[Snort-sigs] Yahoo mail updates

Matthew Jonkman matt at ...2436...
Thu Jul 1 16:09:05 EDT 2004

I agree with you on prevention. It's always the best bet.

These signatures come in handy in a lot of places though. Especially for 
an organization like mine, where we watch a lot of small and large nets, 
all with different policies and permissible practices, all with 
different levels of technical competence, all with different levels of 
risk, and many falling under several different federal regs.

I have some clients that allow webmail, but want to know when it's being 
abused. So if we get say 100 Yahoo mail sends from one person a day 
we'll let the client know. Or for organizations where they haven't the 
technology to block URLs, or the willingness to do so, we watch it for 
any use at all and they can counsel employees.

But the main reason we spent the time writing these is for historical 
purposes. Say a company starts to suspect an employee is harassing 
someone via webmail, or maybe releasing internal info to the press 
anonymously. They can have us go back as far as we have IDS data and 
tell them exactly what this person has sent out via Yahoo, Hotmail, etc. 
And often we can alleviate or confirm their fears without having to have 
any kind of ugly confrontation with the employee based on hearsay.

We had one incident not too long ago where we took a user's entire log of 
chat messages for 6 months where they discussed an entire crime 
(stealing internal information to create their own firm) to a deposition 
and forced a settlement. No trial, very reduced legal fees. No bad 
press. It'd be doubtful you could get those logs into court (i.e. proving 
what workstation they came from, who was on at the time, etc.), but just 
having that much information is enough to avoid the whole thing. They 
knew they were had, and couldn't utter another word of denial.

So it's not always as black and white as allowing or not allowing chat 
or webmail, etc.

IDS is a great tool, it's not just for security anymore. :)


Adrian Marsden wrote:

> If you block http://login.yahoo.com/ with a web filter then these rules are unnecessary. They can't get there in the first place. I know that in all environments this isn't feasible, but where it is, it is easier than chasing after the offender after they infect a network with something.
> Matt: As a note... I'm not picking on you... You are doing good work... I just prefer using technology to prevent things if it is acceptable in the environment. I know I spent ages trying to stop people from getting to personal email before I found the "key" places to block. I'm putting this in there for the benefit of those who might think that, because the IPs of the big mail providers' mail servers change so often and spread over a range that would be unacceptable to block, they can't. I have learned to look for the "choke points" - those places that the user _must_ go through and don't change their FQDN.
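The "100 webmail sends from one person a day" check Matt describes above is a per-source, per-day count over IDS alerts rather than a single signature match. Below is an added example (not code from the thread or from the Snort project) that reads Snort "fast" alert lines, keeps only alerts whose SID is in a set of webmail-send signatures, tallies them per source host per day, and reports hosts at or above a threshold. The alert lines, the SIDs (1000001, 1000002) and the rule messages are constructed placeholders; the regex assumes the standard fast-alert layout with a `{PROTO} src:port -> dst:port` tail.

```python
"""Tally webmail-send IDS alerts per source host per day and flag hosts
that exceed a daily threshold. Constructed example; the SIDs and message
strings below are placeholders, not rules from the Snort-sigs thread."""
import re
from collections import Counter

# Constructed Snort fast-alert lines (alert_fast output format).
# 1000001/1000002 stand in for webmail-send rules; 2000001 is unrelated noise.
SAMPLE_ALERTS = """\
07/01-09:12:01.000001  [**] [1:1000001:1] LOCAL Yahoo mail send [**] [Priority: 3] {TCP} 10.1.2.3:40001 -> 192.0.2.10:80
07/01-09:15:44.000002  [**] [1:1000001:1] LOCAL Yahoo mail send [**] [Priority: 3] {TCP} 10.1.2.3:40002 -> 192.0.2.10:80
07/01-10:01:09.000003  [**] [1:1000001:1] LOCAL Yahoo mail send [**] [Priority: 3] {TCP} 10.1.2.9:40100 -> 192.0.2.10:80
07/01-11:30:00.000004  [**] [1:1000002:1] LOCAL Hotmail mail send [**] [Priority: 3] {TCP} 10.1.2.3:40003 -> 192.0.2.20:80
07/02-08:00:00.000005  [**] [1:1000001:1] LOCAL Yahoo mail send [**] [Priority: 3] {TCP} 10.1.2.3:40004 -> 192.0.2.10:80
07/01-12:00:00.000006  [**] [1:2000001:1] LOCAL unrelated alert [**] [Priority: 2] {TCP} 10.1.2.3:40005 -> 192.0.2.30:443
"""

# Placeholder SIDs assumed to be the webmail-send signatures in use.
WEBMAIL_SIDS = {"1000001", "1000002"}

# Fast-alert layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport"
FAST_ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line)
    return m.groupdict() if m else None


def count_webmail_sends(lines, webmail_sids=WEBMAIL_SIDS):
    """Count webmail-send alerts keyed by (source IP, date); other SIDs and
    unparseable lines are ignored rather than failing the run."""
    counts = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert["sid"] not in webmail_sids:
            continue
        counts[(alert["src"], alert["date"])] += 1
    return counts


def hosts_over_threshold(lines, threshold, webmail_sids=WEBMAIL_SIDS):
    """Return sorted (src, date, count) tuples for hosts at or above threshold
    sends in one day; this is the per-client report described in the post."""
    counts = count_webmail_sends(lines, webmail_sids)
    return sorted((src, date, n) for (src, date), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # A low threshold so the constructed sample actually trips the report.
    for src, date, n in hosts_over_threshold(SAMPLE_ALERTS.splitlines(), threshold=3):
        print(f"{date}: {src} sent {n} webmail messages (threshold 3)")
```

Because the key is (source IP, date), a DHCP lease change mid-day splits one user across two entries; in practice the source IP would be joined against DHCP or authentication logs before the count is attributed to a person, which is the same "who was on at the time" gap Matt notes for court use.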
