OT: Finding Spam Trojans on your network (was Re: [Snort-sigs] email spammer sigs?)

Brian Eckman eckman at ...2044...
Tue Dec 2 09:40:02 EST 2003

Raj Wurttemberg wrote:
>>Might I suggest looking at www.spamassassin.org, or one of the bayes 
>>filters out there? They're purpose designed for this kind of thing.
> Agreed... I just configured SpamAssassin on my RH9 system in just a matter
> of minutes. It's simple and it WORKS. Some interesting info on
> http://news.spamassassin.org/ is that SpamAssassin was rated better than the
> below packages:
> - Clearswift MAILSweeper 
> - GFI MailEssentials 
> - Red Earth Policy Patrol Enterprise 
> - SurfControl Email filter 
> - Symantec AntiVirus Gateway (with SpamFilter) 
> I guess I will not be renewing my license for MAILSweeper next year. :)
> /*Raj*/

(original message copied below because it is relavant to my response)

Tony Hernandez wrote:
 > Any possible way to do a e-mail message count or a rule to catch email
 > messages with long bcc: lists? We constantly have issues with spam
 > trojans etc here on our 7,000+ node network and would be nice if
 > someone could shed some light on any spammer rules they have come up
 > with? We also have a mail server here and it would have to ignore
 > messages bieng sent from there.. I also assume this can be done via a
 > rule.

I think what he is looking for is a way to catch spam trojans on his 
network sending out spam. This is a big problem in EDUs and perhaps in 
your environments too.

We don't catch these in Snort (thus why I labelled this post "OT"). We 
manually run tcpdump once an hour or so and have us tell us who is 
sending out quantities of SMTP traffic. I can tell by looking at it who 
is legit and who is not (it took a little while to get there, but not as 
long as you'd think). I ignore the known mail servers, and investigate 
all others. A co-worker and I made a couple of different scripts to help 
us out.

One file (find_smtp): (change IP src nets to your own)

foreach i ( `tcpdump -n -i wm1 -c 10000 '( src net 999.999.0.0/16 or src 
net 999.998.0.0/16 or src net 999.997.0.0/16 ) and tcp and port 25' | 
awk '{ print $2 }' | cut -d '.' -f '1-4' | sort -r | uniq -c | sort -nr 
| awk '{ if ( $1 > 40 ) print $2 }'` )
echo $i

exit 0
(Basically, grab 10,000 25/tcp packets that come from my network, and 
tell me who has sent more than 40. Adjust this based on the size of your 
network. If it takes 20 minutes for 10,000 25/tcp packets to cross your 
border, reduce the numbers!)

Then, actually run this file every so often: (change /path/to/)

foreach file ( `/path/to/find_smtp | sort` )

echo -n $file " " ; host $file | awk '{ print $5 }'
exit 0
(Basically, run the find_smtp script listed, and lookup the DNS entries 
for the IP addresses listed and print them out along with the IP 
addresses. Very helpful in our environment to determine at a glance 
whether it is a "known" mail server or not. Print out the time it was 
run at the end, as I might not get to looking at it right away.)

Hopefully this helps. You can certainly play with it, have it run via 
cron, compare results against a known good list, email the variants to 
you, etc. I intend to get fancy with it when I can make the time.


Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

More information about the Snort-sigs mailing list