SpamBot Traffic

The Cortex XDR – Analytics SpamBot Traffic alert indicates that a host which is not a known SMTP server is connecting over SMTP to an excessive number of external endpoints.

Synopsis

  • 1 hour.
  • 3 days.
  • None. All limit values are predetermined.
  • 3 days.
  • Traffic logs or Traps endpoint data.
  • Execution.

Description

A host that is not a known SMTP server is connecting over SMTP to an excessive number of external endpoints. The detector examines SMTP connections to external endpoints but does not consider the volume of traffic: it counts the number of distinct domains to which the non-SMTP process connects, plus the number of distinct unresolved IP addresses the process connects to, and raises the alert when that count exceeds a predetermined limit.

Investigative Actions

  • Verify that the source is not an SMTP server. If Cortex XDR – Analytics has failed to identify the process as a legitimate SMTP server, this alert is a false positive.
  • Verify that the IPs are actually not being resolved by the non-SMTP process. If the process performs DNS resolution through a DNS service outside your network, Cortex XDR – Analytics may not observe that traffic (depending on your network topology). In that case every IP address the process connects to is counted as an unresolved IP rather than being collapsed into its domain; because SMTP services typically use a large number of IP addresses, this can push a process over a limit it would otherwise stay under.
  • If the SMTP connection activity proves to be the result of malicious file activity, search the Triage page for other endpoints infected with the file.
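The following is an added example, not Palo Alto Networks code and not a description of the product's internal implementation. It re-creates the counting logic described above over constructed traffic-log records and also exercises the two false-positive conditions from the investigative actions: a source wrongly treated as a non-SMTP host, and DNS resolution the sensor never sees. The limit value, the set of known mail servers, the internal address ranges, and the record layout are all assumptions for illustration; the real limit values are predetermined by the product and not published.

```python
"""Toy re-creation of the SpamBot Traffic counting logic over constructed traffic-log records."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed value: the product's real limit values are predetermined and not published,
# so this threshold is a stand-in. The 1-hour window follows the synopsis.
DISTINCT_ENDPOINT_LIMIT = 5
TEST_WINDOW = timedelta(hours=1)
SMTP_PORTS = {25, 465, 587}

# Assumed: hosts the organization knows to be legitimate mail relays. In the product this
# identification is done by Cortex XDR - Analytics; a miss there produces a false positive.
KNOWN_SMTP_SERVERS = {"mailgw01"}

# Assumed definition of "internal": RFC 1918 plus loopback. Everything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def count_endpoints(events, now):
    """Per source host: distinct resolved domains + distinct unresolved IPs among SMTP
    connections to external endpoints inside the test window. Connection volume is ignored."""
    domains = defaultdict(set)
    unresolved = defaultdict(set)
    for e in events:
        if e["src"] in KNOWN_SMTP_SERVERS:
            continue                        # mail servers are expected to fan out
        if e["dst_port"] not in SMTP_PORTS:
            continue                        # only SMTP connections are counted
        if not is_external(e["dst_ip"]):
            continue                        # internal destinations are not counted
        if now - e["ts"] > TEST_WINDOW:
            continue                        # outside the 1-hour test period
        if e["dst_domain"]:
            domains[e["src"]].add(e["dst_domain"])
        else:
            unresolved[e["src"]].add(e["dst_ip"])
    sources = set(domains) | set(unresolved)
    return {s: len(domains[s]) + len(unresolved[s]) for s in sources}


def spambot_alerts(events, now):
    """Sources whose distinct-endpoint count exceeds the limit."""
    return sorted(s for s, n in count_endpoints(events, now).items() if n > DISTINCT_ENDPOINT_LIMIT)


def strip_resolution(events):
    """Simulate DNS resolution the sensor never observed (e.g. an external resolver):
    every destination becomes an unresolved IP, so IPs behind one domain count separately."""
    return [{**e, "dst_domain": None} for e in events]


# Constructed sample data (not real telemetry). NOW anchors the 1-hour window.
NOW = datetime(2024, 1, 1, 12, 0, 0)


def _ev(src, dst_ip, dst_domain=None, dst_port=25, minutes_ago=10):
    return {"src": src, "dst_ip": dst_ip, "dst_domain": dst_domain,
            "dst_port": dst_port, "ts": NOW - timedelta(minutes=minutes_ago)}


EVENTS = (
    # ws-017: 3 resolved domains + 5 unresolved IPs = 8 distinct endpoints -> alert.
    [_ev("ws-017", f"203.0.113.{i}", f"mx{i}.example-a.test") for i in (1, 2, 3)]
    + [_ev("ws-017", f"198.51.100.{i}") for i in range(10, 15)]
    + [_ev("ws-017", "10.0.0.5"),                       # internal: ignored
       _ev("ws-017", "198.51.100.200", dst_port=443),   # not SMTP: ignored
       _ev("ws-017", "198.51.100.99", minutes_ago=90)]  # outside window: ignored
    # ws-022: 2 distinct endpoints -> below the limit.
    + [_ev("ws-022", "203.0.113.20", "mx.example-b.test"), _ev("ws-022", "198.51.100.50")]
    # ws-031: 6 IPs that all resolve to one domain -> 1 endpoint while DNS is visible.
    + [_ev("ws-031", f"203.0.113.{i}", "mx.example-c.test") for i in range(30, 36)]
    # mailgw01: a known SMTP server fanning out to 10 IPs -> excluded entirely.
    + [_ev("mailgw01", f"198.51.100.{i}") for i in range(100, 110)]
)

if __name__ == "__main__":
    print("alerts:", spambot_alerts(EVENTS, NOW))                                         # ['ws-017']
    print("alerts without observed DNS:", spambot_alerts(strip_resolution(EVENTS), NOW))  # ['ws-017', 'ws-031']
```

The second run shows the DNS caveat from the investigative actions: ws-031 talks to six addresses of a single mail provider and stays well under the limit while the resolver traffic is visible, but the same connections trip the alert once every address is counted as unresolved. Removing `mailgw01` from `KNOWN_SMTP_SERVERS` reproduces the first caveat, since a legitimate relay then exceeds the limit immediately.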

Related Documentation