# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# POLICY-SPAM RULES
#-------------------
#
# Every rule in this section is written with a leading "#" and is therefore
# disabled as shipped; a rule is enabled by removing that "#" so the line
# starts with "alert". Keep one rule per line: Snort does not allow a rule to
# span lines unless each continued line ends with a backslash, so do not
# re-wrap these when editing.
#
# Layout of this section:
#   sid 24598        - 1.usa.gov short link in a mail body (file_data + pcre),
#                      inbound to $SMTP_SERVERS port 25
#   sid 21637        - outbound HTTP POST from $HOME_NET carrying a paypal-style
#                      phishing form (http_method / http_uri / http_client_body)
#   sid 19122, 19015 - one spam domain string each, inbound to $SMTP_SERVERS port 25
#   sid 18061..17926 - one rule per known spam .ru domain; each is a plain
#                      case-insensitive content match on the to-server SMTP
#                      payload with no buffer modifier, classtype
#                      policy-violation, rev 4, and carries no reference
#
# Matches "http://1.usa.gov/" followed by a 6-8 character lowercase-hex path inside
# the mail body (file_data); the pcre is case-insensitive (/smi).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:3;)
#
# Fires on a POST to /logindo.php whose body contains partner=, &login=, &user=,
# &pass= and &submit= in that order (each distance:0 anchors to the previous match).
# The direction is $HOME_NET -> $EXTERNAL_NET, i.e. a local client submitting the form.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM local user attempted to fill out paypal phishing form"; flow:to_server,established; content:"POST"; http_method; content:"/logindo.php"; fast_pattern:only; http_uri; content:"partner="; nocase; http_client_body; content:"&login="; distance:0; nocase; http_client_body; content:"&user="; distance:0; nocase; http_client_body; content:"&pass="; distance:0; nocase; http_client_body; content:"&submit="; distance:0; nocase; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1192; classtype:suspicious-login; sid:21637; rev:5;)
#
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM appledownload.com known spam email attempt"; flow:to_server, established; content:"appledownload.com"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.tuaw.com/2011/05/18/new-phishing-email-pretends-to-be-from-apples-online-store/; classtype:policy-violation; sid:19122; rev:6;)
#
# Note the leading space inside this content match (" visiopharm-3d.eu"); it is
# part of the pattern as written and is kept here unchanged.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM visiopharm-3d.eu known spam email attempt"; flow:to_server, established; content:" visiopharm-3d.eu"; nocase; metadata:service smtp; classtype:policy-violation; sid:19015; rev:4;)
#
# Known spam domains, one rule each (sid 18061 down to 17926). The content
# match is not restricted to a buffer, so it applies to the whole to-server
# SMTP payload (headers, body, and any quoted text alike).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM zueuz.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"zueuz.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18061; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM zeroprices.ru known spam email attempt"; flow:to_server, established; content:"zeroprices.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18060; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM yzugez.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"yzugez.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18059; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM yomy.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"yomy.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18058; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ymyuto.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"ymyuto.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18057; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ylum.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"ylum.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18056; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM yit.medicdrugsxor.ru known spam email attempt"; flow:to_server, established; content:"yit.medicdrugsxor.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18055; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ygy.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"ygy.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18054; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM xob.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"xob.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18053; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM www.visitcover.ru known spam email attempt"; flow:to_server, established; content:"www.visitcover.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM www.buhni.ru known spam email attempt"; flow:to_server, established; content:"www.buhni.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18051; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM world.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"world.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18050; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM word.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"word.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18049; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM was.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"was.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18048; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM voiceless.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"voiceless.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18047; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM via.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"via.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18046; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM variation.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"variation.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18045; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uuji.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"uuji.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18044; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM utuqaj.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"utuqaj.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18043; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM upazo.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"upazo.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18042; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM unasu.medicdrugsxto.ru known spam email attempt"; flow:to_server, established; content:"unasu.medicdrugsxto.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18041; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uielij.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"uielij.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18040; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uf.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"uf.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18039; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM uboi.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"uboi.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18038; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tyqaja.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"tyqaja.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18037; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM twodays.ru known spam email attempt"; flow:to_server, established; content:"twodays.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18036; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM trusting-me.ru known spam email attempt"; flow:to_server, established; content:"trusting-me.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18035; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM trails.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"trails.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18034; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM to.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"to.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18033; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM the.onlineruggiero33q.ru known spam email attempt"; flow:to_server, established; content:"the.onlineruggiero33q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18032; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM the.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"the.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18031; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tanuen.dimedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"tanuen.dimedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18030; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabwebster77c.ru known spam email attempt"; flow:to_server, established; content:"tabwebster77c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18029; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tablangston19a.ru known spam email attempt"; flow:to_server, established; content:"tablangston19a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18028; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabgordan13n.ru known spam email attempt"; flow:to_server, established; content:"tabgordan13n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18027; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabdarin80s.ru known spam email attempt"; flow:to_server, established; content:"tabdarin80s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18026; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM sya.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"sya.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18025; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM store-softwarebuy-7.ru known spam email attempt"; flow:to_server, established; content:"store-softwarebuy-7.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18024; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM starring.