[Snort-sigs] formmail redux
jadams at ...315...
Fri Jan 25 12:20:02 EST 2002
On Fri, 25 Jan 2002, Chris Green wrote:
> This message will set this alert off. That said,
> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"OUTGOING SPAM
> formmail"; content:"formmail"; nocase;)
> They've gone to probing way more than I can reasonably handle but they
> always seem to be kind and include the url they are exploiting so they
> can have a list of open relays waiting in their inbox.
Was there a set signature published recently for inbound formmail
scanning? If so, what's it's ID, and where can I find it?
John Adams . Sr. Security Engineer . Inktomi Corporation
More information about the Snort-sigs