OT: Snort rules triggered by spammers

Ian cobalt-users1 at fishnet.co.uk
Wed Oct 15 15:06:25 IST 2008


Apologies for the Off Topic but this list is usually tolerant of such things when they vaguely 
resemble the fight against spam :)

I run a simple firewall in front of our servers that has snort installed.  I try to analyse the 
results as often as possible and look into false positives etc.

I recently noticed that what I thought was a long running false positive was actually directly 
related to possible spam delivery attempts on one mail server.

Basically there are two rules available on the Bleeding Edge Threats website:


which are supposed to trigger against NMAP Syn Stealth Scans (i.e. the -sS option with 
the optional -f to cause fragmentation).  These rules have been hitting a lot but only ever 
indicate a scan against port 25 of the one mail server I have running there, so I just 
assumed it was another false positive.

When checking these IPs against the maillog today I got the following results:

155 unique IPs in list

13 do not appear in maillog
142 appear and are rejected for various reasons including:

	relay attempt
	greet pause
	mailbox not found
	did not issue MAIL/EXPN/VRFY/ETRN

There were 0 successful deliveries to the mail server at all from these IPs.

Unfortunately I deleted a load of these alerts this morning; it usually goes up to a few 
thousand unique IPs a day.

Could I be on to something?
Is anyone else running snort in front of a mail server who could check this?
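The cross-check described above, as an added example that is not part of the original post: it pulls the source IPs out of Snort fast-format alerts aimed at port 25, classifies each maillog line by the rejection reasons the post lists, and tallies every alert IP as absent from the maillog, rejected (by reason) or accepted. Both inputs are constructed here; the alert rule name/SID are placeholders rather than the real Bleeding Edge rules, and the maillog lines only approximate sendmail's format, so the phrase table would need adjusting for a real log.

```python
import re
from collections import Counter
# Constructed Snort fast-format alerts (not from the post); rule name/SID are placeholders.
SNORT_ALERTS = """\
10/15-09:01:02.000001  [**] [1:9999901:1] PLACEHOLDER NMAP -sS [**] {TCP} 198.51.100.7:44212 -> 192.0.2.25:25
10/15-09:01:05.000002  [**] [1:9999901:1] PLACEHOLDER NMAP -sS [**] {TCP} 203.0.113.9:51000 -> 192.0.2.25:25
10/15-09:03:40.000003  [**] [1:9999901:1] PLACEHOLDER NMAP -sS [**] {TCP} 203.0.113.77:40001 -> 192.0.2.25:25
10/15-09:04:00.000004  [**] [1:9999901:1] PLACEHOLDER NMAP -sS [**] {TCP} 203.0.113.200:40002 -> 192.0.2.25:25
10/15-09:05:00.000005  [**] [1:9999901:1] PLACEHOLDER NMAP -sS [**] {TCP} 192.0.2.200:40003 -> 192.0.2.25:25
"""
# Constructed maillog lines in an approximate sendmail style (not a real log).
MAILLOG = """\
Oct 15 09:01:03 mx sendmail[3101]: m9F8136Q003101: ruleset=check_rcpt, arg1=<bob@example.net>, relay=[198.51.100.7], reject=550 5.7.1 <bob@example.net>... Relaying denied
Oct 15 09:01:06 mx sendmail[3102]: m9F816aX003102: rejecting commands from [203.0.113.9] due to pre-greeting traffic after 0 seconds
Oct 15 09:03:41 mx sendmail[3104]: m9F83fKr003104: 203.0.113.77 did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 15 09:05:01 mx sendmail[3105]: m9F85AxM003105: from=<alice@example.org>, size=1432, relay=mail.example.org [192.0.2.200]
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ALERT_RE = re.compile(r"\{TCP\} (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \S+:25\b")  # alerts aimed at port 25
# Rejection categories named in the post, keyed on phrases an MTA might log (constructed).
REASONS = {"relay attempt": "Relaying denied", "greet pause": "pre-greeting traffic",
           "mailbox not found": "User unknown", "did not issue MAIL/EXPN/VRFY/ETRN": "did not issue MAIL"}

def alert_sources(alert_text):
    return {m.group(1) for m in ALERT_RE.finditer(alert_text)}

def classify_maillog(log_text):
    """Map each client IP in the log to the set of outcomes logged for it."""
    outcomes = {}
    for line in filter(IP_RE.search, log_text.splitlines()):
        ip = IP_RE.search(line).group(1)
        label = next((reason for reason, phrase in REASONS.items() if phrase in line), None)
        if label is None:  # no rejection phrase: an accepted envelope or something else
            label = "accepted" if "from=<" in line else "other"
        outcomes.setdefault(ip, set()).add(label)
    return outcomes

def correlate(alert_text, log_text):
    """Tally alert IPs the way the post did: not in maillog, rejected (by reason) or accepted."""
    outcomes = classify_maillog(log_text)
    summary, reasons = Counter(), Counter()
    for ip in alert_sources(alert_text):
        labels = outcomes.get(ip)
        verdict = "not in maillog" if labels is None else ("accepted" if "accepted" in labels else "rejected")
        summary[verdict] += 1
        if verdict == "rejected":
            reasons.update(labels)
    return summary, reasons
```

Any IP that lands in "accepted" is the case the post found none of, and is the one worth looking at first if it appears.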
