[Snort-sigs] email spammer sigs?

James Riden j.riden at ...1766...
Tue Dec 2 11:21:01 EST 2003


"Tony Hernandez" <tonyh at ...1915...> writes:

> Any possible way to do an e-mail message count or a rule to catch email messages with long bcc: lists? We constantly have issues with spam trojans etc here on our 7,000+ node network and would be nice if someone could shed some light on any spammer rules they have come up with? We also have a mail server here and it would have to ignore messages being sent from there.. I also assume this can be done via a rule.
>
> Any help is greatly appreciated.

I'm piping portscan.log through a perl script a bit like the one that
follows - it counts dst port 25 hits for each source IP address
appearing. This catches at least some mass mailing viruses. You can do
the same for ports 135-139, for things like MSBlaster.

#!/usr/bin/perl
# Reads snort's portscan.log on STDIN and counts hits to dst port 25 per source IP.
# Expected line shape: "Dec  2 11:21:01 10.0.0.5:1034 -> 192.0.2.10:25 SYN ******S*"
use strict;
use warnings;

my %att;
while (my $line = <STDIN>) {
    chomp $line;

    my ($mnth, $dt, $time, $ip, $ar, $dst, $etc) = split(m/ +/, $line);
    next unless defined $dst;          # skip blank or malformed lines

    my ($srcip, $port) = split(m/:/, $ip);
    my ($dstip, $dstp) = split(m/:/, $dst);
    next unless defined $dstp;         # no "host:port" in the destination field

    if ($dstp == 25)
    {
    #check for your mailserver(s) here, or put it in portscan ignore hosts
        $att{$srcip}++;
    }
}

foreach my $k (keys %att) {
    print "$k,\"$att{$k} hits on 25/tcp\"\r\n";
}

Otherwise, tools like 'rate' might be able to pick out the top n SMTP
senders. (I'm using rate to track ICMP traffic from Welchia at the
moment.)

Getting off-topic for snort-sigs I think...
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Programmer - Security
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
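As an added example (my code, not part of Jamie's post), the same per-source count written in Python, extended to also track how many distinct hosts each source contacts on 25/tcp and to skip a whitelisted mail server, so a workstation mailing through the site MTA is told apart from a host spraying SMTP at the internet. The log lines, addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Snort 1.x portscan.log line shape (constructed sample, not real traffic):
#   "Dec  2 11:21:01 10.0.0.5:1034 -> 192.0.2.10:25 SYN ******S*"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<src>[\d.]+):\d+\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s")

def smtp_fanout(lines, mail_servers=frozenset(), port=25):
    """Return {src_ip: (hits, distinct_dst_hosts)} for connections to `port`,
    skipping sources listed in mail_servers (the site's own MTAs)."""
    hits, dsts = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue  # unparsable line, or not SMTP
        if m["src"] in mail_servers:
            continue  # the MTA legitimately talks to many hosts on 25/tcp
        hits[m["src"]] += 1
        dsts[m["src"]].add(m["dst"])
    return {ip: (hits[ip], len(dsts[ip])) for ip in hits}

def suspects(stats, min_hits=3, min_dsts=2):
    """A host mailing through its own MTA hits one destination many times;
    a mass-mailer fans out to many distinct hosts. Require both thresholds."""
    return sorted(ip for ip, (h, d) in stats.items() if h >= min_hits and d >= min_dsts)

# Constructed log: 10.0.0.5 fans out (worm-like), 10.0.0.9 relays via the
# site MTA 10.0.0.25, the MTA itself is whitelisted, 10.0.0.7 is not SMTP.
SAMPLE_LOG = """\
Dec  2 11:21:01 10.0.0.5:1034 -> 192.0.2.10:25 SYN ******S*
Dec  2 11:21:01 10.0.0.5:1035 -> 192.0.2.11:25 SYN ******S*
Dec  2 11:21:02 10.0.0.5:1036 -> 198.51.100.7:25 SYN ******S*
Dec  2 11:21:03 10.0.0.9:2001 -> 10.0.0.25:25 SYN ******S*
Dec  2 11:21:03 10.0.0.9:2002 -> 10.0.0.25:25 SYN ******S*
Dec  2 11:21:03 10.0.0.9:2003 -> 10.0.0.25:25 SYN ******S*
Dec  2 11:21:04 10.0.0.25:3000 -> 192.0.2.20:25 SYN ******S*
Dec  2 11:21:04 10.0.0.25:3001 -> 192.0.2.21:25 SYN ******S*
Dec  2 11:21:05 10.0.0.7:4000 -> 192.0.2.30:135 SYN ******S*
"""
MAIL_SERVERS = frozenset({"10.0.0.25"})

if __name__ == "__main__":
    stats = smtp_fanout(SAMPLE_LOG.splitlines(), MAIL_SERVERS)
    for ip in suspects(stats):
        h, d = stats[ip]
        print(f'{ip},"{h} hits on 25/tcp to {d} distinct hosts"')
```

Run it as `python3 smtp_fanout.py` on the embedded sample, or swap SAMPLE_LOG for `sys.stdin` to pipe a real portscan.log through it the way the Perl version does.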