ed at ...3483...
Thu Oct 4 11:34:03 EDT 2001
I have been watching this thread and have to agree with Jason on this
one. Sendmail is well equipped to deal with spam from a number of
One note- "If you're still running 8.8.x and can't upgrade for some reason,
this page should help you. But the recommended way to deal with anti-relay
problems is to upgrade to 8.9.3 or 8.10 ."
At 02:06 PM 10/4/2001 -0400, Jason Robertson wrote:
>This sounds more like something that would be better handled by the mail
>I know a server like Exim can handle this to a degree. Or with a router
>with ratelimiting (or Linux with the ratelimiting patches), you just give
>him almost no access, as an example he can only send to the server at
>2kbps, this would make spam nearly impossible.
>On 3 Oct 2001 at 21:39, Roger Bou Aoun wrote:
>From: "Roger Bou Aoun" <roger.bouaoun at ...3680...>
>To: "'Chris Keladis'" <Chris.Keladis at ...2783...>
>Copies to: <snort-users at lists.sourceforge.net>,
><erek at ...577...>
>Subject: RE: [Snort-users] Spamming
>Date sent: Wed, 3 Oct 2001 21:39:42 +0200
> > Well you can use IDS to determine a Spam by the traffic generated by a
> > certain IP. I'm speaking about Network Based IDS, so you can put a
> > limitation on the traffic generated by these IPs.
> > What I want is to control the number of sessions on port 25 SMTP to each
> > host so I can have control on him, so in case he is spamming he will
> > fail. I've tried several Anti Spam software. I was satisfied with Mail
> > Shield, but it does not support this feature.
> > Regards
> > Roger Bou Aoun
> > Senior Security Specialist
> > Data Management - Lebanon
> > Internet Service Provide
> > AL Ghazal Tower, 9TH Floor
> > Tel: + 961 1 337 001 ext 202
> > Fax: + 961 1 218 889 Mobile: + 961 3 843 155
> > E-mail: roger.bouaoun at ...3680...
> > security at ...3680...
> > -----Original Message-----
> > From: root at ...2783... [mailto:root at ...2783...] On Behalf Of
> > Chris Keladis
> > Sent: Wednesday, October 03, 2001 5:26 PM
> > To: Erek Adams; Roger Bou Aoun
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Spamming
> > Erek Adams wrote:
> > > On Wed, 3 Oct 2001, Roger Bou Aoun wrote:
> > >
> > > > Can we stop spamming using snort??? If yes how can it be done, I know
> > > > that commercial Intrusion Detection Systems, are able to do it, can it
> > > > be done with the open Source software, or limit the number of sessions
> > > > that each IP can use on a certain port
> > Roger, how do the commercial IDSs determine a "SPAM" mail? (keyword,
> > header recognition?)
> > > Some points in no real order:
> > >
> > > 1) How do you determine spam? You must look into the headers for some info.
> > > That's ALL you should do. If you go into the 'envelope' you are now 'filtering
> > > based on content'. That's a Bad Thing(tm) in the mailadmin world.
> > Well I don't think parsing the envelope headers would be as much of a sin
> > as parsing the letter headers. (After all, most every MTA needs to parse
> > the envelope headers to deliver the mail).
> > Even if you match on the envelope headers, SPAM could still get past
> > since it could have correct envelope headers (say from a forward or a
> > redirect), but be a spam internally in the letter headers, and I kind of
> > agree with you, parsing the content (letter headers) is rather lame,
> > especially since letter headers are simply strings of the sender's
> > selection.
> > > Just my .02 worth... I was a mailadmin in a previous life, so I'm still
> > > touchy about these kinds of issues. :-)
> > Hehehe.. I hear you there :)
> > If this feature was seriously needed then I'd say you would need a
> > dedicated pre-processor, and even then you would have a hell of a time
> > parsing out the Received: lines since I don't think they need to conform
> > to any standard, apart from begin with Received: for each mail-hop.
> > I really think this is a job more suited to a host-based-ids, to plough
> > through the logs and raise alerts when the MTA (or front-end) sees SPAM.
> > Perhaps this is what Roger meant??
> > On the topic of HIDS - Marty, any plans, or is this a FAQ? :)
> > Regards,
> > Chris.
>jason at ...734...
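
An added example, not code from any poster in this thread: a small log-watching check in the spirit of the host-based approach suggested above, counting messages per relaying IP in a sliding window and reporting IPs over a limit. The log lines (sendmail-style `from=... relay=host [ip]`), the limit of 3 per 60 seconds and the function names are constructed for illustration, and message count is used as a stand-in for SMTP sessions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct  3 21:39:01 mx1 sendmail[2101]: f93Jd1a02101: from=<a@example.net>, size=2210, nrcpts=1, relay=dial7.example.net [192.0.2.7]
Oct  3 21:39:05 mx1 sendmail[2102]: f93Jd5a02102: from=<b@example.net>, size=2214, nrcpts=1, relay=dial7.example.net [192.0.2.7]
Oct  3 21:39:09 mx1 sendmail[2103]: f93Jd9a02103: from=<c@example.org>, size=910, nrcpts=1, relay=mail.example.org [198.51.100.20]
Oct  3 21:39:12 mx1 sendmail[2104]: f93JdCa02104: from=<d@example.net>, size=2209, nrcpts=1, relay=dial7.example.net [192.0.2.7]
Oct  3 21:39:12 mx1 sendmail[2105]: f93JdCa02104: to=<user@example.com>, delay=00:00:00, stat=Sent
Oct  3 21:39:20 mx1 sendmail[2106]: f93JdKa02106: from=<e@example.net>, size=2212, nrcpts=1, relay=dial7.example.net [192.0.2.7]
Oct  3 21:39:31 mx1 sendmail[2107]: f93JdVa02107: from=<f@example.net>, size=2211, nrcpts=1, relay=dial7.example.net [192.0.2.7]
Oct  3 21:45:00 mx1 sendmail[2108]: f93Jj0a02108: from=<g@example.org>, size=880, nrcpts=1, relay=mail.example.org [198.51.100.20]
"""

# Only "from=" (message accepted) lines carry the relaying host's address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[\d+\]:\s\S+:\s"
    r"from=<[^>]*>.*\brelay=[^\[]*\[(?P<ip>[\d.]+)\]"
)

def parse(line, year=2001):
    """Return (timestamp, relay_ip) for an accept line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so one is supplied by the caller.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def flag_senders(lines, limit=3, window=timedelta(seconds=60)):
    """Return {ip: peak count} for relays exceeding `limit` messages per window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # delivery ("to=") and unrelated lines
        ts, ip = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop entries that aged out of the window
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks
```
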