Snort mailing list archives
RE: [Snort-sigs] capture email
From: "Snort" <Snort () intercept net>
Date: Tue, 4 Nov 2003 11:34:51 -0500
You might want this option for postfix, have it bcc a new e-mail box on your groupwise server and set up rules that will delete all e-mails except those destined for your teacher or coming from that suspected student.

The postfix always_bcc parameter is what you're looking for:

/usr/share/doc/packages/postfix/samples/sample-misc.cf:
# The always_bcc parameter specifies an optional address that
# receives a copy of each message that enters the Postfix system,
# not including bounces that are generated locally.
#
always_bcc =

Michael

-----Original Message-----
From: Ricardo Londono [mailto:rlondono () ccisd net]
Posted At: Tuesday, November 04, 2003 10:00 AM
Posted To: Snort
Conversation: [Snort-sigs] capture email
Subject: RE: [Snort-sigs] capture email

I run Postfix. I looked at ProcMail but I can't seem to find any info when running PostFix as MTA or Relay... I don't perform any local delivery at all. Mail gets forwarded to GroupWise server.

Ricardo

Robert Wagner <rwagner () eruces com> 11/4/2003 8:26:33 AM >>>
Look at sendmail milter. Create a milter rule that routes messages based on keywords.

-----Original Message-----
From: Ricardo Londono [mailto:rlondono () ccisd net]
Sent: Tuesday, November 04, 2003 7:59 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] capture email

The legal question is not a problem. But after thinking about this and reading the various responses I have to agree that snort is not the right tool. I will look at doing this at the MTA level or Mail Server level.

thanks for all responses!

Ricardo

Brian Howard <drivah () ameritech net> 11/4/2003 1:55:37 AM >>>
Snort is really not the appropriate tool for the job of email monitoring. Before you even head down this road you need to get a really good legal opinion from the school district legal dept. on privacy rights and various federal and, depending on your state, laws that might apply.

Ricardo Londono wrote:

I saw the following question in the archives and was wondering if this is possible? I work for a school district and we have a student sending threats via email to a teacher. The student is using web-based email...

***************************************************************
EMAIL FROM James...

"Wouldn't it be nice to be able to capture an _entire SMTP session_ based on a key word embedded somewhere in the SMTP message? This could easily be used to look for messages with a specific email address on them, with a specific key word inside them, etc. Anyone want to write an SMTP protocol handler?"
***************************************************************

I'm interested in capturing email from a specific email.

thanks for any help.

Ricardo Londoño

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
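
The mailbox rule described in the top reply of this thread (delete every always_bcc copy except mail destined for the teacher or coming from the suspected student), sketched as an added example that is not code from any poster in the thread. The two addresses and the sample messages are constructed placeholders; the thread gives no real ones.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed placeholder addresses (not from the thread).
TEACHER = "teacher@example.org"
STUDENT = "student@webmail.example"


def _addrs(msg, *headers):
    """Lower-cased addresses from the named headers, display names dropped."""
    values = []
    for name in headers:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _display, addr in getaddresses(values) if addr}


def keep(raw, teacher=TEACHER, student=STUDENT):
    """True if the BCC'd copy is retained, False if the rule deletes it.

    Only headers are examined. Header recipients can differ from the SMTP
    envelope recipients, so a teacher who was only Bcc'd will not match.
    """
    msg = message_from_string(raw)
    to_teacher = teacher.lower() in _addrs(msg, "To", "Cc", "Resent-To")
    from_student = student.lower() in _addrs(msg, "From", "Sender", "Reply-To")
    return to_teacher or from_student


def triage(raw_messages):
    """Split BCC'd copies into (kept, deleted) lists."""
    kept, deleted = [], []
    for raw in raw_messages:
        (kept if keep(raw) else deleted).append(raw)
    return kept, deleted


# Constructed sample messages, one per case the rule has to handle.
SAMPLES = [
    # to the teacher, with display name and mixed case
    'From: x@webmail.example\nTo: "A Teacher" <Teacher@Example.org>\n\nbody\n',
    # from the student, to someone else
    "From: STUDENT@webmail.example\nTo: other@example.org\n\nbody\n",
    # unrelated staff mail: deleted
    "From: staff@example.org\nTo: parent@example.net\nCc: office@example.org\n\nbody\n",
    # teacher address only in Subject/body: not a recipient, deleted
    "From: staff@example.org\nTo: parent@example.net\nSubject: teacher@example.org\n\nteacher@example.org\n",
]

if __name__ == "__main__":
    kept, deleted = triage(SAMPLES)
    print(f"kept {len(kept)}, deleted {len(deleted)}")
```
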
