Snort mailing list archives
RE: Spamming
From: "Franki" <franki () gshop com au>
Date: Fri, 5 Oct 2001 02:53:38 +0800
yup, and postfix has many many ways of dealing with spam as well... in fact it had better stats in a recent survey than sendmail or Qmail with regards to being spam relays... IE it was like .05% both sendmail and Qmail were higher...

rgds

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ed Kasky
Sent: Friday, 5 October 2001 2:34 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Spamming

I have been watching this thread and have to agree with Jason on this one. Sendmail is well equipped to deal with spam from a number of different directions:

http://www.sendmail.org/antispam.html

One note - "If you're still running 8.8.x and can't upgrade for some reason, this page should help you. But the recommended way to deal with anti-relay problems is to upgrade to 8.9.3 or 8.10."

At 02:06 PM 10/4/2001 -0400, Jason Robertson wrote:
This sounds more like something that would be better handled by the mail server. I know a server like Exim can handle this to a degree. Or with a router with ratelimiting (or linux with the ratelimiting patches), you just give him almost no access, as an example he can only send to the server at 2kbps, this would make spam nearly impossible.

On 3 Oct 2001 at 21:39, Roger Bou Aoun wrote:

From: "Roger Bou Aoun" <roger.bouaoun () dm net lb>
To: "'Chris Keladis'" <Chris.Keladis () cmc cwo net au>
Copies to: <snort-users () lists sourceforge net>, <erek () theadamsfamily net>
Subject: RE: [Snort-users] Spamming
Date sent: Wed, 3 Oct 2001 21:39:42 +0200

Well you can use IDS to determine a Spam by the traffic generated by a certain IP. I'm speaking about Network Based IDS so you can put a limitation about the traffic generated by these IPs.

What I want is to control the number of sessions on port 25 SMTP to each host so I can have control on him, so in case he is spamming he will fail.

I've tried several Anti Spam software. I was satisfied with Mail Shield, but it does not support this feature.

Regards

     ,,,
    /'^'\
   ( o o )
oOOO--(_)--OOOo----------------------
Roger Bou Aoun
Senior Security Specialist
Data Management - Lebanon Internet Service Provide
AL Ghazal Tower, 9TH Floor
Tel: + 961 1 337 001 ext 202
Fax: + 961 1 218 889
Mobile: + 961 3 843 155
E-mail: roger.bouaoun () dm net lb
security () dm net lb
*************************** End of Message ****************************

-----Original Message-----
From: root () cmc cwo net au [mailto:root () cmc cwo net au] On Behalf Of Chris Keladis
Sent: Wednesday, October 03, 2001 5:26 PM
To: Erek Adams; Roger Bou Aoun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Spamming

Erek Adams wrote:
> On Wed, 3 Oct 2001, Roger Bou Aoun wrote:
> > Can we stop spamming using snort???
> > If yes how can it be done, I know that commercial Intrusion Detection Systems, are able to do it, can it be done with the open Source software, or limit the number of sessions that each IP can use on a certain port

Roger, how do the commercial IDSs determine a "SPAM" mail? (keyword, header recognition?)

> Some points in no real order:
>
> 1) How do you determine spam? You must look into the headers for some info. That's ALL you should do. If you go into the 'envelope' you are now 'filtering based on content'. That's a Bad Thing(tm) in the mailadmin world.

Well I don't think parsing the envelope headers would be as much of a sin as parsing the letter headers. (After all, most every MTA needs to parse the envelope headers to deliver the mail).

Even if you match on the envelope headers, SPAM could still get past since it could have correct envelope headers (say from a forward or a redirect), but be a spam internally in the letter headers, and I kind of agree with you, parsing the content (letter headers) is rather lame, especially since letter headers are simply strings of the sender's selection.

> Just my .02 worth... I was a mailadmin in a previous life, so I'm still touchy about these kinds of issues. :-)

Hehehe.. I hear you there :)

If this feature was seriously needed then I'd say you would need a dedicated pre-processor, and even then you would have a hell of a time parsing out the Received: lines since I don't think they need to conform to any standard, apart from begin with Received: for each mail-hop.

I really think this is a job more suited to a host-based-ids, to plough through the logs and raise alerts when the MTA (or front-end) sees SPAM. Perhaps this is what Roger meant??

On the topic of HIDS - Marty, any plans, or is this a FAQ?
:)

Regards,

Chris.

---
Jason Robertson
Network Analyst
jason () ifutureinc com
http://www.astroadvice.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
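Added example, not part of the thread or of any poster's message: one way to do the host-based check discussed above, counting SMTP sessions per client IP from MTA logs inside a sliding window and flagging clients that exceed a limit. It assumes Postfix-style `connect from` syslog lines; the function names, the threshold, the window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd "connect from host[ip]" syslog line (classic syslog omits the year).
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\s"
    r"connect from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

def flag_heavy_senders(lines, max_sessions=5, window=timedelta(seconds=60), year=2001):
    """Return {ip: peak sessions in any window} for clients above max_sessions."""
    recent = defaultdict(deque)   # ip -> connect times still inside the window
    peaks = {}
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue              # skip disconnects, queue activity, other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:    # drop connects that aged out of the window
            q.popleft()
        if len(q) > max_sessions:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def sample_log():
    """Constructed log lines: one bursty client and one slow, steady client."""
    base = datetime(2001, 10, 4, 14, 6, 0)
    line = "Oct  4 {:%H:%M:%S} mail postfix/smtpd[4242]: connect from unknown[{}]"
    burst = [line.format(base + timedelta(seconds=5 * i), "192.0.2.10") for i in range(8)]
    slow = [line.format(base + timedelta(seconds=30 * i), "198.51.100.7") for i in range(8)]
    noise = ["Oct  4 14:06:02 mail postfix/smtpd[4242]: disconnect from unknown[192.0.2.10]"]
    return sorted(burst + slow + noise)   # fixed-width timestamps sort chronologically

if __name__ == "__main__":
    for ip, peak in flag_heavy_senders(sample_log()).items():
        print(f"ALERT {ip}: {peak} SMTP sessions within 60s")
```

Both constructed clients open eight sessions in total; only the one that opens them within a single window is flagged, which is the distinction a per-host session limit on port 25 is meant to draw.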
Current thread:
- Spamming Roger Bou Aoun (Oct 03)
- Re: Spamming Erek Adams (Oct 03)
- Re: Spamming Chris Keladis (Oct 03)
- Re: Spamming Erek Adams (Oct 03)
- RE: Spamming Roger Bou Aoun (Oct 03)
- RE: Spamming Jason Robertson (Oct 04)
- RE: Spamming Ed Kasky (Oct 04)
- RE: Spamming Franki (Oct 04)
- Re: Spamming Chris Keladis (Oct 03)
- Re: Spamming Erek Adams (Oct 03)
- <Possible follow-ups>
- Re: Spamming D. J. Bernstein (Oct 05)
- Re: Spamming Jason Robertson (Oct 07)