Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

creating spam signature

Hey,

I'm trying to create a signature that will fire when e-mails containing multipart/related ; and multipart/alternative. I created 2 individual Sig for each of the content types (Sigid-60004 and 60005)and was getting some hits. The traffic I'm looking to stop contains both Sig's and I'm in the process of creating a Meta Sig. I'm using the AIC HTTP engine and was wondering was this the best engine to examine traffic hitting my mail server? Thanks for any help.

5 REPLIES
Gold

Re: creating spam signature

I don't follow. How did you get the AIC HTTP engine to fire on SMTP traffic? What you're talking about above is MIME encapsulated email right? Take a look at S223. It uses the SMTP state engine, it appears that might be your best choice.

New Member

Re: creating spam signature

Sorry for the confusion, still very green at creating signatures. After looking at the log when the signature fired it was on HTTP traffic (Guess I get too happy after creating my first sig and having it fire). I'll take A look thanks.

New Member

Re: creating spam signature

Can I still look at content type in the SMTP state engine. I have one particular e-mail the gives me a *.gif (about some stock price) and some crazy text not related. After comparing message header from these messages I see that they all had a Content-Type: multipart/related;

type="multipart/alternative".

My plan was to see if I could create a meta signature that would capture the traffic that meet both content types and find more infomation. I'm gettnig the messages from different domains so blocking the source was getting to be too much. Here are some Helo statements that I wasn't sure of:

Received: from [198.54.x.x] (helo=zfjzhh),

Received: from [82.255.x.x] (helo=qitc)

Not sure if that is normal of not, but I didn't see it in other mail messages I recieved. What would be my best approach? Anything that will put me on the path would be great. Thanks in advance.

RRutledge

Gold

Re: creating spam signature

Are you doing this just to practice making sigs? The reality is that it would be difficult to use an IDS/IPS to filter spam. the helo command doesn't necessarily imply SPAM, nor does the use of multipart messages.

New Member

Re: creating spam signature

Spammers are aware of static rules; each gif will probably be unique. They also constantly change IPs. Spam has dramatically increased over the last few months, and will continue to get more sophisticated.

Like the previous poster stated, the IDS will not do a very good job against spam. I would look to another anti-spam solution. We use GFI MailEssentials

120
Views
0
Helpful
5
Replies