System Rule: Client Exploit - Mass Mailing Worm

joelewko98 · ‎10-23-2008

Hello all,

The rule System Rule: Client Exploit - Mass Mailing Worm, fires quite often in my setup of mars, and I havent really been able to setup any trends, as we have a large base of legit mail traffic. Im worried I will filter out legit mail IP's by setting up ACL's, and on the flip side I dont want miss any events if I fine tune to not alert and log to db only.

Does anybody have a similar scencario? If so how do you go about baselining the mail traffic, and/or tweaking the rule to benefit your environment (20 count in this rule seems kind of low to me..?)

Thanks

Farrukh Haroon · ‎10-24-2008

This event is mostly generated by the DENY ACL events reported from firewalls. You have to make 'Drop Rules' in MARS to tune false positives or should I say 'don't care' events.

For example at one site we had a customer guest zone (wireless), it generated the most amount of such events, so had to make a drop rule for that zone after making sure the ACL was as specific as possible. After all do I care if a contractor forgot to close his p2p software? (as long as its blocked).

Regards

Farrukh

rajett · ‎10-29-2008

Hi,

What IP addresses is it alerting on? Are these IP addresses the addresses for your legitimate servers?

If an excessive amount of emails are sent by a single host (>20 per minute) then the rule fires.

This is indicative of someone doing a mass mailing from a PC or a worm/virus spreading by sending emails out to everyone in your contacts list.

To tune it, you'll need to create a group of mail server hosts and create an exception for those hosts in the Source IP field of the rule.

The downside to tuning is that if those machines get infected by a mass mailing worm/virus then the messages will be tuned out as part of the exception.

Raymond

joelewko98 · ‎11-12-2008

Raymond,

In the environment I am in (and I am guessing most people are in) we get legitimate email from outside mail servers that fires this rule often. We are a mid to large size company so we get alot of mail flow. The problem is that the legitimate mail comes in from all over especially to our marketing department and varies week to week (sometimes day to day), I am sure that this is common with other users setups ( no? anybody have the same environment? ).

I am just curious as to how to "tune" this rule to still be alert for mass mailing, but rule out any normal traffic.

Is setting the count to 50 to high? Would setting the rule to only check for Internal IP's be an accurate way to look for mass mailing worms?

Appreciate any advise (sorry for the delay in responding)

jnommensen · ‎11-12-2008

Are there common destinations for your email traffic? I have been able to successfully tune out legit mail traffic while catching compromised email accounts sending spam by copying the rule and adjusting the threshold. All of our mail goes through our mail encryption servers and gets sent to relays from there so these two servers are the only sources I have to focus on. I also made a custom hourly report that has these two servers as the source. Now when the copied rule is triggered I can look at the report and get a pretty detailed graph in near real time that shows how big a spike we are seeing in SMTP and make a judgment on whether it's spam activity or not.