[Snort-sigs] email spammer sigs?

Jason Haar Jason.Haar at ...651...
Tue Dec 2 12:58:01 EST 2003

On Wed, 2003-12-03 at 05:43, Matt Kettler wrote:
> At 04:01 PM 12/1/2003, Tony Hernandez wrote:
> >Any possible way to do an e-mail message count or a rule to catch email 
> >messages with long bcc: lists? We constantly have issues with spam trojans 
> >etc here on our 7,000+ node network and would be nice if someone could 
> >shed some light on any spammer rules they have come up with? We also have 
> >a mail server here and it would have to ignore messages being sent from 
> >there.. I also assume this can be done via a rule.

You will have as much luck finding viruses via snort too. Don't get me
wrong, the virus rules in Snort are OK - it's just that there are...
(goes and looks) *19* rules - and there are over 70,000 that most AV
scanners look for...

What you need to do (IMHO) is to policy route all Internet-bound TCP
port 25 traffic to your own mail server(s), upon which you virus/SPAM
scan. That way you catch it all.

There are several products to do this, some commercial, and OS ones like
Qmail-Scanner (ahem), MailScanner and amavis - all of which do both
virus and spam scanning.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
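One way to implement the outbound-port-25 policy routing Jason describes on a Linux gateway, as an added example that is not part of the original post. The addresses are assumed placeholders (LAN 10.0.0.0/8, scanning relay 10.1.2.3, WAN interface eth0); the script prints the iptables commands for review rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original post): steer every outbound TCP/25
# connection from the internal network through the site's own scanning
# mail relay, so a spam trojan on a workstation hits the scanner instead
# of the Internet. Placeholder values; override via the environment.
LAN_NET="${LAN_NET:-10.0.0.0/8}"      # assumed internal address space
MAIL_RELAY="${MAIL_RELAY:-10.1.2.3}"  # assumed scanning relay (the real mail server)
WAN_IF="${WAN_IF:-eth0}"              # assumed Internet-facing interface

# Emit the rules instead of running them, so they can be reviewed first
# (or piped to sh on the gateway).
smtp_redirect_rules() {
    # 1. Mail from the relay itself must leave untouched: the original
    #    question asked that messages from the real mail server be ignored.
    #    RETURN in a built-in chain stops traversal and applies the policy.
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 25 -j RETURN\n' \
        "$MAIL_RELAY"
    # 2. Every other internal host talking to TCP/25 is redirected to the relay.
    #    Assumes the relay is on a different segment from the clients so the
    #    reply path also crosses this gateway; otherwise an SNAT rule is needed.
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 25 -j DNAT --to-destination %s:25\n' \
        "$LAN_NET" "$MAIL_RELAY"
    # 3. Anything still trying to leave on TCP/25 that is not the relay has
    #    bypassed the redirect; log it (a useful detection signal) and drop it.
    printf 'iptables -A FORWARD -o %s -p tcp --dport 25 ! -s %s -j LOG --log-prefix "SMTP-BYPASS "\n' \
        "$WAN_IF" "$MAIL_RELAY"
    printf 'iptables -A FORWARD -o %s -p tcp --dport 25 ! -s %s -j DROP\n' \
        "$WAN_IF" "$MAIL_RELAY"
}

# Number of rules generated, used as a quick sanity check.
count_rules() { smtp_redirect_rules | wc -l | tr -d ' '; }

smtp_redirect_rules
```

Hosts that legitimately need direct SMTP (a second relay, a vendor appliance) get their own RETURN rule ahead of the DNAT, and the SMTP-BYPASS log prefix gives Snort or syslog something to alert on.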