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"starring.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18023; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM specialyou.ru known spam email attempt"; flow:to_server, established; content:"specialyou.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18022; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM software-buyshop-7.ru known spam email attempt"; flow:to_server, established; content:"software-buyshop-7.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18021; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ryhux.medicdrugsxpa.ru known spam email attempt"; flow:to_server, established; content:"ryhux.medicdrugsxpa.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18020; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ruuav.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"ruuav.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18019; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM riwaro.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"riwaro.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18018; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM right.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"right.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18017; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM returning.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"returning.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18016; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM research.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"research.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18015; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM reobaj.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"reobaj.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18014; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM records.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"records.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18013; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM recently.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"recently.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18012; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pillrolfe64l.ru known spam email attempt"; flow:to_server, established; content:"pillrolfe64l.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18011; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oxuc.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"oxuc.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18010; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ouu.almedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"ouu.almedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18009; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM orderbuzz.ru known spam email attempt"; flow:to_server, established; content:"orderbuzz.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18008; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM opy.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"opy.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18007; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM onotye.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"onotye.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18006; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oji.medicdrugsxto.ru known spam email attempt"; flow:to_server, established; content:"oji.medicdrugsxto.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18005; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oipek.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"oipek.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18004; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM of.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"of.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18003; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM of.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"of.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18002; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM of.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"of.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18001; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oeqio.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"oeqio.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:18000; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oekaka.aimedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"oekaka.aimedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17999; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM odoog.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"odoog.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17998; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM odimys.medicdrugsxlb.ru known spam email attempt"; flow:to_server, established; content:"odimys.medicdrugsxlb.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17997; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM niqiv.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"niqiv.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17996; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM negotiations.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"negotiations.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17995; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM nazuwu.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"nazuwu.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17994; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM minionspre.ru known spam email attempt"; flow:to_server, established; content:"minionspre.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17993; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medpenny17j.ru known spam email attempt"; flow:to_server, established; content:"medpenny17j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17992; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM masa.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"masa.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17991; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM manila.onlinephilbert42f.ru known spam email attempt"; flow:to_server, established; content:"manila.onlinephilbert42f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17990; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM lybah.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"lybah.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17989; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM koosaf.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"koosaf.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17988; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jyzyv.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"jyzyv.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17987; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jyn.medicdrugsxdl.ru known spam email attempt"; flow:to_server, established; content:"jyn.medicdrugsxdl.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17986; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM joseph.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"joseph.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17985; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM john.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"john.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17984; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jex.remedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"jex.remedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17983; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jael.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"jael.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17982; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jaecoh.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"jaecoh.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17981; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iyw.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"iyw.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17980; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iycyde.medicdrugsxco.ru known spam email attempt"; flow:to_server, established; content:"iycyde.medicdrugsxco.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17979; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iweqyz.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"iweqyz.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17978; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ive.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"ive.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17977; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM itaca.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"itaca.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17976; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM is.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"is.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17975; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iqor.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"iqor.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17974; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ipiig.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"ipiig.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17973; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM inunuw.medicdrugsxpo.ru known spam email attempt"; flow:to_server, established; content:"inunuw.medicdrugsxpo.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17972; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM intelpost.ru known spam email attempt"; flow:to_server, established; content:"intelpost.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17971; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM in.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"in.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17970; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iner.medicdrugsxdl.ru known spam email attempt"; flow:to_server, established; content:"iner.medicdrugsxdl.