[Snort-users] Spamming

Erek Adams erek at ...577...
Wed Oct 3 07:24:02 EDT 2001

On Wed, 3 Oct 2001, Roger Bou Aoun wrote:

> Can we stop spamming using snort??? If yes how can it be done, I know
> that commercial Intrusion Detection Systems, are able to do it, can it
> be done with the open Source software, or limit the number of sessions
> that each IP can use on a certain port

*sigh*  I hate this debate.  :-)

Some points in no real order:

1)  How do you determine spam?  You must look into the headers for some info.
That's ALL you should do.  If you go into the 'envelope' you are now 'filtering
based on content'.  That's a Bad Thing(tm) in the mailadmin world.

2)  Snort could reset the connections based on a rule.  Consider if you had a
rule that said if you see 'make money fast' on port 25, and your
President/CEO sent an email to the whole company that said 'we need to make
money faster to stay in business'....  Kinda a Career Limiting Move to have
that connection whacked, wouldn't it?  :)

3)  Do 'opt-in' filtering on your SERVER.  Don't do it anywhere else.  That's
where the problem is, so fix it at that point.  Use some anti-spam/relay
setups for whatever SMTP server (Netscape, I think...) you're using.

Just my .02 worth...  I was a mailadmin in a previous life, so I'm still
touchy about these kinds of issues.  :-)

Erek Adams

