shengchieh 05-16-2005 05:10 PM

using snort to detect possible spammer(s)
 
To All:

I'm trying to understand how to use SNORT to determine
whether a spammer is using my machine or not. I have
read a lot of documentation, but I still don't understand
what I am looking for.

PROBLEM

- When I send emails (using POP3/SMTP w/ thunderbird),
once in a while a message returns.
- In my bulk folder, when I log on via the web, I notice
a lot of returned emails, i.e., a spammer is spamming
everywhere and the bounced emails are showing up in my
"suspected spam" folder (so the emails never make it
down to my desktop - but that's good).

STRATEGY

I'm trying to figure out if

- my desktop machine is infested (probably not)
- the Windows server (external to the desktops), which also
has a firewall, is infested
- a spammer is just using my address in the "reply to"
part of the spamming emails.

QUESTION

I'm using SNORT (http://www.snort.org) to figure out whether
my desktop is being abused. The trouble is I don't know
exactly what I'm looking for. Perhaps I'm not understanding
the basic philosophy of SNORT.

I've tried snort -v and get a lot of data on the screen.
For example, one set of data looks like

05/16-10:12:25.315820 199.107.65.177:80 -> 192.168.1.101:1648
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4578D44F Ack: 0x72FD8295 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3996598544 922509

Exactly what am I looking for? I prefer not to output tons of
stuff, but enough to determine if someone else is abusing this
desktop. FYI, I'm the only one supposed to be on it, using Xandros
2.0 (Debian-based) and this old Dell Dimension l933r. And I'm
using DSL Yahoo! and an sbcglobal.net account.

Thanks in advance for any help.

Sheng-Chieh

-----

P.S. In case anybody else wants them, the SNORT docs are at

http://www.snort.org/docs/
http://neworder.box.sk/newsread.php?newsid=7646
http://www.dpo.uab.edu/~andrewb/snor...doc/snort.html
http://www.jpsdomain.org/infosec/snort.html
http://www.ntsug.org/docs.html
http://www.inmon.com/tutorials/ids.php
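One concrete thing to look for in that kind of snort -v output is the desktop itself opening TCP connections to port 25 on hosts other than the ISP's mail server, since a desktop that only uses Thunderbird through sbcglobal.net should never do that. The following is an added example (not code from the post or from Snort) that parses records in the layout shown above and counts such outbound SYNs per destination; the sample capture, the local address 192.168.1.101 and the relay address 203.0.113.5 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of `snort -v` output (not the poster's capture);
# the desktop is 192.168.1.101 and the ISP's relay is assumed to be 203.0.113.5.
SAMPLE = """\
05/16-10:12:25.315820 199.107.65.177:80 -> 192.168.1.101:1648
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4578D44F Ack: 0x72FD8295 Win: 0x2180 TcpLen: 32

05/16-10:13:01.000100 192.168.1.101:1650 -> 203.0.113.5:25
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:60 DF
******S* Seq: 0x00000001 Ack: 0x0 Win: 0x16D0 TcpLen: 40

05/16-10:13:02.000200 192.168.1.101:1651 -> 198.51.100.20:25
TCP TTL:64 TOS:0x0 ID:101 IpLen:20 DgmLen:60 DF
******S* Seq: 0x00000002 Ack: 0x0 Win: 0x16D0 TcpLen: 40

05/16-10:13:03.000000 192.168.1.101:1651 -> 198.51.100.20:25
TCP TTL:64 TOS:0x0 ID:102 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x00000003 Ack: 0x0000ABCE Win: 0x16D0 TcpLen: 32
"""

HEADER = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
# Snort prints TCP flags in the fixed order 12UAPRSF; a bare SYN is "******S*".
FLAGS = re.compile(r"^([12UAPRSF*]{8}) Seq:")

def parse_records(text):
    """Yield (timestamp, src, sport, dst, dport, flags) for each TCP record."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        if not head or len(lines) < 3 or not lines[1].startswith("TCP "):
            continue
        flg = FLAGS.match(lines[2])
        if flg:
            ts, src, sport, dst, dport = head.groups()
            yield ts, src, int(sport), dst, int(dport), flg.group(1)

def outbound_smtp_attempts(text, local_ip, relay_ips=()):
    """Count SYNs (not ACKs or SYN-ACKs) from local_ip to port 25 per destination,
    ignoring the ISP relay; a clean desktop should yield an empty Counter."""
    hits = Counter()
    for ts, src, sport, dst, dport, flags in parse_records(text):
        if "S" in flags and "A" not in flags and src == local_ip \
                and dport == 25 and dst not in relay_ips:
            hits[dst] += 1
    return hits
```

Feed it `snort -v` output saved to a file and any destination it reports is a host the desktop tried to deliver mail to directly, which is worth explaining before concluding the box is clean.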

Matir 05-16-2005 06:17 PM

I would NOT use snort for this. Snort looks for suspicious traffic. To be real about it, spammers do not produce 'suspicious' traffic: they just send email. I'd start with logs from the mail server you are running.

shengchieh 05-16-2005 09:10 PM

> I would NOT use snort for this. Snort looks for suspicious traffic. To be real about it,
> spammers do not produce 'suspicious' traffic: they just send email. I'd start with logs
> from the mail server you are running.

Thank you for replying.

And how do I access the logs from my mail server?
Again, I'm using thunderbird.

Sheng-Chieh

Matir 05-16-2005 09:25 PM

Are you not running a mailserver on one of your computers? Are you only using your ISP's mailserver?

shengchieh 05-17-2005 12:08 PM

I'm not sure what I'm doing, so let me give you the setup
(and you can figure it out).

This house has a Windows server with a firewall.
"Inside" is my Xandros (Debian-based) desktop.
I'm using Thunderbird to POP3/SMTP my emails.
Nothing fancy (no corporate email system).

Again, I'm using an sbcglobal.net account provided
by DSL Yahoo! I'm guessing they have the mail server,
not me. Correct?

If I have no mail server, then what step(s) should I take
to solve my problem (see above)?

Sheng-Chieh

Matir 05-17-2005 11:35 PM

In that case, you should look at system-level security for your answers. Run a script like 'chkrootkit' or 'rkhunter' on your Xandros desktop. Look for suspicious users or processes. If you don't find any, you're probably clean. On your Windows machine, run standard anti-virus and anti-spyware tools. If all these are clean, my guess is the spammer is just placing your address in the 'From' field of his emails.
