mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
b8dc6ad120
An invalid mail transaction is determined as
* RCPT TO command without a preceding MAIL FROM
* a DATA command without a preceding RCPT TO
and logged as a weird.
The testing pcap for invalid mail transactions was produced with a Python
script against a local exim4 configured to accept more errors and unknown
commands than 3 by default:
# exim4.conf.template
smtp_max_synprot_errors = 100
smtp_max_unknown_commands = 100
See also: https://www.rfc-editor.org/rfc/rfc5321#section-3.3
13 lines
1.2 KiB
Text
13 lines
1.2 KiB
Text
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path smtp
|
|
#open XXXX-XX-XX-XX-XX-XX
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom rcptto date from to cc reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent tls fuids
|
|
#types time string addr port addr port count string string set[string] string string set[string] set[string] string string string string addr string string string vector[addr] string bool vector[string]
|
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 44478 127.0.0.1 25 1 Bob-PC bob@example.org alice@example.org - - - - - - - - - - - 250 OK id=1pgobK-001mwq-ED 127.0.0.1,127.0.0.1 - F (empty)
|
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 44478 127.0.0.1 25 2 Bob-PC - alice@example.org - - - - - - - - - - - 500 unrecognized command 127.0.0.1,127.0.0.1 - F (empty)
|
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 44478 127.0.0.1 25 2 Bob-PC bob@example.org - - - - - - - - - - - - 500 unrecognized command 127.0.0.1,127.0.0.1 - F (empty)
|
|
#close XXXX-XX-XX-XX-XX-XX
|