except designated mail servers.
Internal Relaying: Set up an internal SMTP relay for printers and applications, preventing them from needing direct internet access.
Traffic Analysis: Monitor for traffic on port 25 that is not SMTP (protocol mismatch), which often indicates malware tunneling.
Rate Limiting: Implement rate limiting on internal relays to detect compromised hosts trying to flood the network with spam.
DLP Implementation: Ensure all outbound mail goes through a gateway that enforces Data Loss Prevention policies.
Regular Audits: Periodically audit firewall rules to ensure no temporary "allow" rules for SMTP were left open.
Employee Training: Educate staff on the dangers of enabling "scan to email" or "alert to email" features on devices without consulting IT.
Troubleshooting:
The report is empty
No SMTP Traffic Detected (TCP/25): No devices attempted direct-to-internet mail delivery during the time period selected for the report.