Revision history

Hi Bob,

You can start by looking at who was the sender and recipient of mail using SMTP filters.

After a client connects to an SMTP server, the commands are (very) basically this:

mail from:[email protected]
rcpt to:[email protected]
data
<TEXT GOES HERE>
. (dot to signal)

You can use smtp.req.command == "mail" to display packets where the sender email is entered.

You can use smtp.req.command == "rcpt" to display packets where the recipient of an email is entered.

You can then see if any email looks suspicious.

You would then need to look at all packets for that SMTP session to find out if the email did go through.

It's probably best to use "Follow TCP Stream" when you want to look at all packets.

You can use the following filters to dig deeper, but you may need to combine them with tcp.stream == <streamID> &&

You could look for a "250" response code containing "Message accepted for delivery", but this message would be very dependent on the software used on the SMTP server. It may not be there at all.

Trying the filter smtp.response.code == 250 is a start, but all successful SMTP commands may return code 250.

This filter is probably better: smtp.response.code == 250 && smtp.rsp.parameter contains "accepted for delivery"

Again, not sure what the server will respond with, if anything at all. (It's ransomware after all.)

You should look at RFC 5321 for more information on the SMTP protocol.

Hope this helps.

Cheers,

Spooky
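The check the answer describes, done in code rather than by eye: an added example (not the answerer's code and not a Wireshark feature) that walks a client/server transcript of the kind "Follow TCP Stream" shows, pulls the MAIL FROM sender and RCPT TO recipients, and decides whether the message went through by looking at the server's reply to the end-of-DATA "." rather than at any 250 anywhere in the session. The transcript is constructed, the "C:"/"S:" prefixes are a labelling assumption of the example, and it also tolerates addresses without angle brackets and the empty bounce sender, which goes slightly beyond the answer's sample commands.

```python
import re
from dataclasses import dataclass, field

@dataclass
class SmtpTransaction:
    sender: str = ""
    recipients: list = field(default_factory=list)
    final_reply: str = ""     # server reply to the end-of-DATA "."
    accepted: bool = False    # True when that reply is a 2xx (e.g. 250)

# Constructed transcript shaped like "Follow TCP Stream" output; the "C:"/"S:"
# client/server prefixes are a labelling assumption of this example.
SAMPLE_SESSION = """\
S: 220 mx.example.net ESMTP ready
C: MAIL FROM:<alice@example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.net>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: test
C: .
S: 250 2.0.0 Ok: queued as 4F1A2
"""

# Address after the colon, with or without <>, possibly empty (bounce sender)
ADDR = re.compile(r":\s*<?([^<>\s]*)>?")

def analyse_session(transcript: str) -> list:
    txns, current, in_data, awaiting_final = [], None, False, False
    for raw in transcript.splitlines():
        side, _, line = raw.partition(":")
        line = line.strip()
        if side == "C":
            if in_data:                               # message body lines
                if line == ".":                       # end-of-DATA terminator
                    in_data, awaiting_final = False, True
                continue
            verb = line.split(":")[0].upper()
            if verb == "MAIL FROM":
                current = SmtpTransaction(sender=ADDR.search(line).group(1))
                txns.append(current)
            elif verb == "RCPT TO" and current:
                current.recipients.append(ADDR.search(line).group(1))
            elif verb == "DATA":
                in_data = True
        elif side == "S" and awaiting_final and current:
            current.final_reply = line                # only the reply to "."
            current.accepted = line.startswith("2")
            awaiting_final = False
    return txns
```

A 250 to MAIL FROM or RCPT TO is ignored by design; only the reply that follows the terminating "." tells you the message was accepted.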