Snort mailing list archives
Re: Spamming
From: Chris Keladis <Chris.Keladis () cmc cwo net au>
Date: Thu, 04 Oct 2001 01:26:08 +1000
Erek Adams wrote:

> On Wed, 3 Oct 2001, Roger Bou Aoun wrote:
>
> > Can we stop spamming using snort??? If yes, how can it be done? I know
> > that commercial Intrusion Detection Systems are able to do it. Can it be
> > done with the open source software, or limit the number of sessions that
> > each IP can use on a certain port?
>
> Roger, how do the commercial IDSs determine a "SPAM" mail? (keyword,
> header recognition?)
>
> Some points in no real order:
>
> 1) How do you determine spam? You must look into the headers for some
> info. That's ALL you should do. If you go into the 'envelope' you are now
> 'filtering based on content'. That's a Bad Thing(tm) in the mailadmin
> world.

Well, I don't think parsing the envelope headers would be as much of a sin
as parsing the letter headers. (After all, most every MTA needs to parse the
envelope headers to deliver the mail). Even if you match on the envelope
headers, SPAM could still get past since it could have correct envelope
headers (say from a forward or a redirect), but be spam internally in the
letter headers. And I kind of agree with you: parsing the content (letter
headers) is rather lame, especially since letter headers are simply strings
of the sender's selection.

> Just my .02 worth... I was a mailadmin in a previous life, so I'm still
> touchy about these kinds of issues. :-)

Hehehe.. I hear you there :)

If this feature was seriously needed then I'd say you would need a dedicated
pre-processor, and even then you would have a hell of a time parsing out the
Received: lines, since I don't think they need to conform to any standard,
apart from beginning with Received: for each mail-hop.

I really think this is a job more suited to a host-based IDS, to plough
through the logs and raise alerts when the MTA (or front-end) sees SPAM.
Perhaps this is what Roger meant??

On the topic of HIDS - Marty, any plans, or is this a FAQ? :)

Regards,

Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
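Added example, not part of the thread and not Snort project code: the two header- and log-based checks the message above argues belong in a host-based IDS rather than in content filtering. It walks the Received: chain of a message (tolerating the loose, non-standard layout Chris mentions, keying only on the "from" token and any IPv4 literal), and it counts SMTP sessions per client address from MTA log lines, which is the per-IP session limit Roger asked about, evaluated from logs after the fact. The sample message, the Postfix-style "connect from" log lines and the threshold are all constructed for the illustration.

```python
"""Added example, not code from the thread or from the Snort project: two
header/log-based spam heuristics of the kind a host-based IDS could apply.
Every sample message, log line and threshold here is constructed."""
import re
from collections import Counter
from email import message_from_string

# Constructed message with two Received: hops written in different layouts,
# which is why the parser below normalises whitespace and only keys on the
# "from" token and the first bracketed/parenthesised IPv4 literal.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
  by mail.example.org (Postfix) with ESMTP id ABC123
  for <user@example.org>; Wed, 3 Oct 2001 10:00:00 +1000
Received: from unknown (HELO bogus.example) (203.0.113.77)
  by mx.example.net with SMTP; Wed, 3 Oct 2001 09:59:50 +1000
From: someone@example.com
To: user@example.org
Subject: hello

body text
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def received_chain(raw_message):
    """Return the Received: hops, top of message first, as dicts holding the
    claimed sending host and the first IPv4 literal on that hop (or None).
    Received: lines have only a loose format, so missing fields are tolerated."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value)).strip()  # unfold the header
        host = FROM_HOST.match(text)
        ip = IPV4.search(text)
        hops.append({"host": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None})
    return hops


def first_hop_ip(raw_message):
    """The earliest hop is the last Received: header; its IP is the address
    the message entered our mail system from.  Headers above it were added by
    our own relays; anything below it is a sender-supplied string."""
    chain = received_chain(raw_message)
    return chain[-1]["ip"] if chain else None


# Constructed smtpd connection log lines (Postfix-style "connect from" events).
SAMPLE_LOG = [
    "Oct  3 10:00:01 mx postfix/smtpd[1201]: connect from unknown[203.0.113.77]",
    "Oct  3 10:00:02 mx postfix/smtpd[1202]: connect from unknown[203.0.113.77]",
    "Oct  3 10:00:02 mx postfix/smtpd[1203]: connect from mx.example.net[192.0.2.10]",
    "Oct  3 10:00:03 mx postfix/smtpd[1204]: connect from unknown[203.0.113.77]",
    "Oct  3 10:00:04 mx postfix/smtpd[1205]: connect from unknown[203.0.113.77]",
    "Oct  3 10:00:05 mx postfix/smtpd[1206]: connect from mx.example.net[192.0.2.10]",
]
CONNECT = re.compile(r"connect from \S*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sessions_per_ip(log_lines):
    """Count SMTP sessions per client address from smtpd log lines."""
    counts = Counter()
    for line in log_lines:
        m = CONNECT.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def flag_noisy_sources(log_lines, threshold):
    """Addresses that opened more than `threshold` sessions, busiest first.
    A HIDS would raise an alert for each of these rather than block inline."""
    counts = sessions_per_ip(log_lines)
    return [ip for ip, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print("hop:", hop)
    print("first hop IP:", first_hop_ip(SAMPLE_MESSAGE))
    print("noisy sources:", flag_noisy_sources(SAMPLE_LOG, threshold=3))
```

The design point is the one Erek and Chris make: nothing here reads the message body, and only the hops added by the operator's own relays can be trusted, so the earliest Received: line is treated as the boundary between facts and sender-chosen strings.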
Current thread:
- Spamming Roger Bou Aoun (Oct 03)
- Re: Spamming Erek Adams (Oct 03)
- Re: Spamming Chris Keladis (Oct 03)
- Re: Spamming Erek Adams (Oct 03)
- RE: Spamming Roger Bou Aoun (Oct 03)
- RE: Spamming Jason Robertson (Oct 04)
- RE: Spamming Ed Kasky (Oct 04)
- RE: Spamming Franki (Oct 04)
- Re: Spamming Chris Keladis (Oct 03)
- Re: Spamming Erek Adams (Oct 03)
- <Possible follow-ups>
- Re: Spamming D. J. Bernstein (Oct 05)
- Re: Spamming Jason Robertson (Oct 07)