Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
0
Helpful
5
Replies

creating spam signature

rrutledge
Level 1
Level 1

‎12-12-2006 11:45 AM - edited ‎03-10-2019 03:22 AM

Hey,

I'm trying to create a signature that will fire when e-mails containing multipart/related ; and multipart/alternative. I created 2 individual Sig for each of the content types (Sigid-60004 and 60005)and was getting some hits. The traffic I'm looking to stop contains both Sig's and I'm in the process of creating a Meta Sig. I'm using the AIC HTTP engine and was wondering was this the best engine to examine traffic hitting my mail server? Thanks for any help.

Labels:
0 Helpful
5 Replies 5

mhellman
Level 7
Level 7

‎12-12-2006 01:53 PM

I don't follow. How did you get the AIC HTTP engine to fire on SMTP traffic? What you're talking about above is MIME encapsulated email right? Take a look at S223. It uses the SMTP state engine, it appears that might be your best choice.

0 Helpful

rrutledge
Level 1
Level 1
In response to mhellman

‎12-13-2006 06:25 AM

Sorry for the confusion, still very green at creating signatures. After looking at the log when the signature fired it was on HTTP traffic (Guess I get too happy after creating my first sig and having it fire). I'll take A look thanks.

0 Helpful

rrutledge
Level 1
Level 1
In response to rrutledge

‎12-14-2006 08:44 AM

Can I still look at content type in the SMTP state engine. I have one particular e-mail the gives me a *.gif (about some stock price) and some crazy text not related. After comparing message header from these messages I see that they all had a Content-Type: multipart/related;

type="multipart/alternative".

My plan was to see if I could create a meta signature that would capture the traffic that meet both content types and find more infomation. I'm gettnig the messages from different domains so blocking the source was getting to be too much. Here are some Helo statements that I wasn't sure of:

Received: from [198.54.x.x] (helo=zfjzhh),

Received: from [82.255.x.x] (helo=qitc)

Not sure if that is normal of not, but I didn't see it in other mail messages I recieved. What would be my best approach? Anything that will put me on the path would be great. Thanks in advance.

RRutledge

0 Helpful

mhellman
Level 7
Level 7
In response to rrutledge

‎12-18-2006 12:51 PM

Are you doing this just to practice making sigs? The reality is that it would be difficult to use an IDS/IPS to filter spam. the helo command doesn't necessarily imply SPAM, nor does the use of multipart messages.

0 Helpful

usanitary
Level 1
Level 1
In response to rrutledge

‎01-10-2007 03:40 PM

Spammers are aware of static rules; each gif will probably be unique. They also constantly change IPs. Spam has dramatically increased over the last few months, and will continue to get more sophisticated.

Like the previous poster stated, the IDS will not do a very good job against spam. I would look to another anti-spam solution. We use GFI MailEssentials

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card