Email Contexts

These attack objects and groups are designed to detect known attack patterns and protocol anomalies in network traffic. You can configure attack objects and groups for e-mail as match conditions in IDP policy rules.

Service Contexts: IMAP

The table displays the security context details for IMAP:

Table 1: Service Contexts: IMAP

| Context and Direction | Description | Example of Contexts |
| --- | --- | --- |
| imap-append (CTS) | Matches the e-mail contents in an IMAP append message. | IMAP transaction showing an APPEND command with tag a002 and a yellow-highlighted truncated folder name. |
| imap-append-line (CTS) | Matches the arguments of the IMAP Append command line in an IMAP session. | IMAP transaction with an APPEND command to inbox; the test data includes repeated A characters, a line break, and inbox highlighted in yellow. |
| imap-authenticate (CTS) | Matches the arguments of the IMAP Authenticate command in an IMAP session. | IMAP transaction example highlighting cram-md5 authentication, with request format a001 authenticate cram-md5 and context usage imap-authenticate pattern cram-md5. |
| imap-banner (STC) | Matches the arguments of the first untagged OK response in an IMAP session. | IMAP transaction showing the server response Domino IMAP4 Server Release 9.0.1 ready on Mon, 29 May 2017. Context: imap-banner pattern Server. |
| imap-command (CTS) | Matches each IMAP command name in an IMAP session. | IMAP transaction field example showing the command a001 LOGIN admin vat foobar, with a breakdown of request tag a001, command LOGIN, username admin, and password foobar. |
| imap-command-line (CTS) | Matches each IMAP command name and its arguments in an IMAP session. | IMAP transaction example showing a login command with tag a001, command LOGIN, username admin vrt, and password foobar. |
| imap-copy (CTS) | Matches the arguments of the IMAP Copy command in an IMAP session. | |
| imap-create (CTS) | Matches the arguments of the IMAP Create command in an IMAP session. | |
| imap-delete (CTS) | Matches the arguments of the IMAP Delete command in an IMAP session. | IMAP transaction DELETE command with tag 2 targeting a folder name made of repeated A characters; the line ends with \r\n. |
| imap-deleteacl (CTS) | Matches the arguments of the IMAP DeleteACL command in an IMAP session. | |
| imap-examine (CTS) | Matches the arguments of the IMAP Examine command in an IMAP session. | |
| imap-fetch (CTS) | Matches the arguments of the IMAP Fetch command in an IMAP session. | IMAP transaction field with header, truncated line 3 FETCH 1, and a highlighted repeated-A pattern. Context usage example shows imap-fetch pattern AAAAA. |
| imap-getacl (CTS) | Matches the arguments of the IMAP GetACL command in an IMAP session. | |
| imap-list (CTS) | Matches the arguments of the IMAP List/RList command in an IMAP session. | Example of an IMAP transaction field labeled a002 LIST with a truncated, lengthy character string. |
| imap-listrights (CTS) | Matches the arguments of the IMAP ListRights command in an IMAP session. | |
| imap-login (CTS) | Matches the arguments of the IMAP Login command in an IMAP session. | IMAP transaction field with a login command; username admin vrt, password foobar. Username admin vrt is highlighted in yellow. |
| imap-lsub (CTS) | Matches the arguments of the IMAP LSUB/RLSUB command in an IMAP session. | IMAP transaction example with tag j747 and command LSUB, showing a long encoded string and the context pattern YtHQyQ. |
| imap-mailbox (CTS) | Matches each mailbox name in an IMAP session. | Example of an IMAP transaction selecting the INBOX folder, with command details and context usage for mailbox pattern matching. |
| imap-myrights (CTS) | Matches the arguments of the IMAP MyRights command in an IMAP session. | |
| imap-rename (CTS) | Matches the arguments of the IMAP Rename command in an IMAP session. | |
| imap-search (CTS) | Matches the arguments of the IMAP Search command in an IMAP session. | IMAP search request with tag 4, command SEARCH, argument ON, followed by a long string of A characters. |
| imap-select (CTS) | Matches the arguments of the IMAP Select command in an IMAP session. | IMAP transaction example with the command SELECT INBOX, selecting the INBOX folder for subsequent operations. |
| imap-setacl (CTS) | Matches the arguments of the IMAP SetACL command in an IMAP session. | |
| imap-status (CTS) | Matches the arguments of the IMAP Status command in an IMAP session. | IMAP transaction with a STATUS command showing request tag 2 and a folder name truncated by A characters highlighted in yellow. |
| imap-store (CTS) | Matches the arguments of the IMAP Store command in an IMAP session. | |
| imap-subscribe (CTS) | Matches the arguments of the IMAP Subscribe command in an IMAP session. | |
| imap-uid (CTS) | Matches the arguments of the IMAP UID command in an IMAP session. | |
| imap-unsubscribe (CTS) | Matches the arguments of the IMAP Unsubscribe command in an IMAP session. | |
| imap-user (CTS) | Matches the IMAP user name in an IMAP session. | IMAP transaction example showing the login request line a001 LOGIN admin vrt foobar, with the pattern admi highlighted in yellow within the username admin vrt. |
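As an added example (not code from the page or from Juniper), the following Python walks a constructed client-to-server (CTS) IMAP session and populates the Table 1 contexts the way a context-based signature would see them: the tagged command name goes to imap-command, the command with its arguments to imap-command-line, the arguments of named commands to their imap-<command> context, the first argument of mailbox commands to imap-mailbox, and the literal that follows an APPEND to imap-append; find_matches then pairs a context with a pattern. The sample lines, function names and the ALIAS/MAILBOX_FIRST tables are assumptions made for the example.

```python
import re
# Constructed client-to-server (CTS) IMAP lines; assumed sample data, not taken from the page.
CLIENT_LINES = [
    "a001 LOGIN admin foobar",
    "a002 SELECT INBOX",
    "a003 APPEND inbox (\\Seen) {11}",
    "Hello world",                       # the literal that follows APPEND: the e-mail contents
    "a004 SEARCH ON 1-Jan-2017 " + "A" * 300,
]
TAGGED = re.compile(r"^(?P<tag>\S+) (?P<cmd>[A-Za-z]+)(?: (?P<args>.*))?$")
# Commands whose arguments populate an imap-<name> context (ALIAS covers RLIST/RLSUB and the APPEND line).
ARG_CONTEXTS = {"AUTHENTICATE", "APPEND", "COPY", "CREATE", "DELETE", "DELETEACL", "EXAMINE", "FETCH",
                "GETACL", "LIST", "RLIST", "LISTRIGHTS", "LOGIN", "LSUB", "RLSUB", "MYRIGHTS", "RENAME",
                "SEARCH", "SELECT", "SETACL", "STATUS", "STORE", "SUBSCRIBE", "UID", "UNSUBSCRIBE"}
ALIAS = {"RLIST": "list", "RLSUB": "lsub", "APPEND": "append-line"}
# Commands whose first argument is a mailbox name, feeding imap-mailbox.
MAILBOX_FIRST = {"SELECT", "EXAMINE", "CREATE", "DELETE", "RENAME", "SUBSCRIBE", "UNSUBSCRIBE", "STATUS", "APPEND"}

def imap_contexts(line):
    """Map one tagged IMAP command line to the CTS contexts it populates."""
    m = TAGGED.match(line)
    if not m:
        return {}
    cmd, args = m["cmd"].upper(), m["args"] or ""
    ctx = {"imap-command": cmd, "imap-command-line": (cmd + " " + args).strip()}
    if cmd in ARG_CONTEXTS:
        ctx["imap-" + ALIAS.get(cmd, cmd.lower())] = args
    if cmd == "LOGIN":
        ctx["imap-user"] = args.split(" ", 1)[0]
    if cmd in MAILBOX_FIRST:
        ctx["imap-mailbox"] = args.split(" ", 1)[0]
    return ctx

def session_contexts(lines):
    """Walk a session; the literal after an APPEND line ending in {n} is the imap-append context."""
    out, expect_literal = [], False
    for line in lines:
        if expect_literal:
            out.append((line, {"imap-append": line}))
            expect_literal = False
            continue
        ctx = imap_contexts(line)
        expect_literal = ctx.get("imap-command") == "APPEND" and line.endswith("}")
        out.append((line, ctx))
    return out

def find_matches(lines, context, pattern):
    """Lines whose value for a context matches a pattern, as a signature pairs context and pattern."""
    return [l for l, c in session_contexts(lines) if context in c and re.search(pattern, c[context])]
```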

Service Contexts: POP3

The table displays the security context details for POP3:

Table 2: Service Contexts: POP3

| Context and Direction | Description | Example of Contexts |
| --- | --- | --- |
| pop3-apop (CTS) | Matches the arguments of the APOP command in a POP3 session. | |
| pop3-auth (CTS) | Matches the arguments of the AUTH command in a POP3 session. | POP3 authentication field example highlighting a command injection pattern containing /bin/sh and the pop3-auth pattern used to detect it. |
| pop3-command (CTS) | Matches each of the POP3 command names in a POP3 session. | POP3 transaction example with client-server interaction during authentication, highlighting the USER command. |
| pop3-command-line (CTS) | Matches each command line in a POP3 session. | POP3 transaction example with USER and PASS commands, and the context usage pattern for matching POP3 command lines. |
| pop3-data-line (STC) | Matches lines in the e-mail body of a POP3 transaction. | |
| pop3-data-text-html (STC) | Matches lines in a text/html MIME attachment in the body of a POP3 transaction. | HTML snippet with quoted-printable encoding showing an iframe whose src points to foobar.exe, indicating potential malware delivery by e-mail. |
| pop3-data-text-plain (STC) | Matches lines in a text/plain MIME attachment in the body of a POP3 transaction. | Field in a POP3 transaction showing content type text/plain with charset us-ascii and format flowed. A highlighted string of A characters suggests buffer overflow testing. Below it is a regular expression pattern for matching data in POP3 transactions. |
| pop3-dele (CTS) | Matches the arguments of the DELE command in a POP3 session. | POP3 transaction showing deletion of message 1 with server confirmation and session termination. Context highlights the pop3-dele pattern referencing message 1. |
| pop3-header | Matches each header of an e-mail in a POP3 transaction. | Example of a POP3 transaction showing e-mail retrieval with the RETR command, highlighting the Message-ID field. Includes the headers Date, From, and MIME-Version. Regular expression for matching the message ID: `message-id: <[A-Za-z0-9]+>`. |
| pop3-header-comment (STC) | Matches the Comment: header of an e-mail in a POP3 transaction. | |
| pop3-header-from (STC) | Matches the From: header of an e-mail in a POP3 transaction. | E-mail header example in a POP3 transaction showing the From field with an obfuscated sender address for illustrative purposes. Context usage note on the pop3-header-from pattern with value LMI. |
| pop3-header-line (STC) | Matches each header line of an e-mail in a POP3 transaction. | |
| pop3-header-reply-to (STC) | Matches the Reply-To: header of an e-mail in a POP3 transaction. | Headers From james@american.secteam.juniper.net, Message-ID 002c01c49791$51c036a0$de069d0a@yakima, Reply-To james@american.secteam.juniper.net (highlighted in yellow), To sample@american.secteam.juniper.net, Subject dsdsad. |
| pop3-header-sender (STC) | Matches the Sender: header of an e-mail in a POP3 transaction. | |
| pop3-header-subject (STC) | Matches the Subject: header of an e-mail in a POP3 transaction. | POP3 transaction showing an e-mail Subject field with value 6qyIcdDATL8QbKNgInrceaZn7XKBcxSWV9K4, matched using pattern 6qy. |
| pop3-header-to (STC) | Matches the To: header of an e-mail in a POP3 transaction. | Example of a POP3 e-mail transaction showing headers such as Message-ID, Date, From, MIME-Version, and To. The To field, highlighted in yellow, is matched with pattern vJZ7. |
| pop3-header-x-field (STC) | Matches each extended header (those starting with X-) of an e-mail in a POP3 transaction. | X-Priority field highlighted in yellow, with its value 3 used as the pattern in a POP3 transaction context example. |
| pop3-header-x-mailer (STC) | Matches the X-Mailer: header of an e-mail in a POP3 transaction. | Metadata from an e-mail header in a POP3 transaction showing boundary, X-Priority, X-MSMail-Priority, and X-Mailer fields, with context usage of X-Mailer in pattern matching. |
| pop3-list (CTS) | Matches the arguments of the LIST command in a POP3 session. | POP3 transaction with command LIST h1A f1 and error response -ERR Message 0 does not exist; the context focus is the pop3-list pattern f1. |
| pop3-mime-content-data (STC) | Matches the first 64 bytes of the base64-decoded MIME attachment data in a POP3 session. | POP3 field example showing e-mail attachment metadata: Content-Type application/octet-stream with name mNTNAhB21nBFCb.Wmf, base64 encoding, and downloadable disposition. |
| pop3-mime-content-filename (STC) | Matches the content filename of a MIME attachment in a POP3 session. | POP3 transaction field showing metadata for an e-mail attachment: Content-Type application/octet-stream, Content-Transfer-Encoding base64, and Content-Disposition with filename mNTNAhB21nBFCb.Wmf. The filename is highlighted, and the context usage pop3-mime-content-filename pattern: mNTN matches it. |
| pop3-mime-content-name (STC) | Matches the content name of a MIME attachment in a POP3 session. | Example of a POP3 field showing e-mail attachment metadata: Content-Type application/octet-stream, Name mNTNAhB21nBFCb.Wmf, Content-Transfer-Encoding base64, Content-Disposition attachment; context usage highlights the pattern mNTN from the name. |
| pop3-retr (CTS) | Matches the arguments of the RETR command in a POP3 session. | POP3 transaction example showing client-server e-mail interaction. The LIST command lists one message; RETR 1 retrieves it. |
| pop3-top (CTS) | Matches the arguments of the TOP command in a POP3 session. | |
| pop3-uidl (CTS) | Matches the arguments of the UIDL command in a POP3 session. | |
| pop3-user (CTS) | Matches the user name of a POP3 session. | POP3 transaction example showing client-server interaction during authentication, with username test and password blarg highlighted. |
| pop3-xtnd (CTS) | Matches the arguments of the XTND command in a POP3 session. | |

Service Contexts: SMTP

The table displays the security context details for SMTP:

Table 3: Service Contexts: SMTP

| Context and Direction | Description | Example of Contexts |
| --- | --- | --- |
| smtp-banner (STC) | Matches the banner returned by the server at the start of an SMTP transaction. | SMTP server response showing a banner and the communication sequence with HELO, MAIL FROM, and RCPT TO commands, and error 550. |
| smtp-command-line (CTS) | Matches any SMTP command line. | SMTP transaction showing server response 220 river.fscinternet.com ESMTP Sendmail and client command HELO fscinternet.com, with the HELO command emphasized. |
| smtp-data-line (CTS) | Matches lines in the e-mail body of an SMTP transaction. | SMTP request example showing iCalendar data in an e-mail. Highlights fields such as DAYLIGHT, DTSTART, RRULE, and VEVENT, used for daylight saving and calendar events. |
| smtp-data-text-html (CTS) | Matches lines in a text/html MIME attachment in the body of an SMTP transaction. | SMTP request field example showing HTML content with Content-Type text/html and Content-Transfer-Encoding quoted-printable. |
| smtp-data-text-plain (CTS) | Matches lines in a text/plain MIME attachment in the body of an SMTP transaction. | SMTP request field highlighting an ActMon report with 256-bit AES encryption, version V5.20, a purchase link, and the context pattern. |
| smtp-from (CTS) | Matches the contents of the MAIL, SAML, SEND, and SOML commands. | SMTP transaction example showing e-mail fields: DATA command, server response, sender keys@keys.com, recipient myu@fscinternet.com, subject WINXPPRO 4. The context usage pattern matches the sender's address. |
| smtp-header (CTS) | Matches any unfolded header in the SMTP data. | Content-Disposition specifies an attachment with filename ieeEFu3HpZPfU4.aU in an SMTP request example focusing on content type and disposition. |
| smtp-header-comment (CTS) | Matches the Comment: header in the SMTP data. | |
| smtp-header-from (CTS) | Matches the From: header in the SMTP data. | SMTP request example with DATA command and e-mail headers such as X-OEM, Date, and To, with the From field highlighted showing the address myu@fscinternet.com. Context pattern smtp-header-from with myu. |
| smtp-header-line (CTS) | Matches any header line in the SMTP data. | SMTP e-mail headers example with DATA command, sender keys@keys.com, recipient myu@fscinternet.com, and subject WINXPPRO, highlighting the use of encoded characters and the regex pattern for the From field. |
| smtp-header-reply-to (CTS) | Matches the Reply-To: header in the SMTP data. | SMTP request field example showing recipient hahosoya@kurims.kyoto-u.ac.jp and the reply-to pattern voyages for context-based matching. |
| smtp-header-sender (CTS) | Matches the Sender: header in the SMTP data. | |
| smtp-header-subject (CTS) | Matches the Subject: header in the SMTP data. | SMTP request field showing the e-mail header structure: Date, To, From, Subject (highlighted in yellow), User, X-Priority. Context note: the smtp-header-subject pattern matches Report in the subject. |
| smtp-header-to (CTS) | Matches the To: header in the SMTP data. | SMTP request field showing e-mail header details: Date Mon 28 Feb 2005 17:11:12 -0500, To myu@fscinternet.com (highlighted), From myu@fscinternet.com, Subject Report No. 1, Current User VRT, X-Priority Normal. The context usage example shows a pattern match for myu in the smtp-header-to field. |
| smtp-header-x-field (CTS) | Matches all extended headers that start with X- in the SMTP data. | SMTP request with fields for date, time, recipient, sender, subject, and user, and a highlighted X-Priority field with value Normal. Context usage shows smtp-header-x-field pattern: Normal. |
| smtp-header-x-mailer (CTS) | Matches the X-Mailer: header in the SMTP data. | SMTP request example with X-Priority set to 3 normal, X-MSMail-Priority set to Normal, and X-Mailer highlighted showing 220171 ANSMTP 868. Context usage mentions smtp-header-x-mailer pattern ANSMTP. |
| smtp-header-x-originating-ip | Matches the X-Originating-IP header in the SMTP data. | SMTP request example highlighting the fields To, Subject, From, X-Originating-IP, and Message-Id, focusing on X-Originating-IP. |
| smtp-mime-content-data (CTS) | Matches the first 64 bytes of the base64-decoded MIME attachment data in an SMTP session. | |
| smtp-mime-content-filename (CTS) | Matches the content filename of a MIME attachment in an SMTP session. | SMTP request example showing Content-Transfer-Encoding base64 and an attachment with filename No[]-#VRT#WINXPPRO#.dat. Context highlights identifying SMTP MIME content filenames for attachments. |
| smtp-mime-content-name (CTS) | Matches the content name of a MIME attachment in an SMTP session. | SMTP request field example showing e-mail attachment metadata: Content-Type application/octet-stream, Content-Transfer-Encoding base64, and Content-Disposition with filename NoI-#VRT#WINXPPRO#.dat. |
| smtp-pdf (ANY) | smtp-pdf | |
| smtp-rcpt (CTS) | Matches the contents of the RCPT command in an SMTP transaction. | SMTP request field showing the RCPT TO command with recipient myu@fscinternet.com, followed by the DATA command and context pattern usage. |
| smtp-reply-100-line (STC) | Matches the SMTP 1yz Positive Preliminary reply. | |
| smtp-reply-200-line (STC) | Matches the SMTP 2yz Positive Completion reply. | SMTP example: server response 220 river.fscinternet.com and command HELO fscinternet.com. Context usage: smtp-reply-200-line pattern fscinternet. |
| smtp-reply-300-line (STC) | Matches the SMTP 3yz Positive Intermediate reply. | SMTP request with DATA command and server response 354 Enter mail. E-mail fields: From keys@keys.com, To myu@fscinternet.com, Subject WINXPPRO ,4. Context: smtp-reply-300-line pattern mail. |
| smtp-reply-400-line (STC) | Matches the SMTP 4yz Transient Negative Completion reply. | |
| smtp-reply-500-line (STC) | Matches the SMTP 5yz Permanent Negative Completion reply. | SMTP request showing recipient moneyhunter99@daum.net with the 550 Relaying is prohibited response highlighted. |
| smtp-reply-line (STC) | Matches any SMTP reply line. | Server response line with server name river.fscinternet.com, ESMTP, the Sendmail version, and a timestamp. HELO command with domain fscinternet.com. Highlighted pattern: ESMTP. |
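As an added example (not code from the page or from Juniper), the following Python takes a constructed DATA section of an SMTP transaction and lists the Table 3 contexts it populates: it shows how smtp-header-line (each raw line) differs from smtp-header (the unfolded header), how the named header contexts and smtp-header-x-field are derived from the unfolded headers, where smtp-mime-content-filename comes from, and that smtp-mime-content-data is only the first 64 bytes of the base64-decoded attachment. The POP3 header and MIME contexts in Table 2 are carved out the same way from server-to-client (STC) data. The sample lines, function names and the NAMED set are assumptions made for the example.

```python
import base64, itertools, re
# Constructed DATA section of an SMTP transaction (CTS lines after the 354 reply); assumed sample data.
DATA_LINES = [
    "From: keys@example.test",
    "Subject: Report",
    " No. 1",                      # folded continuation of Subject (RFC 5322 folding)
    "X-Priority: Normal",
    'Content-Disposition: attachment; filename="report.dat"',
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(b"MZ" + b"\x90" * 70).decode(),
    ".",
]
NAMED = {"from", "to", "subject", "reply-to", "sender", "comment", "x-mailer", "x-originating-ip"}

def data_contexts(lines):
    """Return the (context, value) pairs that the DATA section populates, in order."""
    it = iter(lines)
    raw = list(itertools.takewhile(lambda x: x != "", it))    # header block ends at the blank line
    body = list(itertools.takewhile(lambda x: x != ".", it))  # body ends at the lone "."
    out = [("smtp-header-line", x) for x in raw]              # one hit per raw header line
    hdrs = []
    for line in raw:                     # unfold: a line starting with whitespace continues the last header
        if line[0] in " \t" and hdrs:
            hdrs[-1] += " " + line.strip()
        else:
            hdrs.append(line)
    b64 = False
    for h in hdrs:                       # unfolded headers feed smtp-header and the named contexts
        name, _, value = h.partition(":")
        name, value = name.lower(), value.strip()
        out.append(("smtp-header", h))
        if name in NAMED:
            out.append(("smtp-header-" + name, value))
        if name.startswith("x-"):
            out.append(("smtp-header-x-field", value))
        if name == "content-disposition" and (m := re.search(r'filename="?([^";]+)', value)):
            out.append(("smtp-mime-content-filename", m.group(1)))
        b64 |= name == "content-transfer-encoding" and value.lower() == "base64"
    out += [("smtp-data-line", x) for x in body]
    if b64:   # first 64 bytes of the decoded attachment, viewed byte-for-byte as text
        data = base64.b64decode("".join(body))[:64]
        out.append(("smtp-mime-content-data", data.decode("latin-1")))
    return out

def matches(lines, context, pattern):
    """Values of one context that match a pattern, as a signature pairs a context with a pattern."""
    return [v for c, v in data_contexts(lines) if c == context and re.search(pattern, v)]
```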