
SMTP IDS Spam

hoomanp
Level 1

I have set up the SMTP audit on my C3640, but I still have several spamming IPs and my mail server keeps dropping those e-mail relays.

I added the

ip audit smtp spam 25 and

ip audit name Audit.1 attack action

But still someone spams.

07:47:55: %SEC-6-IPACCESSLOGP: list SEC permitted tcp 216.164.232.13(1541) -> 213.29.68.7(25), 6 packets

Any comments?

3 Replies

hcombee
Level 1

Can't you stop the spam at the mail server?

thomas.chen
Level 6

Is this the IDS that is generating the spam?

scircular
Level 1

hi,

i am wondering what you are trying to achieve.

with 'ip audit smtp spam 25' you tell the router that the max. number of recipients is 25.

until that limit is reached every mail is accepted and so the log entry is ok.

you can't configure the router for anti-relaying.

(sorry, you can: an acl to prevent certain ip-addresses from sending mail to your server, but that's another thing)

the number of recipients is the only indicator for the router to 'assume' a spam attack.

according to the cisco ios documentation:

3106 Mail Spam (Attack, Compound)

Counts number of Rcpt to: lines in a single mail message and alarms after a user-definable maximum has been exceeded (default is 250).

regards

ralf krist
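
An added example, not part of the thread and not Cisco's code: a Python model of the per-message "Rcpt to:" counting described in the reply above, showing why a sender whose messages each stay at or below the configured maximum never raises the alarm. The function names, addresses and session lines are constructed, and it assumes the server accepts every command.

```python
import re

RCPT = re.compile(r"^RCPT\s+TO:", re.IGNORECASE)
MAIL = re.compile(r"^MAIL\s+FROM:", re.IGNORECASE)

def spam_alarms(client_lines, max_rcpt=250):
    """Return the 1-based index of every message in one SMTP session whose
    RCPT TO count exceeds max_rcpt (250 is the documented default)."""
    alarms = []
    msg_index = 0     # messages started so far in this session
    rcpt_count = 0    # recipients of the current message only
    in_data = False   # True while the message body is being sent
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            # Body text is never parsed as commands; a lone "." ends it.
            if line == ".":
                in_data = False
                rcpt_count = 0
            continue
        verb = line.strip().upper()
        if MAIL.match(line):          # new message: counter starts over
            msg_index += 1
            rcpt_count = 0
        elif RCPT.match(line):
            rcpt_count += 1
            if rcpt_count == max_rcpt + 1:   # alarm once, on crossing
                alarms.append(msg_index)
        elif verb == "RSET":          # transaction aborted
            rcpt_count = 0
        elif verb == "DATA":
            in_data = True
    return alarms

def build_session(recipient_counts):
    """Constructed client-side SMTP lines: one message per list entry."""
    lines = ["EHLO client.example"]
    for n in recipient_counts:
        lines.append("MAIL FROM:<sender@example.org>")
        lines += [f"RCPT TO:<user{i}@example.net>" for i in range(n)]
        lines += ["DATA", "Subject: sample",
                  "RCPT TO: text inside the body is not a command", "."]
    return lines + ["QUIT"]

if __name__ == "__main__":
    print(spam_alarms(build_session([25]), max_rcpt=25))       # at the limit
    print(spam_alarms(build_session([20] * 10), max_rcpt=25))  # 200 rcpts, 10 mails
    print(spam_alarms(build_session([5, 30, 25]), max_rcpt=25))
```

A session that delivers 200 recipients as ten messages of 20 produces no alarm, which matches the permitted log entry in the question: blocking specific senders takes an ACL or filtering on the mail server itself.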