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17969; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iki.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"iki.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17968; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM iiy.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"iiy.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17967; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM icysa.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"icysa.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17966; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM hyem.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"hyem.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17965; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM huhuh.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"huhuh.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17964; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM headtest.ru known spam email attempt"; flow:to_server, established; content:"headtest.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17963; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM have.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"have.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17962; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM has.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"has.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17961; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM gueepa.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"gueepa.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17960; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM goyry.ramedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"goyry.ramedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17959; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM generality.onlinehill21q.ru known spam email attempt"; flow:to_server, established; content:"generality.onlinehill21q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17958; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM food.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"food.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17957; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fauxy.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"fauxy.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17956; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fashionchannel.ru known spam email attempt"; flow:to_server, established; content:"fashionchannel.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17955; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eyu.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"eyu.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17954; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM exa.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"exa.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17953; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erol.camedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"erol.camedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17952; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectgodart30s.ru known spam email attempt"; flow:to_server, established; content:"erectgodart30s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17951; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM epeno.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"epeno.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17950; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM elik.drugslevy46b.ru known spam email attempt"; flow:to_server, established; content:"elik.drugslevy46b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17949; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM election.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"election.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17948; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eka.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"eka.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17947; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ehyw.cumedicdrugsx.ru known spam email attempt"; flow:to_server, established; content:"ehyw.cumedicdrugsx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17946; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM egi.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"egi.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17945; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eeez.onlinehamel83i.ru known spam email attempt"; flow:to_server, established; content:"eeez.onlinehamel83i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17944; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM eaihar.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"eaihar.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17943; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM dypoh.erectjefferey85n.ru known spam email attempt"; flow:to_server, established; content:"dypoh.erectjefferey85n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17942; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM dux.erectnoll24k.ru known spam email attempt"; flow:to_server, established; content:"dux.erectnoll24k.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17941; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsgeorge65g.ru known spam email attempt"; flow:to_server, established; content:"drugsgeorge65g.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17940; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM divyo.pillking74s.ru known spam email attempt"; flow:to_server, established; content:"divyo.pillking74s.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17939; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM direct.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"direct.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17938; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM diet.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"diet.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17937; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM delegate.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"delegate.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17936; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM deepcenter.ru known spam email attempt"; flow:to_server, established; content:"deepcenter.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17935; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM cyacaz.pilltodd73p.ru known spam email attempt"; flow:to_server, established; content:"cyacaz.pilltodd73p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17934; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM current.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"current.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17933; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM cswjlxey.ru known spam email attempt"; flow:to_server, established; content:"cswjlxey.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17932; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM compensate.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"compensate.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17931; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM classification.refillreade47j.ru known spam email attempt"; flow:to_server, established; content:"classification.refillreade47j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17930; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM chula.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"chula.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17929; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM chemist.onlineruggiero33q.ru known spam email attempt"; flow:to_server, established; content:"chemist.onlineruggiero33q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17928; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM cardinals.refilldud86o.ru known spam email attempt"; flow:to_server, established; content:"cardinals.refilldud86o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17927; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM by.pharmroyce83b.ru known spam email attempt"; flow:to_server, established; content:"by.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17926; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM back.pharmroyce83b.ru known spam email attempt"; flow:to_server, established;
content:"back.pharmroyce83b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17925; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM azo.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"azo.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17924; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM axoseb.medicdrugsxck.ru known spam email attempt"; flow:to_server, established; content:"axoseb.medicdrugsxck.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17923; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ava.refilleldredge89r.ru known spam email attempt"; flow:to_server, established; content:"ava.refilleldredge89r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17922; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM argue.medrayner44c.ru known spam email attempt"; flow:to_server, established; content:"argue.medrayner44c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17921; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM aobuii.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"aobuii.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17920; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM akiq.onlinetommie54y.ru known spam email attempt"; flow:to_server, established; content:"akiq.onlinetommie54y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17919; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM aaof.onlinelewiss22r.ru known spam email attempt"; flow:to_server, established; content:"aaof.onlinelewiss22r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17918; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"POLICY-SPAM signpearl.ru known spam email attempt"; flow:to_server, established; content:"signpearl.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17033; rev:6;)
