[Snort-users] Capture Spam mail traffic using snort

Jason security at ...5028...
Tue Mar 29 22:26:41 EST 2005


If you are attempting to identify spammers at large, snort is definitely 
not the tool. If you have internal users spamming, snort could help. 5 
mails a minute, 2 mails a minute...

People don't usually send more than 1 mail a minute.

If you are attempting to solve the spammers-at-large problem, you should 
google SpamAssassin, as it is far better suited to the problem.

lokesh.khanna at ...13040... wrote:
> Thanks. But is there any other way? If a spammer sends fewer than 10 mails
> in 60 sec, then snort will not be able to capture that.
> Is there any way to generate Alert based on content in Mail, or header
> of mail?
> 
> Cordially,
> Lokesh
> 
> -----Original Message-----
> From: Jason [mailto:security at ...5028...] 
> Sent: 30 March 2005 06:59
> To: Lokesh Khanna
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Capture Spam mail traffic using snort
> 
> if those systems are in your network you could try a threshold rule
> 
> 
> alert tcp !$SMTP_SERVERS any -> any 25 (msg:"possible spammer"; content:"rcpt to\:"; nocase; flow:to_server,established; threshold:type both, track by_src, count 10, seconds 60; sid:1000000; rev:1;)
> 
> That rule should alert on any system that sends 10 mails in 60 seconds 
> except those defined as SMTP_SERVERS.
> 
> lokesh.khanna at ...13040... wrote:
> 
>>
>>Hi
>>
>>I am using snort on Redhat box.
>>
>>Is it possible to capture IP addresses using snort which are sending 
>>Spam mails. If yes, how can I get signature?
>>
>> 
>>
>>Cordially,
>>
>>Lokesh
>>
> 
> 
> 
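The point Lokesh raises (a sender below 10 mails per minute is never seen) follows directly from how "threshold:type both, track by_src, count 10, seconds 60" counts. The following Python model is an added example, not Snort code and not from anyone in this thread: it replays constructed SMTP command events through a simplified copy of that threshold logic (alert once per 60-second window, only after the 10th matching packet from a source, sources in a hypothetical $SMTP_SERVERS set exempt), so you can see that a burst sender fires exactly once while a sender pacing one recipient every 10 seconds never fires at all.

```python
"""Simplified model of the thread's threshold rule:
   content:"rcpt to\:" (nocase), threshold:type both, track by_src,
   count 10, seconds 60, source not in $SMTP_SERVERS.
Added example; the event data below is constructed, not captured traffic."""

COUNT, SECONDS = 10, 60
SMTP_SERVERS = {"10.0.0.25"}  # hypothetical $SMTP_SERVERS, exempt like !$SMTP_SERVERS


def matches(payload: str) -> bool:
    """Equivalent of content:"rcpt to\:"; nocase; on the SMTP payload."""
    return "rcpt to:" in payload.lower()


class ThresholdBoth:
    """Model of threshold:type both: alert once per window of `seconds`,
    only after `count` matching events from the same source in that window.
    Windows start at the first event seen from a source (simplification)."""

    def __init__(self, count: int = COUNT, seconds: int = SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits_in_window, already_fired]

    def hit(self, src: str, ts: float) -> bool:
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = [ts, 0, False]          # open a fresh window
            self.state[src] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True                 # "both": one alert per window
            return True
        return False


def run(events, thr: ThresholdBoth = None):
    """events: iterable of (timestamp_seconds, src_ip, smtp_payload).
    Returns the list of (src_ip, timestamp) alerts the rule would raise."""
    thr = thr or ThresholdBoth()
    alerts = []
    for ts, src, payload in events:
        if src in SMTP_SERVERS or not matches(payload):
            continue
        if thr.hit(src, ts):
            alerts.append((src, ts))
    return alerts


def sample_events():
    """Constructed traffic: one bursty host, one slow host, one real relay."""
    ev = []
    # burst sender: 12 recipients in 24 seconds -> crosses count 10 inside the window
    for i in range(12):
        ev.append((float(i * 2), "192.0.2.10", "RCPT TO:<user%d@example.net>" % i))
    # slow sender: one recipient every 10 seconds for 3 minutes (never 10 in 60 s)
    for i in range(18):
        ev.append((float(i * 10), "192.0.2.20", "rcpt to:<target%d@example.org>" % i))
    # legitimate relay listed in $SMTP_SERVERS: 30 recipients in 30 seconds, exempt
    for i in range(30):
        ev.append((float(i), "10.0.0.25", "RCPT TO:<x%d@example.com>" % i))
    ev.sort(key=lambda e: e[0])
    return ev


if __name__ == "__main__":
    for src, ts in run(sample_events()):
        print("possible spammer: %s at t=%.0fs" % (src, ts))
```

Running it prints a single alert for 192.0.2.10 at t=18s (the 10th RCPT TO from that host) and nothing for 192.0.2.20, which sends 18 recipients overall but only 6 per 60-second window. That is the gap a rate threshold leaves and why content- or header-based scoring (SpamAssassin, as Jason suggests) is the better fit for slow senders.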