My Boss came to me with an interesting one this morning and I thought that this may be of use to someone else in the future:-

The Situation: An ex-employee is sending inappropriate, obscene, threatening etc. emails to a group of existing employees. Boss does not want the emails to reach the intended recipients due to the offensive content _but_ Boss wants to see the content so that she can tell if the offender is "escalating" the attack.

The Environment: I have two options to block the mail.

1. I can place a "denied from" rule on the Firewall's SMTP proxy. This will block the mail by the sender, but the data itself will never be sent because the firewall answers with a "Sender not allowed" error, terminating the email transaction before the DATA phase. Thus, this won't work.

2. I can place the sender on the Blacklist of the spam filter. The problem with this little solution is that all email from Blacklisted senders is deleted. I can't alter the rule to keep the mail from one individual and delete the rest, and I don't want to have to go through the deleted mail every day looking for the sender.

NOTE: I can't forward email "from" someone to another mailbox on Exchange Server or I would have done.

The Solution: Trusty old Snort of course.... ;)

Edit the snort.conf file for an external sensor and add an output plugin as follows:-

output database: log, mysql, user=username dbname=dbname sensor_name=External sid=1 password=password host=192.168.1.1

This will capture the tagged packets we are about to create.

In your local rules add the following rule, (make sure you have local rules enabled on the external sensor in its snort.conf):-

log tcp any any -> $SMTP_SERVERS 25 (msg: "Offensive Email Captured"; flow: to_server; content: "from|3A|"; nocase; content: "baduser@hisdomain"; within: 50; tag: host,100,packets; classtype: bad-unknown;)

This rule looks first for the content "from:" regardless of case, (nocase). Then it looks for the offender's email address within the next 50 bytes of that match, (the within: 50 is there to catch the specific "Mail from: baduser@baduser.com" without matching the address wherever else it may appear in the headers). Note that nocase only applies to the content it follows, so the address itself is matched case-sensitively.

If it finds the appropriate content it then goes into action. The rule starts with "log" rather than "alert" so Snort will log the packet along with the content. But it goes further... It "Tags", (captures), the next 100 packets associated with the host and logs them to the database so the data session can be reconstructed.

I tested this both with attachments and without. It easily captures the 20kb file I attached, though it wouldn't capture a big picture or executable for example. It will capture the start of the attachment and I should be able to identify the file type they tried to send even if I don't see the whole thing. If you want the whole thing, change the "100" in the tag: statement to something you think is more appropriate.
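To show what the rule's two content checks and the tagged capture actually give you, here is an added Python example (my own illustration, not code from the original post or from Snort): it emulates the rule's "from:" / within: 50 matching on a packet payload, reassembles a constructed, deliberately out-of-order set of tagged client-to-server packets back into the SMTP session, and reads the attachment type from the start of a truncated base64 body. The sender address, recipient, subject and packet sizes are all constructed sample values.

```python
import base64
import re

BAD_SENDER = b"baduser@hisdomain"   # the offender's address as written in the post

def rule_matches(payload: bytes) -> bool:
    """Emulate the rule: "from:" (nocase) then the sender address ending within
    50 bytes of that match; like Snort, retry on every later "from:" hit."""
    for m in re.finditer(rb"from:", payload, re.IGNORECASE):
        if BAD_SENDER in payload[m.end():m.end() + 50]:
            return True
    return False

def reassemble(packets):
    """Rebuild the client side of the tagged session from (seq, payload) pairs,
    ordering by TCP sequence number and trimming retransmits/overlaps."""
    stream, nxt = b"", None
    for seq, data in sorted(packets):
        if nxt is not None and seq < nxt:        # retransmit or overlap
            data, seq = data[nxt - seq:], nxt
        stream += data
        nxt = seq + len(data)
    return stream

MAGIC = {b"MZ": "Windows executable", b"%PDF": "PDF", b"\x89PNG": "PNG", b"PK\x03\x04": "ZIP/Office"}

def extract_message(stream: bytes):
    """Return (headers, attachment type, complete?) from the DATA phase. The
    100-packet tag may end before the closing CRLF.CRLF, so a truncated body is
    still examined: the first base64 line is enough to recover the magic bytes."""
    i = stream.find(b"DATA\r\n")
    if i < 0:
        return None
    msg = stream[i + 6:]
    end = msg.find(b"\r\n.\r\n")
    msg = msg if end < 0 else msg[:end]
    raw_hdrs, _, body = msg.partition(b"\r\n\r\n")
    headers = dict(h.split(b": ", 1) for h in raw_hdrs.split(b"\r\n") if b": " in h)
    kind = "unknown"
    if b"base64" in headers.get(b"Content-Transfer-Encoding", b""):
        first = body.split(b"\r\n", 1)[0]
        head = base64.b64decode(first[:len(first) // 4 * 4])   # whole 4-char groups only
        kind = next((t for magic, t in MAGIC.items() if head.startswith(magic)), "unknown")
    return headers, kind, end >= 0

# Constructed sample session (client -> server only, matching flow: to_server),
# cut off before the terminating dot to mimic the tag running out of packets.
SESSION = (b"MAIL FROM:<baduser@hisdomain>\r\nRCPT TO:<staff@company.example>\r\nDATA\r\n"
           b"From: Bad User <baduser@hisdomain>\r\nTo: staff@company.example\r\n"
           b"Subject: again\r\nContent-Type: application/octet-stream; name=\"pic.exe\"\r\n"
           b"Content-Transfer-Encoding: base64\r\n\r\n"
           + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 40) + b"\r\n")
# 40-byte "packets" from seq 1000, delivered in reverse order plus one retransmit.
PACKETS = [(1000 + o, SESSION[o:o + 40]) for o in range(0, len(SESSION), 40)][::-1]
PACKETS.append(PACKETS[-1])
```

Running `extract_message(reassemble(PACKETS))` reports the headers, "Windows executable" for the attachment, and False for completeness, i.e. the file type is recoverable even though the tag stopped before the end of the message.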

Hope someone finds this of use in the future.