# --- Known spam domains, inbound SMTP (sids 16991-17032) ---
# All commented out (leading '#'), i.e. disabled until uncommented; these
# are static indicators, so enable selectively rather than as a set.
# Each rule is a case-insensitive substring match for one domain on the raw
# inbound SMTP stream with no file_data and no anchoring. It therefore
# matches the string anywhere (headers, quoted text, longer hostnames that
# contain it -- e.g. "oneus.ru" also hits "...phoneus.ru"), and the
# shorter the string the higher the false-positive risk. A domain inside a
# base64- or quoted-printable-encoded body part is presumably not seen
# without file_data; confirm on the Snort build in use. Only port 25 to
# $SMTP_SERVERS is covered, and no reference: metadata is carried.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM centtry.ru known spam email attempt"; flow:to_server, established; content:"centtry.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17032; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fewvalley.ru known spam email attempt"; flow:to_server, established; content:"fewvalley.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17030; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tenderpower.ru known spam email attempt"; flow:to_server, established; content:"tenderpower.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17029; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM scoreenjoy.ru known spam email attempt"; flow:to_server, established; content:"scoreenjoy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17027; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM redlead.ru known spam email attempt"; flow:to_server, established; content:"redlead.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM thoughthese.ru known spam email attempt"; flow:to_server, established; content:"thoughthese.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17025; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM writeobject.ru known spam email attempt"; flow:to_server, established; content:"writeobject.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17024; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM hillfoot.ru known spam email attempt"; flow:to_server, established; content:"hillfoot.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17023; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM thatmile.ru known spam email attempt"; flow:to_server, established; content:"thatmile.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17022; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM nearpass.ru known spam email attempt"; flow:to_server, established; content:"nearpass.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17021; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM sheerwheel.ru known spam email attempt"; flow:to_server, established; content:"sheerwheel.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17020; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ensureequate.ru known spam email attempt"; flow:to_server, established; content:"ensureequate.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17018; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM beatmoon.ru known spam email attempt"; flow:to_server, established; content:"beatmoon.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17017; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM boxdouble.ru known spam email attempt"; flow:to_server, established; content:"boxdouble.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17016; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pamperletter.ru known spam email attempt"; flow:to_server, established; content:"pamperletter.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17015; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM rowsay.ru known spam email attempt"; flow:to_server, established; content:"rowsay.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17014; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM reapcomfy.ru known spam email attempt"; flow:to_server, established; content:"reapcomfy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17013; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oneus.ru known spam email attempt"; flow:to_server, established; content:"oneus.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17012; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM beginwisdom.ru known spam email attempt"; flow:to_server, established; content:"beginwisdom.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17011; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM starknow.ru known spam email attempt"; flow:to_server, established; content:"starknow.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17010; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM butleft.ru known spam email attempt"; flow:to_server, established; content:"butleft.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17009; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM hisoffer.ru known spam email attempt"; flow:to_server, established; content:"hisoffer.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17008; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmerastus.ru known spam email attempt"; flow:to_server, established; content:"pharmerastus.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17007; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM lovingover.ru known spam email attempt"; flow:to_server, established; content:"lovingover.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17006; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM paintwater.ru known spam email attempt"; flow:to_server, established; content:"paintwater.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17005; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 2047757.kaskad-travel.ru known spam email attempt"; flow:to_server, established; content:"2047757.kaskad-travel.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17004; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM younglaugh.ru known spam email attempt"; flow:to_server, established; content:"younglaugh.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17003; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM swellliquid.ru known spam email attempt"; flow:to_server, established; content:"swellliquid.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17002; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM dillonline.ru known spam email attempt"; flow:to_server, established; content:"dillonline.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17001; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM ximenezdrug.ru known spam email attempt"; flow:to_server, established; content:"ximenezdrug.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17000; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM jasemed.ru known spam email attempt"; flow:to_server, established; content:"jasemed.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16999; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsnevile.ru known spam email attempt"; flow:to_server, established; content:"drugsnevile.