[Snort-users] Spamming

Erek Adams erek at ...577...
Wed Oct 3 08:33:03 EDT 2001

On Thu, 4 Oct 2001, Chris Keladis wrote:


> Well I don't think parsing the envelope headers would be as much of a sin
> as parsing the letter headers. (After all, most every MTA needs to parse
> the envelope headers to deliver the mail).
> Even if you match on the envelope headers, SPAM could still get past
> since it could have correct envelope headers (say from a forward or a
> redirect), but be a spam internally in the letter headers, and I kind of
> agree with you, parsing the content (letter headers) is rather lame,
> especially since letter headers are simply strings of the sender's
> selection.

*sigh*  I need to remember to have _more_ coffee before doing email in the
morning.  *grrr*  I meant to say 'body' and not envelope.  Oh well, I'll just
put on another pot.

> Hehehe.. I hear you there :)

Mailadmins are a testy breed...  ;-)

> If this feature was seriously needed then I'd say you would need a
> dedicated pre-processor, and even then you would have a hell of a time
> parsing out the Received: lines since I don't think they need to conform
> to any standard, apart from beginning with Received: for each mail-hop.

Yes, a mail-gateway would be the perfect thing.  All incoming mail drops into
a queue, then you do whatever you want to it, then send it out the backend to
your real mailstore.


Erek Adams
