Intrusion Detection Systems mailing list archives
RE: IDS engines put this together
From: broyds () Home com (Bill Royds)
Date: Sun, 11 Jun 2000 21:08:58 -0400
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au

The pattern is that SMTP has two commands that require name@domain responses: MAIL FROM: and RCPT TO:. It is a spam relay attempt if neither of the addresses is in your domain. So an IDS has to detect these two parts of the protocol, determine the domain and IP block of each response, then determine if the domains are "local" in pattern (local sender then remote recipient, or remote sender then local recipient). This requires a DNS lookup, which many IDS are reluctant to do because it puts a signal on the segment. It might be possible if the IDS could gain the relevant domain information at start-up.

P.S. By the way, your spammer came via Korea. Here is the lookup information from Sam Spade (the tool used to do the spam relay check).

06/11/00 20:57:07 whois 211.54.114.180@whois.nic.or.kr
whois -h whois.nic.or.kr 211.54.114.180 ...
Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )
query: 211.54.114.180
# ENGLISH
IP Address        : 211.54.114.0-211.54.115.255
Connect ISP Name  : KORNET
Connect Date      : 2000.02.25
Registration Date : 20000411
Network Name      : KORNET-INFRA

[ Organization Information ]
Organization ID : ORG85714
Name            : KOREA TELECOM
State           : SEOUL
Address         : 128-9 Yungun-dong Jongro-gu
Zip Code        : 110-460

[ Admin Contact Information ]
Name     : Hyunsun Choi
Org Name : KOREA TELECOM
State    : SEOUL
Address  : 128-9 Yungun-dong Jongro-gu
Zip Code : 110-460
Phone    : 02-766-1407
Fax      : 02-766-5901
E-Mail   : packet@soback.kornet.net

[ Technical Contact Information ]
Name     : Hyunsun Choi
Org Name : KOREA TELECOM
Address  : 128-9 Yungun-dong Jongro-gu
Zip Code : 110-460
Phone    : 02-766-1407
Fax      : 02-766-5901
E-Mail   : packet@soback.kornet.net

-----Original Message-----
From: owner-ids@uow.edu.au [mailto:owner-ids@uow.edu.au] On Behalf Of Lance Spitzner
Sent: Sunday, June 11, 2000 13:12
To: ids@uow.edu.au
Subject: IDS: IDS engines put this together

Today one of my honeypots was probed for spam relay. Do IDS engines have the 'intelligence' to put this session together and realize the remote system is probing for spam relay sites? Signature is below. My domain name has been sanitized, but all other information is valid.

220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready at Sun, 11 Jun 2000 11:27:42 -0500
HELO MAIL.EXAMPLE.COM
250 mail.example.com. Hello [211.54.114.180], pleased to meet you
MAIL FROM:<woqjffirst_at_yahoo.com@MAIL.EXAMPLE.COM>
250 <woqjffirst_at_yahoo.com@MAIL.EXAMPLE.COM>... Sender ok
RCPT TO:<woqjffirst@yahoo.com>
250 <woqjffirst@yahoo.com>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
qjffirst@yahoo.com
From: woqjffirst@yahoo.com (Spade relay check)
Subject: MAIL.EXAMPLE.COM relay check
.
250 LAA14291 Message accepted for delivery
QUIT
221 mail.example.com. closing connection

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
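An added example, not code from either poster, of the check Bill describes, written in Python: it pulls MAIL FROM and RCPT TO out of a session transcript and decides whether a recipient lies outside the configured local domains. The local domain list and the internal network range are assumed sensor configuration, loaded once at start-up as Bill suggests, so no DNS lookup is needed at detection time. One caveat is visible in Lance's transcript: the probe's sender domain is the honeypot's own domain, so a rule that only asks whether either address is local would read it as a local user sending outbound. The example therefore also uses the client IP, and tags a remote client with a local-looking sender as a forged sender rather than a legitimate one. The session below is constructed, modelled on the transcript in the thread, with one extra RCPT TO line inside DATA to show that message content is not parsed as commands.

```python
import ipaddress
import re

# Constructed sample session, modelled on the transcript posted in the thread.
# The RCPT TO line inside DATA is message body, not a command, and must be ignored.
SAMPLE_SESSION = """\
220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready
HELO MAIL.EXAMPLE.COM
250 mail.example.com. Hello [211.54.114.180], pleased to meet you
MAIL FROM:<woqjffirst_at_yahoo.com@MAIL.EXAMPLE.COM>
250 <woqjffirst_at_yahoo.com@MAIL.EXAMPLE.COM>... Sender ok
RCPT TO:<woqjffirst@yahoo.com>
250 <woqjffirst@yahoo.com>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: woqjffirst@yahoo.com (Spade relay check)
Subject: MAIL.EXAMPLE.COM relay check
RCPT TO:<decoy@elsewhere.invalid>
.
250 LAA14291 Message accepted for delivery
QUIT
"""

# Assumed sensor configuration (hypothetical values), loaded once at start-up
# so that detection generates no DNS traffic on the monitored segment.
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", re.IGNORECASE)


def domain_of(addr):
    """Domain part of an envelope address; '' for a bare local user or <>.
    The rightmost '@' is authoritative, so the probe's crafted sender
    'woqjffirst_at_yahoo.com@MAIL.EXAMPLE.COM' has domain mail.example.com."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_local_domain(domain, local_domains=LOCAL_DOMAINS):
    """True for a configured local domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in local_domains)


def parse_envelope(session):
    """Return (sender, [recipients]) from the client side of an SMTP session.
    Lines between DATA and the lone '.' are message content and are skipped;
    RSET discards the envelope collected so far."""
    sender, rcpts, in_data = None, [], False
    for raw in session.splitlines():
        line = raw.strip()
        if in_data:
            in_data = line != "."
            continue
        if line.upper() == "DATA":
            in_data = True
        elif line.upper() == "RSET":
            sender, rcpts = None, []
        else:
            m = ENVELOPE_RE.match(line)
            if m:
                if m.group(1).upper() == "MAIL FROM":
                    sender = m.group(2)
                else:
                    rcpts.append(m.group(2))
    return sender, rcpts


def classify_relay(client_ip, sender, rcpts,
                   local_domains=LOCAL_DOMAINS, local_nets=LOCAL_NETS):
    """Flag recipients that would make this session a third-party relay.
    A recipient outside our domains, submitted by a client outside our
    networks, is a relay attempt; a local-looking sender domain in that
    case is treated as forged rather than as evidence of a local user."""
    ip = ipaddress.ip_address(client_ip)
    client_local = any(ip in net for net in local_nets)
    sender_local = is_local_domain(domain_of(sender or ""), local_domains)
    findings = []
    for rcpt in rcpts:
        dom = domain_of(rcpt)
        if dom == "" or is_local_domain(dom, local_domains):
            continue  # inbound mail for us: never a relay
        if client_local:
            continue  # our own users sending outbound
        tag = "relay-attempt-forged-local-sender" if sender_local else "relay-attempt"
        findings.append((tag, rcpt))
    return findings


def analyze_session(session, client_ip):
    """Full pipeline: parse the envelope, then apply the relay rule."""
    sender, rcpts = parse_envelope(session)
    return classify_relay(client_ip, sender, rcpts)


if __name__ == "__main__":
    for tag, rcpt in analyze_session(SAMPLE_SESSION, "211.54.114.180"):
        print(f"{tag}: {rcpt}")
```

Run against the sample with the Korean client address, the only finding is the yahoo.com recipient tagged as a relay attempt with a forged local sender; run with a client address inside the assumed internal range, the same envelope is accepted as ordinary outbound mail. The client IP comes from the transport layer in a real sensor, not from the server's Hello banner, which is text the client can influence through HELO.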
Current thread:
- IDS engines put this together Lance Spitzner (Jun 11)
- RE: IDS engines put this together Bill Royds (Jun 11)
- connection request to port 25 SHAIFUL HASHIM (Jun 12)
- Re: connection request to port 25 Carric Dooley (Jun 12)
- Does anyone know if there is a firewall in the market that does not filter out ip packets with source route option filled in. Akshay Kumar Sreeramoju (Jun 12)
- Re: connection request to port 25 Joe Dauncey (Jun 18)
- Re: IDS engines put this together Greg Shipley (Jun 12)
- port 25 Tim Slighter (Jun 12)
- Re: IDS engines put this together Martin Roesch (Jun 12)
- <Possible follow-ups>
- Re: IDS engines put this together Marcus J. Ranum (Jun 12)
- Re: IDS engines put this together Marcus J. Ranum (Jun 12)
- Re: IDS engines put this together Martin Roesch (Jun 13)
(Thread continues...)
