We are excited to announce the release of a new threat detection type: Spambot detection, which targets suspicious activity on port 25.

A Spambot detection alerts you that a resource in your environment is communicating abnormally with a remote host, most commonly over port 25.

What is SMTP?

Simple Mail Transfer Protocol (SMTP) is an email protocol and one of several internet protocols that use plaintext, meaning the communication is easy to see and read. Plaintext SMTP uses port 25. Many firewalls and end-user networks block port 25, since spammers try to abuse it to send large volumes of spam.

Indicators of Compromise

There are several ways SMTP can be used for malicious purposes, including phishing and spam emails, as well as reconnaissance by an attacker preparing for an attack.

Upwind’s Spambot detection informs you that a resource within your environment is abnormally communicating with a remote host on port 25, with no prior history of port 25 communication between this resource and that host. This behavior could indicate that a malicious actor has accessed a workload and executed a spambot, leading to abnormal SMTP traffic.
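As an added illustration (not Upwind’s code), the following script implements the rule described above over constructed flow records: learn which (resource, remote host) pairs already talk on port 25, then alert the first time a pair with no prior port 25 history appears. The record format, host names and addresses are all made up for the example.

```python
"""First-seen port 25 peer detection over flow records.

Added example, not Upwind's code. It implements the rule the post describes:
alert when a resource talks to a remote host on port 25 and that
(resource, remote host) pair has no prior port 25 history. The record
format, host names and addresses below are constructed sample data.
"""
from collections import Counter

SMTP_PORT = 25

# Constructed flow records: (timestamp, source resource, destination, dest port).
# Records before LEARNING_UNTIL only seed the baseline and never alert.
LEARNING_UNTIL = "2024-01-01T12:00:00Z"
FLOWS = [
    ("2024-01-01T08:00:00Z", "web-01", "mail.example.internal", 25),
    ("2024-01-01T08:05:00Z", "web-01", "mail.example.internal", 25),
    ("2024-01-01T09:00:00Z", "web-01", "api.example.internal", 443),
    ("2024-01-02T03:14:00Z", "web-01", "198.51.100.7", 25),            # new peer
    ("2024-01-02T03:14:05Z", "web-01", "198.51.100.7", 25),
    ("2024-01-02T10:00:00Z", "batch-02", "mail.example.internal", 25),  # known host, new pair
]


def detect_new_smtp_peers(flows, learning_until):
    """Return one alert per (resource, remote host) pair first seen on port 25
    after the learning window. ISO 8601 UTC timestamps sort lexically."""
    smtp_flows = sorted((f for f in flows if f[3] == SMTP_PORT), key=lambda f: f[0])
    # Total port 25 connections per pair, attached to each alert as volume context.
    volume = Counter((src, dst) for _, src, dst, _ in smtp_flows)
    baseline = set()
    alerts = []
    for ts, src, dst, _ in smtp_flows:
        pair = (src, dst)
        if pair in baseline:
            continue  # prior history exists: an established SMTP relationship
        baseline.add(pair)
        if ts >= learning_until:
            alerts.append({"time": ts, "resource": src,
                           "remote_host": dst, "connections": volume[pair]})
    return alerts


if __name__ == "__main__":
    for a in detect_new_smtp_peers(FLOWS, LEARNING_UNTIL):
        print(f"{a['time']} {a['resource']} -> {a['remote_host']}:25 "
              f"first seen, {a['connections']} connection(s)")
```

Note that the second alert fires for a destination that is already known, because the rule keys on the resource and host pair rather than on the host alone.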

There are several kinds of common Spambot attacks, including:

  1. Spam and phishing emails: an attacker compromises an organization’s mail server and sends phishing emails from a compromised account.
  2. Emailing malware: while less common in recent years, mass-mailer worms have historically been used to distribute malware through email that executes when opened by the recipient.
  3. Credential stealing: an attacker discovers email addresses and sends spam to try to obtain the owners’ credentials for online services. Attackers can also use the SMTP VRFY command to validate email addresses.

Spambot attacks are common, and they can pose a significant danger to organizations. If an attacker gains access to a workload and executes a spambot, the result may be attacks such as those listed above, or reconnaissance ahead of a larger planned attack on your infrastructure or network.

Upwind leverages runtime data to rapidly identify unusual port 25 communication and immediately alert you to suspicious activity. Read more about Spambot detections in the Upwind Documentation Center.