Results 1 to 6 of 6

Thread: Capture Email content yet block the mail

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002

    Capture Email content yet block the mail

    My Boss came to me with an interesting one this morning and I thought that this may be of use to someone else in the future:-

    The Situation: An ex-exployee is sending inappropriate, obscene, threatening etc. emails to a group of existing employees. Boss does not want the emails to reach the intended recipients due to the offensive content _but_ Boss want's to see the content so that she can tell if the offender is "escalating" the attack.

    The Environment: I have two options to block the mail.

    1. I can place a "denied from" rule in on the Firewall's SMTP proxy. This will block the mail by the sender but the data itself will not be sent because the firewall sender an error "Sender not allowed" terminating the email transaction prior to the transmission of the data itself. Thus, this won't work.

    2. I can place the sender on the Blacklist of the spam filter. The problem with this little solution is that I delete all email from the Blacklist. I can't alter the rule to keep the mail from an individual and delete the rest and I don't want to have to go through the mail every day looking for the sender.

    NOTE: I can't forward email "from" someone to another mailbox on Exchange Server or I would have done.

    The Solution: Trusty old Snort of course.... ;)

    Edit the snort.conf file for an external sensor and add an output plugin as follows:-

    output database: log, mysql, user=username dbname=dbname sensor_name=External sid=1 password=password host=

    This will capture the tagged packets we are about to create.

    In your local rules add the following rule, (make sure you have local rules enabled on the external sensor in it's snort.conf):-

    log tcp any any -> $SMTP_SERVERS 25 (msg: "Offensive Email Caprured"; flow: to_server; content: "from|3A|"; nocase; content: "baduser@hisdomain"; within: 50; tag: host,100,packets; classtype: bad-unknown;)

    This rule looks first for the content "from:" regardless of the case, (nocase). Then if, within 50 characters, (to capture the specific "Mail from: baduser@baduser.com" while not catching all the other stuff in the headers), it looks for the offender's email address.

    If it finds the appropriate content it then goes into action. The rule starts with "log" rather than "alert" so Snort will log the packet along with the content. But it goes further... It "Tags", (captures), the next 100 packets associated with the host and logs them to the database so the data session can be reconstructed.

    I tested this with both attachments and without. It easily captures the 20kb file I attached though it wouldn't capture a big picture or execuatable for example. It will capture the start of the attachmant and I should be able to identify the file type they tried to send even if I don't see the whole thing. If you want the whole thing change the "100" in the tag: statement to something you think is more appropriate.

    Hope someone finds this of use in the future.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Tiger~ and anyone else...............just PM me and I will set up a suitable receptacle

    Then we can have a look..............I worked at a place once where I got all sorts of stuff..........I was discrete............the guys played along...........they would just forward stuff they did not trust.

    I never let them down.............nor did I look at young Sue's photos..................and she was a fine looking young lady

    I believe it is called "trust" or something old fashioned like that?

  3. #3
    Senior Member
    Join Date
    Jan 2005

    A nice idea on extending the capabilities of the Tools

    A nice idea on extending the capabilities of such Tools

    Way-d-go TS!

    I'd remember one scenario with the idea that a programmer in my previous company have done to capture the data without interrupting the operation of the company. He had mention using his program (VB) to capture packets between the Network Controller Cards and the MS SQL Server (forgive me about missing some details here and if ever I might not answer as to how everything works, LoLz). I was just amazed how data is actually being retrieved without affecting the operation itself. Ofcourse someone could have decided to compromise the operation just to get the job done, but having a guy that is smart enough to do the work around really makes sense.

    \"Life without FREEDOM is no life at all\". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)

  4. #4
    Senior Member
    Join Date
    Mar 2005


    Great idea and nice work, Tigershark!

    Here's a question:

    What version of Exchange server was it?
    Beta tester of "0"s and "1"s"

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Exchange 2000
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    ********** |ceWriterguy
    Join Date
    Aug 2004
    VERY well done. Hope the boss gets to slam the ex-employee in court. Keep us posted?

    [edit] You must spread your AntiPoints around before giving it to Tiger Shark again. grrrrr. Someone green him for me?[/edit]
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts