OT: Snort rules triggered by spammers
cobalt-users1 at fishnet.co.uk
Wed Oct 15 15:06:25 IST 2008
Apologies for the Off Topic but this list is usually tolerant of such things when they vaguely
resemble the fight against spam :)
I run a simple firewall in front of our servers that has snort installed. I try to analyse the
results as often as possible and look into false positives etc.
I recently noticed that what I thought was a long running false positive was actually directly
related to possible spam delivery attempts on one mail server.
Basically there are two rules available on the Bleeding Edge Threats website:
which are supposed to trigger against NMAP SYN stealth scans (i.e. the -sS option with
the optional -f to cause fragmentation). These rules have been hitting a lot but only ever
indicate a scan against port 25 of the one mail server I have running there, so I just
assumed it was another false positive.
When checking these IPs against the maillog today I got the following results:
155 unique IPs in list
13 do not appear in maillog
142 appear and are rejected for various reasons including:
mailbox not found
did not issue MAIL/EXPN/VRFY/ETRN
There were 0 successful deliveries to the mail server at all from these IPs.
Unfortunately I deleted a load of these alerts this morning, it usually goes up to a few
thousand unique IPs a day.
Could I be on to something?
Is anyone else running snort in front of a mail server who could check this?
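The cross-check described in the post (Snort scan alerts against port 25, looked up in the maillog) as a small script, added here as an illustration and not part of the original post; the alert lines, the rule SID and the sendmail-style log lines are all constructed, and one of the sample IPs is given a successful delivery so the tally shows how a genuine false positive would surface.

```python
import re
from collections import Counter
# Constructed Snort "fast" alert lines (not from the post). The SID and message are
# placeholders, not a real Bleeding Edge rule.
SNORT_ALERTS = """\
10/15-08:12:01.000001 [**] [1:9999901:1] PLACEHOLDER NMAP -sS scan [**] {TCP} 203.0.113.10:40123 -> 192.0.2.25:25
10/15-08:12:02.000002 [**] [1:9999901:1] PLACEHOLDER NMAP -sS scan [**] {TCP} 203.0.113.11:40124 -> 192.0.2.25:25
10/15-08:12:03.000003 [**] [1:9999901:1] PLACEHOLDER NMAP -sS scan [**] {TCP} 203.0.113.10:40125 -> 192.0.2.25:25
10/15-08:12:04.000004 [**] [1:9999901:1] PLACEHOLDER NMAP -sS scan [**] {TCP} 198.51.100.7:40126 -> 192.0.2.25:25
10/15-08:12:05.000005 [**] [1:9999901:1] PLACEHOLDER NMAP -sS scan [**] {TCP} 198.51.100.8:40127 -> 192.0.2.25:25
"""
# Constructed sendmail-style maillog: two rejections, one clean delivery, one IP absent.
MAILLOG = """\
Oct 15 08:12:02 mx sendmail[2101]: m9F7C2aa: ruleset=check_rcpt, arg1=<nobody@example.org>, relay=[203.0.113.10], reject=550 5.1.1 <nobody@example.org>... User unknown
Oct 15 08:12:03 mx sendmail[2102]: m9F7C3bb: [203.0.113.11] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 15 08:12:06 mx sendmail[2103]: m9F7C6cc: from=<alice@example.net>, size=1234, relay=[198.51.100.7]
Oct 15 08:12:07 mx sendmail[2104]: m9F7C6cc: to=<bob@example.org>, delay=00:00:01, stat=Sent (accepted)
"""
ALERT_RE = re.compile(r"\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:25\b")
LOG_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)")      # queue id, rest of message
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")           # relay=[ip] or a bare [ip]
REASONS = [("User unknown", "mailbox not found"), ("did not issue MAIL/EXPN/VRFY/ETRN", "did not issue MAIL/EXPN/VRFY/ETRN")]

def scan_sources(alerts):
    """Unique source IPs that Snort flagged as scanning port 25."""
    return {m.group(1) for m in (ALERT_RE.search(l) for l in alerts.splitlines()) if m}

def correlate(alerts, maillog):
    """Tally what the MTA did with each flagged IP: absent, rejected (by reason) or delivered."""
    sources = scan_sources(alerts)
    queue_ip, seen, rejected, delivered = {}, set(), Counter(), set()
    for line in maillog.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qid, msg = m.groups()
        hit = IP_RE.search(msg)
        if hit:
            queue_ip[qid] = hit.group(1)
        ip = queue_ip.get(qid)            # stat=Sent lines carry only the queue id
        if ip not in sources:
            continue
        seen.add(ip)
        if "stat=Sent" in msg:
            delivered.add(ip)
        for needle, label in REASONS:
            if needle in msg:
                rejected[label] += 1
    return {"unique": len(sources), "missing": len(sources - seen),
            "rejected": dict(rejected), "delivered": len(delivered)}
```

On the sample data this reports 4 unique IPs, 1 missing from the maillog, one rejection per reason and 1 delivery (the 198.51.100.7 entry), which is the case the post's zero-delivery figure rules out.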