LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-16-2005, 05:10 PM   #1
shengchieh
Member
 
Registered: Jul 2004
Location: Palo Alto, CA
Distribution: #! Korora
Posts: 472

Rep: Reputation: 30
Question using snort to detect possible spammer(s)


To All:

I'm trying to understand how to use SNORT to determine
whether a spammer is using my machine or not. I have
many documentations, but still not understanding what
am I looking for.

PROBLEM

- When I send emails (using POP3/SMTP w/ thunderbird),
once in a while a message returns.
- In my bulk folder, when I log on via the web, I notice
alot of returned emails, i.e., a spammer is spamming
everywhere and the bounced emails are showing up in my
"suspected spam" folder (so the emails never make it
down to my desktop - but that's good).

STRATEGY

I'm trying to figure out if

- my desktop machine is infested (probably not)
- the window server (external of the desktops), that also
has a firewall, is infested
- a spammer is just using my address in the "reply to"
part of the spamming emails.

QUESTION

I'm using SNORT (http://www.snort.org) to figure out whether
my desktop is being abused. The trouble is I don't know
exactly what I'm looking for. Perhap I'm not understanding
the basic philosophy of SNORT.

I've tried snort -v and get alot of data on the screen.
For example, one set of data looks like

05/16-10:12:25.315820 199.107.65.177:80 -> 192.168.1.101:1648
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x4578D44F Ack: 0x72FD8295 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3996598544 922509

Exactly what am I looking for? I prefer not to output tons of
stuffs, but enough to determine if someone else is abusing this
desktop. Fyi, I'm the only one, supposed to be on, using Xandros
2.0 (debian-based) and this old Dell Dimension l933r. And I'm
using DSL Yahoo! and a sbcglobal.net account.

Thanks in advance for any help.

Sheng-Chieh

-----

p.s. In case, if anybody else wants, the SNORT docs are at

http://www.snort.org/docs/
http://neworder.box.sk/newsread.php?newsid=7646
http://www.dpo.uab.edu/~andrewb/snor...doc/snort.html
http://www.jpsdomain.org/infosec/snort.html
http://www.ntsug.org/docs.html
http://www.inmon.com/tutorials/ids.php
 
Old 05-16-2005, 06:17 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
I would NOT use snort for this. Snort looks for suspicious traffic. To be real about it, spammers do not produce 'suspicious' traffic: they just send email. I'd start with logs from the mail server you are running.
 
Old 05-16-2005, 09:10 PM   #3
shengchieh
Member
 
Registered: Jul 2004
Location: Palo Alto, CA
Distribution: #! Korora
Posts: 472

Original Poster
Rep: Reputation: 30
> I would NOT use snort for this. Snort looks for suspicious traffic. To be real about it,
> spammers do not produce 'suspicious' traffic: they just send email. I'd start with logs
> from the mail server you are running.

Thank you for replying.

And how do I access the logs from my mail server?
Again, I'm using thunderbird.

Sheng-Chieh
 
Old 05-16-2005, 09:25 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
Are you not running a mailserver on one of your computers? Are you only using your ISP's mailserver?
 
Old 05-17-2005, 12:08 PM   #5
shengchieh
Member
 
Registered: Jul 2004
Location: Palo Alto, CA
Distribution: #! Korora
Posts: 472

Original Poster
Rep: Reputation: 30
I'm not sure I'm doing, so let me give you the setup
(and you can figure it out).

This house has a window server with a firewall.
"Inside" is my xandros (debian-based) desktop.
I'm using thunderbird to POP3/SMTP my emails.
Nothing fancy (no corporate email system).

Again, I'm using a sbcglobal.net account provided
by DSL Yahoo! I'm guessing they have the mail server,
not me. Correct?

If I have no mail server, then what step(s) should I take
to solve my problem (see above)?

Sheng-Chieh
 
Old 05-17-2005, 11:35 PM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
In that case, you should look at system-level security for your answers. Run a script like 'chkrootkit' or 'rkhunter' on your Xandros desktop. Look for suspicious users or processes. If you don't find any, you're probably clean. On your windows machine, run standard anti-virus and anti-spyware tools. If all these are clean, my guess is the spammer is just placing your address in the 'From' field of his emails.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to detect nmap SYN scan w snort jmARC Linux - Security 1 06-09-2005 11:09 AM
A spammer goes to the slammer! Donboy General 27 11-10-2004 10:29 AM
help me track down a spammer kidestranged Linux - Security 14 04-29-2004 09:10 PM
Spammer using my domain mikeyt_333 General 8 02-02-2004 07:49 PM
Help me to find the spammer(s) m_thangbk Linux - General 3 12-30-2002 04:05 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration