
Look Who's Talking

The ability to monitor Simple Mail Transfer Protocol (SMTP) performance is more powerful than you think.

Christine Shaw

January 31, 2017

What is SMTP?

Simple Mail Transfer Protocol (SMTP) is the standard protocol used to transmit email messages between hosts. Chances are you depend on it working effectively more than you realize, whether you use web-based email applications or a desktop email client. This is one of those protocols that gets taken for granted until something goes wrong, and when that happens, the diagnosis and troubleshooting can be tough unless you've already got a solution in place for monitoring SMTP performance.

SMTP Requests

SMTP is a relatively simple plain-text protocol that relies on a set of standard commands to transmit messages from a mail client to a mail server. The core commands are the MAIL command, which specifies a return address; the RCPT command, which specifies a single recipient and can be called multiple times; and the DATA command, which contains the headers and actual message content. Additional commands exist for initiating an SMTP session, encrypting the connection, resetting a transaction without closing the connection, and ending the session.

SMTP Responses and Errors

For each command sent by the client, the server responds with a three-digit code and relevant text indicating the result of the command or the status of the server. The first digit of the code indicates the severity of the reply:

  • 2xx: The request was completed successfully
  • 3xx: The request was accepted, but the server needs more information from the client
  • 4xx: The request was unsuccessful, but the client should try again
  • 5xx: A permanent error condition indicating that the requested action could not be completed

The second and third digits of the reply code give more specific details about the status of the request. Ideally, the most common response you would want to see in your network is 250, which tells the client that its request was OK and was successfully completed. However, errors are common with SMTP. Frequent causes include mistyped email addresses, a full recipient mailbox, or a lack of authentication or permissions. The same error message can also show up multiple times, since SMTP senders often retry failed messages.
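As an added example (not from this post or from ExtraHop), here is a small Python parser that walks a constructed SMTP transcript, pairs each final server reply with the client command it answers, and classifies the reply by its first digit as described above. It skips continuation lines of multi-line replies and attributes the reply that follows the message body to DATA, so rejected recipients can be told apart by whether a retry is worthwhile (4xx) or not (5xx).

```python
import re

# Constructed sample session (not a real capture): "C:" lines are client commands, "S:" lines are server replies.
SESSION = """\
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: MAIL FROM:<alice@example.test>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.test>
S: 250 2.1.5 Ok
C: RCPT TO:<bbo@example.test>
S: 550 5.1.1 User unknown
C: RCPT TO:<carol@example.test>
S: 452 4.2.2 Mailbox full
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: hello
C: .
S: 250 2.0.0 Ok: queued
"""

SEVERITY = {"2": "success", "3": "intermediate", "4": "transient", "5": "permanent"}

def parse_session(text):
    """Pair each final server reply with the client command it answers.
    Continuation lines ("250-...") are skipped; body lines after a 354
    are attributed to DATA. Returns (command, argument, code, severity)."""
    results, in_data, cmd, arg = [], False, None, None
    for line in text.splitlines():
        who, _, body = line.partition(": ")
        if who == "C":
            if in_data:
                in_data = body != "."  # a lone dot ends the message body
            else:
                cmd, _, arg = body.partition(" ")
                cmd = cmd.upper()
        elif who == "S":
            m = re.match(r"(\d{3})([ -])", body)
            if not m or m.group(2) == "-":
                continue  # malformed, or a continuation line of a multi-line reply
            code = int(m.group(1))
            in_data = code == 354
            results.append((cmd, arg, code, SEVERITY.get(m.group(1)[0], "unknown")))
    return results

def failed_recipients(results):
    """Rejected RCPT addresses -> whether a retry may succeed (transient) or not (permanent)."""
    return {arg.partition(":")[2]: sev for cmd, arg, code, sev in results if cmd == "RCPT" and code >= 400}
```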

With ExtraHop's ability to capture and analyze the SMTP traffic flowing through your network, you can dig deeper into details about who is using SMTP and how, as well as find problems in real time.

How ExtraHop Can Help

With ExtraHop, you can get more details about any SMTP errors in your network beyond just what the error code was and when it occurred. You can correlate errors with the client and server at each endpoint of the transaction, the sender's email address, and other relevant network conditions. The visibility that ExtraHop gives into your SMTP traffic can help you catch problems before users are affected and troubleshoot them more easily.

SMTP Dashboard

ExtraHop can show you the most active email senders and recipients, as well as details about size, type, and frequency of emails in your network.

For a real-world example of how beneficial this visibility can be, see how ExtraHop saved Tyler Technologies time and money by allowing them to diagnose SMTP problems on their network. While ExtraHop has built-in SMTP support by default, there is also a free bundle available in the bundles gallery which adds metrics and consolidates those and other useful SMTP metrics on two dashboards.
