OT: Finding Spam Trojans on your network (was Re: [Snort-sigs] email spammer sigs?)

Tony Hernandez tonyh at ...1915...
Tue Dec 2 11:01:01 EST 2003


Yes, you are correct. I do want to catch the trojans - as it is what is causing the headaches at the moment. And I do work at an edu. University of Florida Division of Housing, you may have heard of us because of our ICARUS project. It has been in the spotlight and slashdotted a bit =). I wonder if those scripts that you wrote can be inserted into a mysql database fairly easily.. I'm gonna have a go at those scripts and test them out here see if I can tune them up for our network.


Thanks guys for the pointers.




-----Original Message-----
From: Brian Eckman [mailto:eckman at ...2044...]
Sent: Tuesday, December 02, 2003 12:40 PM
To: Snort-sigs at lists.sourceforge.net
Subject: OT: Finding Spam Trojans on your network (was Re: [Snort-sigs] email spammer sigs?)



Raj Wurttemberg wrote:
>>Might I suggest looking at www.spamassassin.org, or one of the bayes 
>>filters out there? They're purpose designed for this kind of thing.
> 
> 
> Agreed... I just configured SpamAssassin on my RH9 system in just a matter
> of minutes. It's simple and it WORKS. Some interesting info on
> http://news.spamassassin.org/ is that SpamAssassin was rated better than the
> below packages:
> 
> - Clearswift MAILSweeper 
> - GFI MailEssentials 
> - Red Earth Policy Patrol Enterprise 
> - SurfControl Email filter 
> - Symantec AntiVirus Gateway (with SpamFilter) 
> 
> I guess I will not be renewing my license for MAILSweeper next year. :)
> 
> /*Raj*/

(original message copied below because it is relevant to my response)

Tony Hernandez wrote:
> Any possible way to do a e-mail message count or a rule to catch email
> messages with long bcc: lists? We constantly have issues with spam
> trojans etc here on our 7,000+ node network and would be nice if
> someone could shed some light on any spammer rules they have come up
> with? We also have a mail server here and it would have to ignore
> messages being sent from there.. I also assume this can be done via a
> rule.


I think what he is looking for is a way to catch spam trojans on his 
network sending out spam. This is a big problem in EDUs and perhaps in 
your environments too.

We don't catch these in Snort (thus why I labelled this post "OT"). We 
manually run tcpdump once an hour or so and have it tell us who is 
sending out quantities of SMTP traffic. I can tell by looking at it who 
is legit and who is not (it took a little while to get there, but not as 
long as you'd think). I ignore the known mail servers, and investigate 
all others. A co-worker and I made a couple of different scripts to help 
us out.

One file (find_smtp): (change IP src nets to your own)
------------------------------------------------------------------------
#!/usr/pkg/bin/tcsh
# find_smtp: grab 10,000 packets leaving our address space on 25/tcp (interface
# wm1), count packets per source address, and print every source with more
# than 40.  The 999.* networks are placeholders: substitute your own.
# Field 2 of tcpdump -n output is "src.port" in the tcpdump of the day; newer
# tcpdump prints an "IP" token first, so field 3 would be needed there.
# The command substitution must stay on a single line.

foreach i ( `tcpdump -n -i wm1 -c 10000 '( src net 999.999.0.0/16 or src net 999.998.0.0/16 or src net 999.997.0.0/16 ) and tcp and port 25' | awk '{ print $2 }' | cut -d '.' -f '1-4' | sort -r | uniq -c | sort -nr | awk '{ if ( $1 > 40 ) print $2 }'` )
	echo $i
end

exit 0
------------------------------------------------------------------------
(Basically, grab 10,000 25/tcp packets that come from my network, and 
tell me who has sent more than 40. Adjust this based on the size of your 
network. If it takes 20 minutes for 10,000 25/tcp packets to cross your 
border, reduce the numbers!)

Then, actually run this file every so often: (change /path/to/)
------------------------------------------------------------------------
#!/usr/pkg/bin/tcsh
# Run find_smtp (fix /path/to/) and print each flagged address next to its
# reverse-DNS name so known mail servers stand out; date-stamp the report.

foreach file ( `/path/to/find_smtp | sort` )
	# host prints "x.x.x.x.in-addr.arpa domain name pointer name."; field 5 is the name
	echo -n $file " " ; host $file | awk '{ print $5 }'
end
date
exit 0
------------------------------------------------------------------------
(Basically, run the find_smtp script listed, and lookup the DNS entries 
for the IP addresses listed and print them out along with the IP 
addresses. Very helpful in our environment to determine at a glance 
whether it is a "known" mail server or not. Print out the time it was 
run at the end, as I might not get to looking at it right away.)

Hopefully this helps. You can certainly play with it, have it run via 
cron, compare results against a known good list, email the variants to 
you, etc. I intend to get fancy with it when I can make the time.

Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
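The counting pipeline Brian describes, reworked as an added POSIX sh example (not his script and not part of the original thread): it counts only packets whose destination port is 25, so a mail server answering from port 25 is not mistaken for a host submitting mail, and it drops a configurable list of known MTAs before applying the threshold. The interface name, the 192.0.2.x/10.x addresses and the sample capture are all constructed for offline testing.

```shell
#!/bin/sh
# Hypothetical POSIX sh reworking of the find_smtp idea: count outbound 25/tcp
# packets per internal source in tcpdump -n text output, drop known mail
# servers, and report sources over a threshold.

# Known-good outbound MTAs, space separated (constructed placeholder addresses).
KNOWN_MTAS="192.0.2.25 192.0.2.26"

# find_spam_sources <threshold> [known-mta-list]
# Reads tcpdump -n lines on stdin; prints "<count> <src-ip>" per offender.
find_spam_sources() {
    awk -v thr="$1" -v known="${2-$KNOWN_MTAS}" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        # Modern tcpdump prints "IP" in field 2 and src.port in field 3 (the
        # 2003-era version had src.port in field 2).  Only packets whose
        # destination port is 25 count, so an MTA answering from port 25 is
        # not mistaken for a host submitting mail.
        $2 == "IP" && $5 ~ /\.25:$/ {
            ip = $3; sub(/\.[0-9]+$/, "", ip)       # strip the source port
            if (!(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] > thr) print count[ip], ip }
    ' | sort -nr
}

# live_scan <iface> <internal-net-cidr> <threshold>: the real capture, e.g.
#   live_scan wm1 10.0.0.0/8 40
live_scan() {
    tcpdump -n -i "$1" -c 10000 "src net $2 and dst port 25" | find_spam_sources "$3"
}

# emit <n> <src.port> <dst.port>: n constructed tcpdump -n lines for offline testing.
emit() {
    n=$1
    while [ "$n" -gt 0 ]; do
        echo "12:00:00.000000 IP $2 > $3: Flags [S], seq 0, win 64240, length 0"
        n=$((n - 1))
    done
}

# Constructed capture: one noisy host, one known MTA, one quiet host, and
# replies sent from port 25 that must not be counted as submissions.
sample_capture() {
    emit 5 10.1.2.3.40001   203.0.113.9.25
    emit 6 192.0.2.25.50123 203.0.113.9.25
    emit 1 10.1.2.4.40002   203.0.113.9.25
    emit 4 10.1.2.5.25      198.51.100.7.33001
}

sample_capture | find_spam_sources 3      # prints: 5 10.1.2.3
```

Pipe the flagged addresses through `host` as in Brian's second script if you want names beside them; the known-MTA list is what keeps the legitimate servers out of the report.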


