Intrusion Detection Systems mailing list archives

Re: IDS engines put this together


From: Mark.Teicher () predictive com (Mark.Teicher () predictive com)
Date: Tue, 13 Jun 2000 08:07:23 -0700


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Actually it is fairly easy to integrate the RBL logic into some pretty 
fancy NFR N-code and also to generate alerts for x number of RCPT's for a 
message.

The algorithm is fairly straightforward; getting everything to work 
without flooding the NFR console is another story altogether.. :)

/m

"Marcus J. Ranum" <mjr () nfr net>
Sent by: owner-ids () uow edu au
06/12/00 11:13 AM

 
        To:     Greg Shipley <gshipley () neohapsis com>
        cc:     ids () uow edu au
        Subject:        Re: IDS: IDS engines put this together

Greg Shipley wrote:
Do current NIDS have signatures for SPAMing?

You can have an NFR generate an alert if there are more
than a certain number of RCPT:s for a message. But I
think it'll be hard to come up with a perfect algorithm
for determining spam from desirable bulk mailings. That's
the real trick. We have all the other pieces of the puzzle
except that one.

mjr.

-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://pubweb.nfr.net/~mjr
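
The RCPT-count alert discussed in both messages above, with a suppression window so that one noisy source does not flood the console, as an added Python example; it is not NFR N-code and not code from either poster. The `RcptMonitor` class, the threshold of 3, the 300-second window and the sample addresses are assumptions, and the RBL lookup is not covered.

```python
import re

_CMD = re.compile(r"^(MAIL FROM|RCPT TO|RSET|DATA|HELO|EHLO)\b", re.I)

class RcptMonitor:
    """Per-client RCPT TO counter with alert suppression (hypothetical helper)."""

    def __init__(self, threshold=3, suppress=300):  # assumed values, tune per site
        self.threshold, self.suppress = threshold, suppress
        self.rcpts = {}       # src -> RCPT count in the current message
        self.in_data = set()  # srcs currently sending a message body
        self.last_alert = {}  # src -> time of the last alert shown
        self.suppressed = 0   # alerts withheld to keep the console quiet

    def feed(self, ts, src, line):
        """Process one client-to-server line; return an alert string or None."""
        line = line.strip()
        if src in self.in_data:  # body text may contain "RCPT TO"; skip to lone "."
            if line == ".":
                self.in_data.discard(src)
                self.rcpts[src] = 0
            return None
        m = _CMD.match(line)
        cmd = m.group(1).upper() if m else ""
        if cmd == "DATA":  # assumes the server accepted DATA (replies not tracked)
            self.in_data.add(src)
        elif cmd == "RCPT TO":
            self.rcpts[src] = self.rcpts.get(src, 0) + 1
            if self.rcpts[src] == self.threshold + 1:  # alert once per message
                last = self.last_alert.get(src)
                if last is None or ts - last >= self.suppress:
                    self.last_alert[src] = ts
                    return f"{src}: more than {self.threshold} RCPTs in one message"
                self.suppressed += 1  # same source alerted recently: stay quiet
        elif cmd:  # MAIL FROM, RSET, HELO, EHLO begin a new message
            self.rcpts[src] = 0
        return None

def message(ts, src, n):
    """Constructed sample: one SMTP message from src with n recipients."""
    return ([(ts, src, "MAIL FROM:<a@example.com>")]
            + [(ts, src, f"RCPT TO:<u{i}@example.net>") for i in range(n)]
            + [(ts, src, "DATA"), (ts, src, "RCPT TO: fake"), (ts, src, ".")])

def run(events, **kw):
    """Feed (ts, src, line) tuples; return (alerts, suppressed_count)."""
    mon = RcptMonitor(**kw)
    alerts = [a for a in (mon.feed(*e) for e in events) if a]
    return alerts, mon.suppressed
```

The suppressed counter keeps the withheld alerts visible as a number, so the console stays readable without the events being lost.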

