SpamBot Traffic

The SpamBot Traffic Analytics alert indicates that a non-SMTP server is connecting to an excessive number of external endpoints.

Synopsis

1 hour
3 days
None. All limit values are predetermined.
3 days
Any of the following:
  • Palo Alto Networks firewall traffic logs
  • Check Point firewall traffic logs
  • Cisco firewall traffic logs
  • Fortinet firewall traffic logs
  • Cortex XDR agent endpoint data
Severity
Varies by activity (High, Medium, or Low).

Description

A non-SMTP server is connecting to an excessive number of external endpoints over SMTP. The detector looks for SMTP connections from the host to external endpoints; the volume of that traffic (bytes or sessions) is not considered. Instead, it counts the number of distinct domains to which the non-SMTP process connects and the number of distinct unresolved IP addresses (destinations with no observed DNS resolution) the process uses, and raises the alert when those counts exceed the predetermined limits.

Investigative Actions

  • Verify that the source is not an SMTP server. If Cortex XDR Analytics has failed to identify the process as a valid SMTP server, this alert will be a false positive.
  • Verify that the IP addresses really are unresolved by the non-SMTP process. If the process performs DNS resolution through a DNS service outside your network, it is possible (depending on your network topology) that Cortex XDR Analytics does not observe that DNS traffic, so the destinations appear unresolved. Because SMTP services typically contact a large number of IP addresses, this can push a process over a limit it would otherwise stay under.
  • If the SMTP connection activity proves to be the result of malicious file activity, search in the Triage page for other endpoints infected with the file.
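The counting logic from the Description, and the external-DNS false-positive case from the second investigative action, as an added example. This is not Cortex XDR code: it is a toy re-implementation run over constructed firewall traffic lines and constructed DNS observations. The SMTP port set, the internal address ranges, the allowlist of known SMTP servers and the two limits are all assumptions (the real detector's limits are predetermined and not published on this page).

```python
"""Toy version of the SpamBot Traffic counting logic (added example, not Cortex XDR code).

Per source host that is not a known SMTP server, count the distinct external
domains and the distinct unresolved external IP addresses it contacts over SMTP
ports, and flag the host when either count exceeds a hypothetical limit.
"""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}            # assumption: SMTP, SMTPS and submission ports
KNOWN_SMTP_SERVERS = {"10.0.0.5"}      # hypothetical allowlist of hosts verified as SMTP servers
DOMAIN_LIMIT = 4                       # hypothetical limits; the real ones are predetermined
UNRESOLVED_IP_LIMIT = 3                # by the detector and not given on the page
# assumption: "internal" means RFC 1918 plus loopback; everything else is external
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed traffic log lines (src,dst,dport), loosely modelled on firewall CSV logs.
TRAFFIC_LOG = """\
10.0.0.5,203.0.113.10,25
10.0.0.5,203.0.113.11,25
10.0.0.5,203.0.113.12,25
10.0.0.5,203.0.113.13,25
10.0.0.5,203.0.113.14,25
10.0.1.20,203.0.113.21,25
10.0.1.20,203.0.113.22,25
10.0.1.20,203.0.113.23,25
10.0.1.20,203.0.113.24,25
10.0.1.20,203.0.113.25,25
10.0.1.20,198.51.100.1,25
10.0.1.20,198.51.100.2,25
10.0.1.20,198.51.100.3,25
10.0.1.30,203.0.113.50,587
10.0.1.30,203.0.113.99,443
10.0.1.30,10.0.0.5,25
10.0.1.40,203.0.113.61,25
10.0.1.40,203.0.113.62,25
10.0.1.40,203.0.113.63,25
10.0.1.40,203.0.113.64,25
"""

# Constructed DNS answers observed by the sensor: (client_ip, queried_name, answer_ip).
# 10.0.1.40 resolves through an external resolver the sensor never sees, so it has no entries.
DNS_OBSERVED = [
    ("10.0.1.20", "mx1.example.net", "203.0.113.21"),
    ("10.0.1.20", "mx2.example.net", "203.0.113.22"),
    ("10.0.1.20", "mail.example.org", "203.0.113.23"),
    ("10.0.1.30", "smtp.example.org", "203.0.113.50"),
]


def parse_traffic(text):
    """Parse 'src,dst,dport' lines into (src, dst, int(dport)) tuples."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split(",")
        rows.append((src, dst, int(dport)))
    return rows


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def count_smtp_destinations(rows, dns_observed, known_smtp_servers=KNOWN_SMTP_SERVERS):
    """Return {src: (set_of_domains, set_of_unresolved_ips)} for non-SMTP hosts
    that made SMTP-port connections to external addresses."""
    resolved = defaultdict(dict)               # client -> {answer_ip: queried_name}
    for client, name, answer in dns_observed:
        resolved[client][answer] = name
    domains, unresolved = defaultdict(set), defaultdict(set)
    for src, dst, dport in rows:
        if dport not in SMTP_PORTS or not is_external(dst) or src in known_smtp_servers:
            continue                           # not SMTP, not external, or a real mail server
        name = resolved[src].get(dst)
        if name:
            domains[src].add(name)             # destination was resolved by a DNS query we saw
        else:
            unresolved[src].add(dst)           # no observed resolution: counts as a raw IP
    return {h: (domains[h], unresolved[h]) for h in set(domains) | set(unresolved)}


def spambot_verdicts(rows, dns_observed, known_smtp_servers=KNOWN_SMTP_SERVERS):
    """Map each candidate host to True when either count exceeds its limit."""
    counts = count_smtp_destinations(rows, dns_observed, known_smtp_servers)
    return {h: (len(d) > DOMAIN_LIMIT or len(u) > UNRESOLVED_IP_LIMIT)
            for h, (d, u) in counts.items()}


if __name__ == "__main__":
    rows = parse_traffic(TRAFFIC_LOG)
    for host, (d, u) in sorted(count_smtp_destinations(rows, DNS_OBSERVED).items()):
        flagged = spambot_verdicts(rows, DNS_OBSERVED)[host]
        print(f"{host}: {len(d)} domains, {len(u)} unresolved IPs -> "
              f"{'SpamBot Traffic' if flagged else 'ok'}")
```

In this constructed data, 10.0.0.5 is excluded as a known mail server, 10.0.1.20 is flagged on its unresolved-IP count, and 10.0.1.30 stays under both limits. 10.0.1.40 is the case from the investigative action: it is flagged only because its DNS lookups go to a resolver outside the monitored network, so every destination counts as unresolved; feeding the same DNS answers into `DNS_OBSERVED` clears it.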
