[Snort-users] Spamming

Ed Kasky ed at ...3483...
Thu Oct 4 11:34:03 EDT 2001


I have been watching this thread and have to agree with Jason on this 
one.  Sendmail is well equipped to deal with spam from a number of 
different directions:

http://www.sendmail.org/antispam.html

One note- "If you're still running 8.8.x and can't upgrade for some reason, 
this page should help you. But the recommended way to deal with anti-relay 
problems is to upgrade to 8.9.3 or 8.10 ."

At 02:06 PM 10/4/2001 -0400, Jason Robertson wrote:
>This sounds more like something that would be better handled by the mail 
>server.
>
>I know a server like Exim can handle this to a degree.  Or with a router 
>with ratelimiting (or Linux with the ratelimiting patches), you just give 
>him almost no access; as an example he can only send to the server at 
>2kbps, this would make spam nearly impossible.
>
>On 3 Oct 2001 at 21:39, Roger Bou Aoun wrote:
>
>From:                   "Roger Bou Aoun" <roger.bouaoun at ...3680...>
>To:                     "'Chris Keladis'" <Chris.Keladis at ...2783...>
>Copies to:              <snort-users at lists.sourceforge.net>, 
><erek at ...577...>
>Subject:                RE: [Snort-users] Spamming
>Date sent:              Wed, 3 Oct 2001 21:39:42 +0200
>
> > Well you can use IDS to determine spam by the traffic generated by a
> > certain IP. I'm speaking about Network Based IDS, so you can put a
> > limitation on the traffic generated by these IPs.
> >
> > What I want is to control the number of sessions on port 25 SMTP to each
> > host so I can have control on him, so in case he is spamming he will
> > fail. I've tried several Anti Spam software; I was satisfied with Mail
> > Shield, but it does not support this feature.
> >
> > Regards
> >
> >       ,,,
> >      /'^'\
> >     ( o o )
> > oOOO--(_)--OOOo----------------------
> >
> >      Roger Bou Aoun
> > Senior Security Specialist
> >
> > Data Management - Lebanon
> > Internet Service Provider
> > AL Ghazal Tower, 9TH Floor
> > Tel: + 961 1 337 001   ext 202
> > Fax: + 961 1 218 889                  Mobile: + 961 3 843 155
> >
> >                        E-mail: roger.bouaoun at ...3680...
> >                                security at ...3680...
> > *************************** End of Message ****************************
> >
> >
> >
> > -----Original Message-----
> > From: root at ...2783... [mailto:root at ...2783...] On Behalf Of
> > Chris Keladis
> > Sent: Wednesday, October 03, 2001 5:26 PM
> > To: Erek Adams; Roger Bou Aoun
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Spamming
> >
> > Erek Adams wrote:
> >
> > > On Wed, 3 Oct 2001, Roger Bou Aoun wrote:
> > >
> > > > Can we stop spamming using snort??? If yes how can it be done? I know
> > > > that commercial Intrusion Detection Systems are able to do it; can it
> > > > be done with the open source software, or limit the number of sessions
> > > > that each IP can use on a certain port?
> >
> > Roger, how do the commercial IDSs determine a "SPAM" mail? (keyword,
> > header recognition?)
> >
> >
> > > Some points in no real order:
> > >
> > > 1)  How do you determine spam?  You must look into the headers for
> > > some info.  That's ALL you should do.  If you go into the 'envelope'
> > > you are now 'filtering based on content'.  That's a Bad Thing(tm) in
> > > the mailadmin world.
> >
> > Well I don't think parsing the envelope headers would be as much of a sin
> > as parsing the letter headers. (After all, most every MTA needs to parse
> > the envelope headers to deliver the mail).
> >
> > Even if you match on the envelope headers, SPAM could still get past
> > since it could have correct envelope headers (say from a forward or a
> > redirect), but be a spam internally in the letter headers, and I kind of
> > agree with you, parsing the content (letter headers) is rather lame,
> > especially since letter headers are simply strings of the sender's
> > selection.
> >
> >
> > > Just my .02 worth...  I was a mailadmin in a previous life, so I'm
> > > still touchy about these kinds of issues.  :-)
> >
> > Hehehe.. I hear you there :)
> >
> > If this feature was seriously needed then I'd say you would need a
> > dedicated pre-processor, and even then you would have a hell of a time
> > parsing out the Received: lines since I don't think they need to conform
> > to any standard, apart from beginning with Received: for each mail-hop.
> >
> > I really think this is a job more suited to a host-based-ids, to plough
> > through the logs and raise alerts when the MTA (or front-end) sees SPAM.
> >
> > Perhaps this is what Roger meant??
> >
> >
> > On the topic of HIDS - Marty, any plans, or is this a FAQ? :)
> >
> >
> >
> >
> >
> > Regards,
> >
> > Chris.
> >
> >
> >
>
>
>---
>Jason Robertson
>Network Analyst
>jason at ...734...
>http://www.astroadvice.com
>
>
