[Snort-sigs] formmail redux

John Adams jadams at ...315...
Fri Jan 25 12:20:02 EST 2002


On Fri, 25 Jan 2002, Chris Green wrote:

> This message will set this alert off.  That said,
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"OUTGOING SPAM
>                     formmail"; content:"formmail"; nocase;)
> 
> They've gone to probing way more than I can reasonably handle but they
> always seem to be kind and include the url they are exploiting so they
> can have a list of open relays waiting in their inbox.

Was there a set signature published recently for inbound formmail
scanning? If so, what's it's ID, and where can I find it?

-j


-- 
John Adams         . Sr. Security Engineer . Inktomi Corporation






More information about the Snort-sigs mailing list