If you are attempting to identify spammers at large snort is definitely
not the tool. If you have internal users spamming snort could help. 5
mails a minute, 2 mails a minute...
People don't usually send more than 1 mail a minute.
If you are attempting to solve the spammers at large problem you should
google spamassassin as it is far better suited to the problem.
lokesh.khanna@accelonafrica.com wrote:
Thanks. But is there any other way. If Spammer sends less than 10 mail
in 60 sec, then snort will not be able to capture that.
Is there any way to generate Alert based on content in Mail, or header
of mail?
Cordially,
Lokesh
-----Original Message-----
From: Jason [mailto:security@brvenik.com]
Sent: 30 March 2005 06:59
To: Lokesh Khanna
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Capture Spam mail traffic using snort
if those systems are in your network you could try a threshold rule
alert tcp !$SMTP_SERVERS any -> any 25 (msg"possible spammer";
content:"rcpt to\:"; nocase; flow:to_server, established; threshold:type
both, track by_src, count 10, seconds 60; sid:1000000; rev:1;)
That rule should alert on any system that sends 10 mails in 60 seconds
except those defined as SMTP_SERVERS.
lokesh.khanna@accelonafrica.com wrote:
Hi
I am using snort on Redhat box.
Is it possible to capture IP addresses using snort which are sending
Spam mails. If yes, how can I get signature?
Cordially,
Lokesh
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
