Re: detecting SMTP engine behaviour

[xyberpix <xyberpix () xyberpix com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you have any IDS kit then you should be able to write a custom  
signature to pick up any SMTP traffic not coming from your specified  
mail servers.
Another option would be to get your firewall to alert you when it  
see's any SMTP traffic coming from anything aside from the "real" hosts.

HTH

xyberpix

Blog: http://blogs.securiteam.com



On 1 May 2006, at 12:22, ahmad mubarak wrote:

> hi all
>
> as you know new viruses use SMTP Engine techniques to distrpute itself
> to other machines and email addresses they find  when scanning the
> hard drives and mapped drives.
>
> is there any way to detect the malformed SMTP traffic and the source
> address of machine host the worm or the SMTP engine since the worms
> use different sender account not related to the same source machine
> accounts.
>
> ---------------------------------------------------------------------- 
> ---
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un- 
> protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> obligation. See why so many companies trust Spy Sweeper Enterprise to
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> ---------------------------------------------------------------------- 
> ----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFEWkUW2VKEoIQBZwkRAgE2AKCAst+BjU54Pkx95zv3b0d83NmItQCfazWD
/hZ1inGTC/wJ5ZKWQnNdRSI=
=8GZR
-----END PGP SIGNATURE-----