Detecting E-mail Anomalies
Botnets - The killer web applications
In this section we take a brief look at detecting e-mail anomalies. We do this with a slightly modified TCP port report called the email syn port report. If you look back at Figure 7.1 you can find the 30-second version of this report in the security jump table. There is also a daily summarization in the summarization section. The goal of the e-mail syn report is to tell you which IP hosts are sending the most SYN packets to start TCP e-mail connections. A box infected with a spam-sending bot client tries to send large amounts of spam to many hosts and could incur failures. Typically such boxes are less efficient than normal e-mail servers. As a result, we sort all e-mail-sending systems by the total number of SYNs sent and put this in a special type of report.

www.syngress.com
Ourmon: Anomaly Detection Tools • Chapter 7
275

You should be able to use the daily summarization to determine which hosts are sending e-mail. Once you know what is normal for your site, you can ask yourself two questions:

1. Are there new hosts sending e-mail that we didn't know about before?
2. Are there hosts sending e-mail that seem to fail a lot?

The second question here should be taken with a large grain of salt. E-mail, more than most applications, is failure prone. E-mail servers try over and over again for days at a time before they give up. On the other hand, it could mean something significant if a host sending e-mail never succeeds. In that case, you might simply have a communication or configuration problem that needs to be addressed. For example, one concrete problem we have seen is off-campus e-mail servers trying to talk to a campus e-mail server via a DNS name, where the DNS name exists but the host itself is gone and is never coming back. On the other hand, normal e-mail servers are not likely to always fail. Furthermore, they will typically not try to make as many connections as a spam-sending system.

The port report is a little different in both the 30-second and summarized versions because for each host ourmon computes an e-mail-specific TCP work weight. Usually the work weight is for all the applications on a given host. In this case it is e-mail port-specific for a given host. The e-mail ports are defined as 25 (SMTP), 587 (submission), and 465 (secure SMTP). Put another way, there is a second e-mail packet-only work weight computed in the same fashion as the normal TCP work weight. We also count all e-mail SYN packets. Let's take a quick look at the data formats to see how they differ. First we look at the 30-second report (see Table 7.7) and then we look at the summarization. We will only look at one data example in both cases. This system is a normal, busy e-mail server on our campus.
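As an added example, not code from the book or from ourmon itself, the following Python script builds the e-mail syn report over constructed packet records: per-host SYN count on the e-mail ports above, an e-mail-port-only work weight, and a triage pass that asks the two questions from this section. The work-weight formula (SYNs sent plus FINs sent plus RSTs received, over all TCP packets on those ports) is assumed from ourmon's general TCP work weight; the hosts, thresholds and packet patterns are constructed.

```python
from collections import Counter

EMAIL_PORTS = {25, 587, 465}  # SMTP, submission, SMTPS, as listed in the chapter
# Packet events that raise the work weight: SYNs and FINs the host sends,
# RSTs it receives (assumed, modelled on ourmon's general TCP work weight).
WORK_EVENTS = {("SYN", "out"), ("FIN", "out"), ("RST", "in")}

def _conns(host, port, count, pattern):
    """Expand `count` conversations of `host` on server `port` into packet
    tuples (host, port, flag, direction); 'out' = sent by host. Constructed data."""
    return [(host, port, flag, d) for _ in range(count) for flag, d in pattern]

NORMAL = [("SYN", "out"), ("ACK", "in"), ("PSH", "out"), ("PSH", "in"),
          ("PSH", "out"), ("FIN", "out"), ("FIN", "in")]  # completed delivery
REFUSED = [("SYN", "out"), ("RST", "in")]                 # connection refused
UNANSWERED = [("SYN", "out")]                             # peer never replies
PACKETS = (_conns("10.1.1.25", 25, 200, NORMAL)      # busy, normal campus MX
           + _conns("10.1.7.42", 25, 300, REFUSED)   # spam bot: mostly failing
           + _conns("10.1.7.42", 25, 200, UNANSWERED)
           + _conns("10.1.3.9", 587, 30, NORMAL)     # new submission client
           + _conns("10.1.9.1", 80, 500, REFUSED))   # web traffic, not e-mail

def email_syn_report(packets):
    """Per-host e-mail SYN count plus an e-mail-port-only work weight (percent),
    sorted by SYNs sent, as the e-mail syn port report does."""
    c = Counter()
    for host, port, flag, direction in packets:
        if port not in EMAIL_PORTS:
            continue  # only packets on e-mail ports feed this report
        c[(host, "total")] += 1
        if (flag, direction) in WORK_EVENTS:
            c[(host, "work")] += 1
        if (flag, direction) == ("SYN", "out"):
            c[(host, "syn")] += 1
    rows = [{"host": h, "syns": c[(h, "syn")],
             "ww": 100 * c[(h, "work")] // c[(h, "total")]}
            for h in {h for h, kind in c if kind == "total"}]
    return sorted(rows, key=lambda r: r["syns"], reverse=True)

def triage(report, known_senders, min_syns=100, min_ww=90):
    """The two questions from the text: (1) senders not in the site baseline,
    (2) heavy senders whose connections mostly fail. Returns (host, reason)."""
    findings = []
    for r in report:
        if r["host"] not in known_senders:
            findings.append((r["host"], "new e-mail sender"))
        if r["syns"] >= min_syns and r["ww"] >= min_ww:
            findings.append((r["host"], "many SYNs, mostly failing"))
    return findings
```

Note that the busy campus server lands second in the SYN ranking yet is never flagged: sorting by SYNs alone is what the report does, and the work weight is what separates a heavy normal sender from one whose connections mostly fail.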