[Snort-users] Spamming

Jason Robertson jason at ...3161...
Thu Oct 4 11:07:02 EDT 2001


This sounds more like something that would be better handled by the mail server.

I know a server like Exim can handle this to a degree.  Or with a router with ratelimiting(or linux 
with the ratelimiting patches), you just give him almost no access, as an example he can only 
send to the server at 2kbps, this would make spam nearly impossible.

On 3 Oct 2001 at 21:39, Roger Bou Aoun wrote:

From:           	"Roger Bou Aoun" <roger.bouaoun at ...3680...>
To:             	"'Chris Keladis'" <Chris.Keladis at ...2783...>
Copies to:      	<snort-users at lists.sourceforge.net>, <erek at ...577...>
Subject:        	RE: [Snort-users] Spamming
Date sent:      	Wed, 3 Oct 2001 21:39:42 +0200

> Well you can use IDS to determine a Spam by the traffic generated by a
> certain IP I m speaking about Network Based IDS so you can put a
> limitation about the traffic generated by these IP'S. 
> 
> What I want is to control the number of sessions on port 25 SMTP to each
> host so I can have control on him, so in case he is spamming he will
> fail. I've tried several Anti Spam software I was Satisfied with Mail
> Shield, but it do not support this feature 
> 
> Regards
> 
>       ,,,
>      /'^'\
>     ( o o )
> oOOO--(_)--OOOo----------------------
>  
>      Roger Bou Aoun
> Senior Security Specialist 
>  
> Data Management - Lebanon
> Internet Service Provide
> AL Ghazal Tower, 9TH Floor                
> Tel: + 961 1 337 001   ext 202 
> Fax: + 961 1 218 889                  Mobile: + 961 3 843 155
>  
>                        E-mail: roger.bouaoun at ...3680... 
>                                security at ...3680... 
> *************************** End of Message ****************************
>  
>  
> 
> -----Original Message-----
> From: root at ...2783... [mailto:root at ...2783...] On Behalf Of
> Chris Keladis
> Sent: Wednesday, October 03, 2001 5:26 PM
> To: Erek Adams; Roger Bou Aoun
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Spamming
> 
> Erek Adams wrote:
>  
> > On Wed, 3 Oct 2001, Roger Bou Aoun wrote:
> > 
> > > Ca we stop spamming using snort??? If yes how can it be done, I know
> > > that commercial Intrusion Detection Systems, are able to do it, can
> it
> > > be done with the open Source software, or limit the number of
> sessions
> > > that each IP can use on a certain port
> 
> Roger, how do the commercial IDSs determine a "SPAM" mail? (keyword,
> header recognition?)
> 
>  
> > Some points in no real order:
> > 
> > 1)  How do you determine spam?  You must look into the headers for
> some info.
> > That's ALL you should do.  If you go into the 'envlope' you are now
> 'filtering
> > based on content'.  That's a Bad Thing(tm) in the mailadmin world.
> 
> Well i dont think parsing the envelope headers would be as much of a sin
> as parsing the letter headers. (After all, most every MTA needs to parse
> the envelope headers to deliver the mail).
> 
> Even if you match on the envelope headers, SPAM could still get past
> since it could have correct envelope headers (say from a forward or a
> redirect), but be a spam internally in the letter headers, and i kind of
> agree with you, parsing the content (letter headers) is rather lame,
> especialy since letter headers are simply strings of the senders
> selection.
>  
> 
> > Just my .02 worth...  I was a mailadmin in a previous life, so I'm
> still
> > touchy about these kinds of isssues.  :-)
> 
> Hehehe.. I hear you there :)
> 
> If this feature was seriously needed then i'd say you would need a
> dedicated pre-processor, and even then you would have a hell of a time
> parsing out the Received: lines since i don't think they need to conform
> to any standard,  apart from begin with Received: for each mail-hop.
> 
> I really think this is a job more suited to a host-based-ids, to plough
> through the logs and raise alerts when the MTA (or front-end) sees SPAM.
> 
> Perhaps this is what Roger meant??
> 
> 
> On the topic of HIDS - Marty, any plans, or is this a FAQ? :)
> 
> 
> 
> 
> 
> Regards,
> 
> Chris.
> 
> 
> 


---
Jason Robertson                
Network Analyst            
jason at ...734...    
http://www.astroadvice.com      





More information about the Snort-users mailing list