2.10. Using Bro to Identify Top E-Mail Senders/Receivers

As Bro is capturing and logging several application protocols, one that has mixed results is the SMTP module. When combined with the MIME module, the SMTP module can be very powerful in helping to identify several of the "Marcus Ranum" top mail-related statistics (Chapter 1). These are useful statistics such as top mail sender, top mail receiver, top mail server sender, and top mail server receiver. These types of data can be helpful and beneficial to both the security teams as well as to the operational side of the house. For example, if you were to show the mail administrators those top statistics they could more than likely discover a spam host and issue a block for that domain or IP space. Although showing who the top mail sender is could be useful in discovering the user who is sending out the most e-mails, this could be dug into deeper to find out what they are sending out. As for the top mail receiver this could be useful in determining targeted or compromised e-mail accounts. As you can see these are only some examples of what type of information you can get out of BRO smtp logs.

Some of the information that can be gathered from Bro for e-mail includes: