
List:       emerging-sigs
Subject:    [Emerging-Sigs] IP address on Spamhaus (Spam BlackList)
From:       juanma () ossim ! net (Juan Manuel Lorenzo)
Date:       2009-05-19 14:36:42
Message-ID: bc8fdf040905190736q446ed69ao81d72188aa7d7b4 () mail ! gmail ! com

This rule is being quite useful for us in some environments; when one
machine has been infected by any malware and it starts sending spam, in just
a few minutes we see that the IP address has been blocked in Spamhaus.

Juan Manuel Lorenzo

On Mon, May 4, 2009 at 4:55 PM, Jaime Blasco <jaime.blasco at alienvault.com> wrote:

> Hi!
> 
> I've been analyzing some spam traffic, related to snort's rule:
> policy.rules:alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
> 
> we could write a rule to detect smtp responses like this:
> 553 Mail from *.*.* not allowed - 5.7.1 [BL23] Connections not accepted from IP addresses on Spamhaus XBL; see http://postmaster.yahoo.com/550-bl23.html [550]
> 
> alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET POLICY IP address BlackListed (Spamhaus)"; flow:established,from_server; content:"553 Mail from"; content:"Spamhaus XBL"; classtype:misc-activity; sid:; rev:1;)
> 
> Regards
> 
> --
> _______________________________
> 
> Jaime Blasco
> 
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> 
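The proposed rule keys on Yahoo's literal "553 Mail from" / "Spamhaus XBL" reply text, so it fires when a host on $HOME_NET is refused by Yahoo specifically. Other MTAs reject DNSBL-listed senders with a 550 (often multi-line, with "550-" continuation lines) that names zen.spamhaus.org or another list. The script below is an added example, not code from this thread or from Emerging Threats: it reassembles SMTP server replies, then flags any 5xx reply that cites a DNSBL, extracting the reply code, enhanced status code and the rejected IP so the event carries the same context the Snort alert would. The sample replies, the DNSBL keyword list and the regexes are this example's own assumptions; it generalizes the rule's single-vendor match to any MTA whose rejection text names the list.

```python
"""Classify SMTP server replies that reject a client for being on a DNSBL.

Added example for this thread; it is not code from the list post. The
sample replies below are constructed, and the DNSBL keyword list and the
IP / enhanced-status regexes are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample replies: a Yahoo-style single-line 553, a multi-line
# 550 from another MTA, and two replies that must not trigger.
SAMPLE_REPLIES = [
    "553 Mail from 192.0.2.10 not allowed - 5.7.1 [BL23] Connections not "
    "accepted from IP addresses on Spamhaus XBL; see "
    "http://postmaster.yahoo.com/550-bl23.html [550]\r\n",
    "550-5.7.1 Service unavailable\r\n"
    "550 5.7.1 Client host [198.51.100.7] blocked using zen.spamhaus.org\r\n",
    "550 5.1.1 <nobody@example.net>: Recipient address rejected\r\n",
    "250 2.0.0 Ok: queued as 4F2A1 (spamhaus check passed)\r\n",
]

# DNSBL indicators (assumption: extend for the lists your MTAs actually see).
DNSBL_RE = re.compile(
    r"spamhaus|\bxbl\b|\bsbl\b|\bpbl\b|\bzen\b|spamcop|barracuda", re.I)
# RFC 3463 enhanced status code, e.g. 5.7.1 (first digit 2, 4 or 5).
ENHANCED_RE = re.compile(r"\b([245]\.\d{1,3}\.\d{1,3})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "553-text" is a continuation line, "553 text" the final line of a reply.
REPLY_LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class SmtpReply:
    code: int
    enhanced: Optional[str]
    text: str


def parse_reply(raw: str) -> SmtpReply:
    """Reassemble one single- or multi-line SMTP reply into a single record."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    code = None
    parts = []
    for i, line in enumerate(lines):
        m = REPLY_LINE_RE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        this_code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply")
        last = i == len(lines) - 1
        # A '-' separator is only valid before the last line, a ' ' only on it.
        if (sep == "-") == last:
            raise ValueError("continuation marker inconsistent with position")
        parts.append(text)
    full = " ".join(parts)
    em = ENHANCED_RE.search(full)
    return SmtpReply(code, em.group(1) if em else None, full)


def dnsbl_reject(reply: SmtpReply) -> Optional[dict]:
    """Return a finding when a permanent (5xx) rejection cites a DNSBL."""
    if not 500 <= reply.code <= 599:
        return None
    m = DNSBL_RE.search(reply.text)
    if not m:
        return None
    ip = IPV4_RE.search(reply.text)
    return {
        "code": reply.code,
        "enhanced": reply.enhanced,
        "list": m.group(0),
        "ip": ip.group(0) if ip else None,
    }


def scan(raw_replies: List[str]) -> List[dict]:
    """Run the classifier over raw replies; returns only the findings."""
    findings = []
    for raw in raw_replies:
        finding = dnsbl_reject(parse_reply(raw))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REPLIES):
        print(f)
```

Feeding this the server side of port-25 sessions leaving $HOME_NET (from a mail log or a pcap) gives the same signal as the rule, but it also catches the 550 variants and ignores a benign "spamhaus" mention in a 250, which a bare two-content Snort match would not.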