alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:48 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)

Added 2011-10-12 19:11:15 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002087; sid:2002087; rev:10;)

Added 2011-09-14 21:14:05 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid:2002087; rev:10;)

Added 2011-02-04 17:21:42 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid:2002087; rev:9;)

Added 2010-06-28 22:46:59 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid:2002087; rev:9;)

Added 2010-06-28 22:46:59 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid: 2002087; rev:9;)

Added 2009-02-11 19:24:43 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid: 2002087; rev:9;)

Added 2009-02-11 19:24:43 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:8;)

Added 2008-01-31 18:48:10 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:8;)

Added 2008-01-31 18:48:10 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:7;)

Added 2007-03-12 18:11:47 UTC


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound"; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:6;)

Added 2007-03-12 11:00:34 UTC

I added the content:"mail from\:"; nocase; in place of flags S,12. Hopefully this will make the sig more meaningful. It'll only trip is mail is actually passing or being reasonably attempted.

-- MattJonkman - 12 Mar 2007


alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:5;)



Topic revision: r2 - 2007-03-12 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats