> Somebody suggested using SBL or one of the blacklists, I forget
> which. I'm looking at ways to do that without involving the mail
> server.
That's a much better pursuit than _accepting messages_ in order to see
whether the IP should be/have been allowed to connect.
Still, this kind of anomaly detection usually does directly involve
the mail server in some fashion (either in real-time via Black Ice or
similar wrappers or via tailing actual MTA logs off the box). With the
right setup, blocking at the edge can be the end action (via SSH or
SNMP or what-have-you). The detection _can_ be done via a dedicated
Snort box, but if you've only got one monitor port and one (or zero)
IDSes, chances are you'll want the logs to originate from the host
itself. And it _could_ be done on a router itself, but we all know how
great is, for example, Cisco's mastery of SMTP; thanks, I'll let
someone else decide what's legit traffic. :)
Tailing logs safely from a non-mail box and performing trusted DNSBL
lookups on everything that connects is another interesting way of
doing things, and probably can be done in closer to real-time than the
more sophisticated anomaly regexes/greps. Then again, by definition,
it is not actually responding to locally observed behavior.
--Sandy
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
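The "tail the logs off the box and DNSBL-check everything that connects" approach described above, as an added example that is not code from the original post: it pulls connecting IPs out of constructed Postfix-style log lines, builds the reversed-octet DNSBL query name, and only treats a 127.0.0.0/8 answer as a listing. The zone "dnsbl.example" is a placeholder, and the resolver is pluggable so the logic can be exercised without network access.

```python
import re
import socket

# Constructed sample lines in a Postfix-style format (not from the original post).
SAMPLE_LOG = """\
May 10 12:00:01 mx postfix/smtpd[1234]: connect from unknown[192.0.2.45]
May 10 12:00:02 mx postfix/smtpd[1234]: connect from mail.example.net[198.51.100.7]
May 10 12:00:03 mx postfix/smtpd[1234]: disconnect from unknown[192.0.2.45]
"""

# \b stops "disconnect from" matching; only inbound connects are of interest.
CONNECT_RE = re.compile(r"\bconnect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ips(log_text):
    """Distinct IPv4 addresses that opened an SMTP connection, in log order."""
    seen = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def dnsbl_query_name(ip, zone):
    """Reversed-octet DNSBL name: 192.0.2.45 -> 45.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Ask the system resolver; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_ips(log_text, zone, resolve=system_resolver):
    """Map each connecting IP the DNSBL lists to the answer it returned.

    Only 127.0.0.0/8 answers count as a listing: anything else usually means a
    wildcarded or expired zone and is a resolver problem, not a hit.
    """
    hits = {}
    for ip in connecting_ips(log_text):
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits[ip] = answer
    return hits
```

Calling `listed_ips(SAMPLE_LOG, "dnsbl.example")` with the default resolver performs live DNS queries, so substitute a list you are entitled to query before running it for real.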