Intrusion Detection Systems mailing list archives
Re: IDS engines put this together
From: bradipo () xmission com (Andy Bradford)
Date: Tue, 13 Jun 2000 21:03:53 -0600
Thus said "Marcus J. Ranum" on Mon, 12 Jun 2000 14:13:04 EDT:
You can have an NFR generate an alert if there are more than a certain number of RCPT:s for a message. But I think it'll be hard to come up with a perfect algorithm for determining spam from desirable bulk mailings. That's the real trick. We have all the other pieces of the puzzle except that one.
There is always the tarpit solution... :-) After a determined number of RCPT TO: are received it starts taking forever to return the ACK for each one. (not really an ACK, but you know what I mean).

Andy
--
[-----------[system uptime]--------------------------------------------]
9:03pm up 15 days, 4:14, 3 users, load average: 1.15, 1.21, 1.22
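
The two ideas in this exchange (alerting on the number of RCPTs per message, and slowing replies once a threshold is passed) can be sketched together. This is an added example, not code from the posters, NFR, or any mail server; the threshold, the doubling delay schedule, the cap, and all names are assumptions.

```python
RCPT_LIMIT = 5     # assumed threshold; the post only says "a determined number"
BASE_DELAY = 1.0   # assumed: seconds of delay for the first RCPT over the limit
MAX_DELAY = 60.0   # assumed cap, so a tarpitted client cannot pin a server slot forever

def tarpit_delay(rcpt_count, limit=RCPT_LIMIT):
    """Seconds to wait before answering the rcpt_count-th RCPT TO of one message."""
    over = rcpt_count - limit
    if over <= 0:
        return 0.0
    # Delay doubles with each extra recipient, up to the cap.
    return min(BASE_DELAY * 2 ** (over - 1), MAX_DELAY)

def process_session(commands, limit=RCPT_LIMIT, sleep=None):
    """Walk the SMTP commands of one connection (commands only, no message body).

    Returns (alerts, total_delay): alerts lists the message numbers that went
    over the limit. Pass sleep=time.sleep to really stall; None is a dry run.
    """
    msg_no, rcpts, total = 0, 0, 0.0
    alerts = []
    for line in commands:
        cmd = line.strip().upper()
        if cmd.startswith("MAIL FROM:"):      # new envelope: restart the count
            msg_no += 1
            rcpts = 0
        elif cmd.startswith("RSET"):          # envelope aborted by the client
            rcpts = 0
        elif cmd.startswith("RCPT TO:"):
            rcpts += 1
            if rcpts == limit + 1:            # alert once per message, on first excess
                alerts.append(msg_no)
            delay = tarpit_delay(rcpts, limit)
            total += delay
            if sleep and delay:
                sleep(delay)
    return alerts, total

# Constructed sample: message 1 has 3 recipients, message 2 has 8.
SAMPLE = (["HELO client.example", "MAIL FROM:<a@example.org>"]
          + [f"RCPT TO:<u{i}@example.net>" for i in range(3)]
          + ["DATA", "MAIL FROM:<b@example.org>"]
          + [f"RCPT TO:<u{i}@example.net>" for i in range(8)]
          + ["DATA", "QUIT"])

if __name__ == "__main__":
    print(process_session(SAMPLE))
```

The count alone cannot tell spam from a desirable bulk mailing, which is the open problem the quoted message points out; the sketch only shows the mechanics.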
