using snort to detect possible spammer(s)
To All:
I'm trying to understand how to use SNORT to determine whether a spammer is using my machine or not. I have a lot of documentation, but I still don't understand what I am looking for.

PROBLEM
- When I send emails (using POP3/SMTP with Thunderbird), once in a while a message returns.
- In my bulk folder, when I log on via the web, I notice a lot of returned emails, i.e., a spammer is spamming everywhere and the bounced emails are showing up in my "suspected spam" folder (so the emails never make it down to my desktop - but that's good).

STRATEGY
I'm trying to figure out if
- my desktop machine is infested (probably not)
- the Windows server (external to the desktops), which also has a firewall, is infested
- a spammer is just using my address in the "reply to" part of the spam emails.

QUESTION
I'm using SNORT (http://www.snort.org) to figure out whether my desktop is being abused. The trouble is I don't know exactly what I'm looking for. Perhaps I'm not understanding the basic philosophy of SNORT. I've tried snort -v and get a lot of data on the screen. For example, one set of data looks like

05/16-10:12:25.315820 199.107.65.177:80 -> 192.168.1.101:1648
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4578D44F Ack: 0x72FD8295 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3996598544 922509

Exactly what am I looking for? I prefer not to output tons of stuff, but enough to determine if someone else is abusing this desktop. FYI, I'm supposed to be the only one on it, using Xandros 2.0 (Debian-based) on this old Dell Dimension L933r. And I'm using DSL Yahoo! and an sbcglobal.net account.

Thanks in advance for any help.

Sheng-Chieh

-----
p.s. In case anybody else wants them, the SNORT docs are at
http://www.snort.org/docs/
http://neworder.box.sk/newsread.php?newsid=7646
http://www.dpo.uab.edu/~andrewb/snor...doc/snort.html
http://www.jpsdomain.org/infosec/snort.html
http://www.ntsug.org/docs.html
http://www.inmon.com/tutorials/ids.php
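One concrete thing to look for in a snort -v dump, in this situation, is the desktop itself opening SMTP connections (TCP port 25) to many hosts other than the ISP's mail server: a mail client talks to one relay, a spam engine talks to hundreds. The script below, added here as an example and not part of the original thread or of Snort, parses the record format shown in the post and counts outbound SYNs to port 25 per destination. It assumes the desktop's address is 192.168.1.101 as in the quoted record, and uses 192.0.2.10 as a placeholder for the ISP's SMTP server; the sample dump is constructed (the first record is the one from the post, the rest are invented, with RFC 5737 documentation addresses).

```python
import re
from collections import defaultdict

# Header line of one "snort -v" record: timestamp src:port -> dst:port
HEADER = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# TCP flag field as snort prints it: eight positions 1 2 U A P R S F, '*' when unset
FLAGS = re.compile(r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:")

def parse_records(text):
    """Yield one dict per TCP record (header fields plus the flag string).
    Separator lines, TTL/TOS lines and option lines are skipped."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            continue
        m = FLAGS.match(line)
        if m and current is not None:
            current["flags"] = m.group("flags")
            yield current
            current = None

def outbound_smtp_syns(text, local_ip, allowed_smtp):
    """Count connection attempts (SYN without ACK) from local_ip to port 25
    on hosts that are not the expected relay. Returns {dst_ip: count}."""
    hits = defaultdict(int)
    for r in parse_records(text):
        flags = r["flags"]
        syn_only = flags[6] == "S" and flags[3] == "*"   # position 6 = S, 3 = A
        if (r["src"] == local_ip and r["dport"] == "25"
                and syn_only and r["dst"] not in allowed_smtp):
            hits[r["dst"]] += 1
    return dict(hits)

# Constructed sample: the record from the post plus invented records.
# 192.0.2.10 stands in for the ISP's relay (placeholder, not a real server).
SAMPLE = """\
05/16-10:12:25.315820 199.107.65.177:80 -> 192.168.1.101:1648
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4578D44F Ack: 0x72FD8295 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3996598544 922509
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/16-10:12:30.000100 192.168.1.101:1650 -> 192.0.2.10:25
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x16D0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/16-10:12:31.000200 192.168.1.101:1651 -> 198.51.100.7:25
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
******S* Seq: 0x2B3C4D5E Ack: 0x0 Win: 0x16D0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/16-10:12:31.000300 198.51.100.7:25 -> 192.168.1.101:1651
TCP TTL:52 TOS:0x0 ID:3 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x3C4D5E6F Ack: 0x2B3C4D5F Win: 0x16D0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/16-10:12:34.000400 192.168.1.101:1652 -> 198.51.100.7:25
TCP TTL:64 TOS:0x0 ID:4 IpLen:20 DgmLen:60 DF
******S* Seq: 0x4D5E6F70 Ack: 0x0 Win: 0x16D0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/16-10:12:35.000500 192.168.1.101:1653 -> 203.0.113.40:25
TCP TTL:64 TOS:0x0 ID:5 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5E6F7081 Ack: 0x0 Win: 0x16D0 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/16-10:12:36.000600 192.168.1.101:1654 -> 203.0.113.40:80
TCP TTL:64 TOS:0x0 ID:6 IpLen:20 DgmLen:60 DF
******S* Seq: 0x6F708192 Ack: 0x0 Win: 0x16D0 TcpLen: 40
"""

LOCAL_IP = "192.168.1.101"
ISP_SMTP = {"192.0.2.10"}   # placeholder for the ISP's SMTP server address

def scan_sample():
    """Run the check over the constructed sample; {dst_ip: attempts}."""
    return outbound_smtp_syns(SAMPLE, LOCAL_IP, ISP_SMTP)

if __name__ == "__main__":
    for dst, n in sorted(scan_sample().items()):
        print(f"{n} SMTP connection attempt(s) to {dst}")
```

Snort 2 accepts a BPF filter after its options, so `snort -v dst port 25 > smtp.txt` keeps the dump to the candidate records before the script sees it. Read the result as triage only: a single relay and nothing else is consistent with a clean desktop, while SYNs fanning out to many port-25 hosts is what a spam engine on the box looks like; bounces that arrive at the ISP for mail this desktop never sent point at forged From/Reply-To headers instead.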
I would NOT use snort for this. Snort looks for suspicious traffic. To be real about it, spammers do not produce 'suspicious' traffic: they just send email. I'd start with logs from the mail server you are running.
> I would NOT use snort for this. Snort looks for suspicious traffic. To be real about it,
> spammers do not produce 'suspicious' traffic: they just send email. I'd start with logs
> from the mail server you are running.

Thank you for replying. And how do I access the logs from my mail server? Again, I'm using Thunderbird.

Sheng-Chieh
Are you not running a mailserver on one of your computers? Are you only using your ISP's mailserver?
I'm not sure what I'm doing, so let me give you the setup (and you can figure it out). This house has a Windows server with a firewall. "Inside" is my Xandros (Debian-based) desktop. I'm using Thunderbird to POP3/SMTP my emails. Nothing fancy (no corporate email system). Again, I'm using an sbcglobal.net account provided by DSL Yahoo! I'm guessing they have the mail server, not me. Correct? If I have no mail server, then what step(s) should I take to solve my problem (see above)?

Sheng-Chieh
In that case, you should look at system-level security for your answers. Run a script like 'chkrootkit' or 'rkhunter' on your Xandros desktop. Look for suspicious users or processes. If you don't find any, you're probably clean. On your windows machine, run standard anti-virus and anti-spyware tools. If all these are clean, my guess is the spammer is just placing your address in the 'From' field of his emails.
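For the "look for suspicious users" step, here is a small check of the kind rkhunter performs on the password file, added as an example; it is not part of the thread and not code from chkrootkit or rkhunter. It flags extra UID-0 logins, UIDs shared between two accounts, and malformed lines. The passwd text below is constructed; "sysadm" and "ftpd" are invented entries of the sort an intruder adds, and "user" is a stand-in for the normal desktop account.

```python
def suspicious_accounts(passwd_text):
    """Return (reason, username) pairs for /etc/passwd entries that an intruder
    commonly leaves behind: extra UID-0 logins, UIDs shared between accounts,
    and lines that do not have the seven expected colon-separated fields."""
    findings = []
    seen_uid = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed entry", line))
            continue
        name, _pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append(("uid 0 but not root", name))
        if uid in seen_uid:
            findings.append((f"duplicate uid {uid} with {seen_uid[uid]}", name))
        else:
            seen_uid[uid] = name
    return findings

def check_passwd_file(path="/etc/passwd"):
    """Run the same check against the real file on the desktop."""
    with open(path) as f:
        return suspicious_accounts(f.read())

# Constructed sample resembling a Debian-era passwd file; "sysadm" and "ftpd"
# are invented entries of the kind a rootkit or intruder adds.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
user:x:1000:1000:Desktop User,,,:/home/user:/bin/bash
sysadm:x:0:0::/:/bin/sh
ftpd:x:1000:1000::/var/tmp/.x:/bin/sh
"""

if __name__ == "__main__":
    for reason, name in suspicious_accounts(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

A clean file returns an empty list. The check complements rather than replaces chkrootkit and rkhunter, which also compare binaries and look for hidden processes; an account sharing UID 0 with root, or a second account on the desktop user's UID with a home directory under /var/tmp, is the sort of leftover worth explaining before concluding the machine is clean.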