smtp: Validate mail transaction and disable SMTP analyzer if excessive

An invalid mail transaction is determined as

* RCPT TO command without a preceding MAIL FROM
* a DATA command without a preceding RCPT TO

and logged as a weird.

The testing pcap for invalid mail transactions was produced with a Python
script against a local exim4 configured to accept more errors and unknown
commands than 3 by default:

    # exim4.conf.template
    smtp_max_synprot_errors = 100
    smtp_max_unknown_commands = 100

See also: https://www.rfc-editor.org/rfc/rfc5321#section-3.3
Arne Welzel 2023-03-23 17:13:52 +01:00
parent 0eccd8a7a2
commit b8dc6ad120
14 changed files with 1649 additions and 1506 deletions

@ -205,6 +205,8 @@ export {
["RST_with_data"] = ACTION_LOG,
["SSL_many_server_names"] = ACTION_LOG,
["simultaneous_open"] = ACTION_LOG_PER_CONN,
["smtp_mail_transaction_invalid"] = ACTION_LOG_PER_CONN,
["smtp_excessive_invalid_mail_transactions"] = ACTION_LOG_PER_CONN,
["spontaneous_FIN"] = ACTION_IGNORE,
["spontaneous_RST"] = ACTION_IGNORE,
["SMB_parsing_error"] = ACTION_LOG,
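
Review bot: the two added entries, ["smtp_mail_transaction_invalid"] and ["smtp_excessive_invalid_mail_transactions"], are both set to ACTION_LOG_PER_CONN, so a connection that repeatedly sends RCPT TO or DATA out of order leaves only one smtp_mail_transaction_invalid entry in weird.log, and the number of invalid transactions that led to the excessive weird cannot be read back from the log. If that is intended, a short comment next to the entries would help, along with the threshold that triggers smtp_excessive_invalid_mail_transactions and the fact that the SMTP analyzer is disabled at that point, since neither is visible in these lines. Minor style point: if the table is meant to stay roughly alphabetical, smtp_excessive_invalid_mail_transactions would sort before smtp_mail_transaction_invalid.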