[Snort-sigs] email spammer sigs?

Matt Kettler mkettler at ...189...
Tue Dec 2 08:43:01 EST 2003


At 04:01 PM 12/1/2003, Tony Hernandez wrote:
>Any possible way to do an e-mail message count or a rule to catch email 
>messages with long bcc: lists? We constantly have issues with spam trojans 
>etc here on our 7,000+ node network and would be nice if someone could 
>shed some light on any spammer rules they have come up with? We also have 
>a mail server here and it would have to ignore messages being sent from 
>there.. I also assume this can be done via a rule.

This would be fairly complicated to do with snort rules, and likely to lead 
to lots of FPs...

Might I suggest looking at www.spamassassin.org, or one of the bayes 
filters out there? They're purpose designed for this kind of thing.




