[Snort-sigs] email spammer sigs?

Adrian Marsden amarsden at ...2045...
Tue Dec 2 13:12:02 EST 2003

My favorite little trick is really rather simple.

Firewall rules:-

Inbound SMTP (port 25) is only allowed to the internal mail servers; all
other SMTP traffic is dropped at the firewall.

Outbound SMTP is only allowed out from internal Mail Servers - all other
traffic outbound is dropped and alerts sent immediately to admin.

Since most of the viruses have their own SMTP engines that attempt to
move mail directly to the intended recipients' servers, they do not pass
through the internal servers. Thus they make a lot of noise at the
firewall but are unable to propagate themselves to their victims. And I
know immediately that something got in and which machine it is on.

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...651...] 
Sent: Tuesday, December 02, 2003 3:58 PM
To: Snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] email spammer sigs?

On Wed, 2003-12-03 at 05:43, Matt Kettler wrote:
> At 04:01 PM 12/1/2003, Tony Hernandez wrote:
> >Any possible way to do a e-mail message count or a rule to catch
> >messages with long bcc: lists? We constantly have issues with spam
> >etc here on our 7,000+ node network and would be nice if someone
> >shed some light on any spammer rules they have come up with? We also
> >have a mail server here and it would have to ignore messages being sent
> >there.. I also assume this can be done via a rule.

You will have as much luck finding viruses via snort too. Don't get me
wrong, the virus rules in Snort are OK - it's just that there are...
(goes and looks) *19* rules - and there are over 70,000 that most AV
scanners look for...

What you need to do (IMHO) is to policy route all Internet-bound TCP
port 25 traffic to your own mail server(s), upon which you virus/SPAM
scan. That way you catch it all.

There are several products to do this, some commercial, and OS ones like
Qmail-Scanner (ahem), MailScanner and amavis - all of which do both
virus and spam scanning.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
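The two approaches in this thread (Adrian's "only the mail servers may speak SMTP, log and drop everything else" firewall policy, and Jason's "policy-route all outbound port 25 to your own scanning relay") can be expressed in one small ruleset. The script below is an added example, not code from either poster or from the Snort project: it generates an nftables ruleset for a firewall that forwards between an internal and an Internet-facing interface, in either `drop` mode (Adrian) or `redirect` mode (Jason), and it includes a small triage helper that pulls the offending internal hosts out of the resulting kernel log lines, which is how you learn "which machine it is on". The addresses (RFC 5737 test ranges and a 10.0.0.0/8 LAN), interface names, log prefix and the sample log lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: SMTP egress policy as an nftables ruleset, plus log triage.
# Usage:  sh smtp_egress.sh [drop|redirect] [relay_ip] | nft -f -
#         journalctl -k | sh smtp_egress.sh triage
# All addresses and interface names below are assumptions for the example.

MAIL_SERVERS="192.0.2.10, 192.0.2.11"   # assumed internal mail servers
LAN_IF="eth1"                            # assumed internal interface
WAN_IF="eth0"                            # assumed Internet-facing interface
LOG_PREFIX="SMTP-EGRESS-VIOLATION"       # assumed log prefix matched by triage_log

# Print the ruleset on stdout. Mode "drop" logs and drops stray outbound SMTP
# (Adrian's approach); mode "redirect" additionally DNATs it to the scanning
# relay before the forward chain sees it (Jason's policy-routing approach).
gen_ruleset() {
    mode="${1:-drop}"
    relay="${2:-192.0.2.10}"             # assumed relay, must be in MAIL_SERVERS
    cat <<EOF
table ip smtp_policy {
    set mail_servers {
        type ipv4_addr
        elements = { $MAIL_SERVERS }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Inbound SMTP only to the mail servers; everything else is dropped.
        iifname "$WAN_IF" tcp dport 25 ip daddr @mail_servers accept
        iifname "$WAN_IF" tcp dport 25 drop
        # Outbound SMTP only from the mail servers. Any other internal host
        # talking port 25 to the Internet is bypassing the relay, which is
        # exactly what a mass-mailing worm with its own SMTP engine does.
        iifname "$LAN_IF" oifname "$WAN_IF" tcp dport 25 ip saddr @mail_servers accept
        iifname "$LAN_IF" oifname "$WAN_IF" tcp dport 25 log prefix "$LOG_PREFIX: " drop
    }
EOF
    if [ "$mode" = redirect ]; then
        cat <<EOF
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Stray outbound SMTP is logged, then rewritten to the relay, which
        # virus/spam scans it. The forward drop rule above stays as a backstop.
        iifname "$LAN_IF" tcp dport 25 ip saddr != @mail_servers log prefix "$LOG_PREFIX: "
        iifname "$LAN_IF" tcp dport 25 ip saddr != @mail_servers dnat to $relay
    }
EOF
    fi
    echo "}"
}

# Read kernel log lines on stdin and list internal source addresses that hit
# the log rule, most frequent first: these are the machines to go and clean.
triage_log() {
    grep "$LOG_PREFIX" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample of what the log rule produces (not real log data).
SAMPLE_LOG='Dec  2 13:01:05 fw kernel: SMTP-EGRESS-VIOLATION: IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=203.0.113.5 PROTO=TCP SPT=3344 DPT=25
Dec  2 13:01:06 fw kernel: SMTP-EGRESS-VIOLATION: IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=198.51.100.9 PROTO=TCP SPT=3345 DPT=25
Dec  2 13:01:09 fw kernel: OTHER-RULE: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.80 PROTO=TCP SPT=4001 DPT=80
Dec  2 13:02:11 fw kernel: SMTP-EGRESS-VIOLATION: IN=eth1 OUT=eth0 SRC=10.0.0.51 DST=203.0.113.5 PROTO=TCP SPT=1100 DPT=25'

case "${1:-drop}" in
    triage) triage_log ;;
    *)      gen_ruleset "$@" ;;
esac
```

In `redirect` mode the relay has to accept mail for any destination from internal addresses (it becomes the forced outbound path), and the worm's connection still shows up in the log, so the alerting Adrian describes works in both modes. Running the triage over the constructed sample lists 10.0.0.37 first with two hits; the non-SMTP line is ignored because it lacks the prefix.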
