OT: Snort rules triggered by spammers

[Ian]

Hi,

Apologies for the Off Topic but this list is usually tolerant of such things when they vaguely 
resemble the fight against spam :)


I run a simple firewall in front of our servers that has snort installed.  I try to analyse the 
results as often as possible and look into false positives etc.

I recently noticed that what I thought was a long running false positive was actually directly 
related to possible spam delivery attempts on one mail server.

Basically there are a two rules available on the Bleeding Edge Threats website:

	http://www.bleedingthreats.net/bleeding-scan.rules

which are supposed to trigger against NMAP Syn Stealth Scans ( ie the -sS option with 
the optional -f to cause fragmentation).  These rules have been hitting a lot but only ever 
indicates a scan against port 25 of the one mail server I have running there, so I just 
assumed it was another false positive.

When checking these IPs against the maillog today I got the following results:

155 unique IPs in list		

13 do not appear in maillog
142 appear and are rejected for various reasons including:

	relay attempt
	spamcop
	spamhaus
	greet pause
	mailbox not found
	did not issue MAIL/EXPN/VRFY/ETRN

The were 0 successful deliveries to the mail server at all from these IPs.

Unfortunately I deleted a load of these alerts this morning, it usually goes up to a few 
thousand unique IPs a day.


Could I be on to something?
Is anyone else running snort in front of a mail server who could check this?

Regards

Ian
--