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16998; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM giacoporx.ru known spam email attempt"; flow:to_server, established; content:"giacoporx.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16997; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM quincytab.ru known spam email attempt"; flow:to_server, established; content:"quincytab.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16996; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM miltyrefil.ru known spam email attempt"; flow:to_server, established; content:"miltyrefil.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16995; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM abletool.ru known spam email attempt"; flow:to_server, established; content:"abletool.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16994; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabwinn2a.ru known spam email attempt"; flow:to_server, established; content:"tabwinn2a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16993; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM liquideat.ru known spam email attempt"; flow:to_server, established; content:"liquideat.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16992; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM fruitone.ru known spam email attempt"; flow:to_server, established; content:"fruitone.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16991; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM nextmail.ru known spam email attempt"; flow:to_server, established; content:"nextmail.ru"; nocase; metadata:service 
smtp; classtype:policy-violation; sid:16990; rev:6;)
# --- Known spam domains, inbound SMTP (sids 16965-16989) ---
# All commented out (leading '#') and so disabled until uncommented; static
# indicators, enable selectively. Each rule is a case-insensitive substring
# match for one domain on the raw inbound SMTP stream (no file_data, no
# anchoring): it fires on the string anywhere it appears, including inside
# longer hostnames, and presumably not inside base64/quoted-printable
# encoded body parts -- confirm on the Snort build in use. Port 25 to
# $SMTP_SERVERS only; no reference: metadata.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabferd49a.ru known spam email attempt"; flow:to_server, established; content:"tabferd49a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16989; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM moderneight.ru known spam email attempt"; flow:to_server, established; content:"moderneight.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16988; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabemmerich86b.ru known spam email attempt"; flow:to_server, established; content:"tabemmerich86b.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16987; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM extoleye.ru known spam email attempt"; flow:to_server, established; content:"extoleye.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16985; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM freshmuch.ru known spam email attempt"; flow:to_server, established; content:"freshmuch.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16984; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM heatsettle.ru known spam email attempt"; flow:to_server, established; content:"heatsettle.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16983; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 64.com1.ru known spam email attempt"; flow:to_server, established; content:"64.com1.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16982; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM livelycall.ru known spam email attempt"; flow:to_server, established; content:"livelycall.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16981; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM stillvisit.ru known spam email attempt"; flow:to_server, established; content:"stillvisit.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16980; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM solvecalm.ru known spam email attempt"; flow:to_server, established; content:"solvecalm.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16979; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM outhave.ru known spam email attempt"; flow:to_server, established; content:"outhave.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16978; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM energypotent.ru known spam email attempt"; flow:to_server, established; content:"energypotent.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16977; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM logzest.ru known spam email attempt"; flow:to_server, established; content:"logzest.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16976; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM oldsheer.ru known spam email attempt"; flow:to_server, established; content:"oldsheer.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16975; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM numberenough.ru known spam email attempt"; flow:to_server, established; content:"numberenough.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16974; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM milklowly.ru known spam email attempt"; flow:to_server, established; content:"milklowly.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16973; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsrey95a.ru known spam email attempt"; flow:to_server, established; content:"drugsrey95a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16972; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM mystick.ru known spam email attempt"; flow:to_server, established; content:"mystick.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16971; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsmayne5a.ru known spam email attempt"; flow:to_server, established; content:"drugsmayne5a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16970; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM steadfig.ru known spam email attempt"; flow:to_server, established; content:"steadfig.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16969; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM bassmax.ru known spam email attempt"; flow:to_server, established; content:"bassmax.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16968; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM wereif.ru known spam email attempt"; flow:to_server, established; content:"wereif.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16967; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM thingpath.ru known spam email attempt"; flow:to_server, established; content:"thingpath.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16966; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM givehome.ru known spam email attempt"; flow:to_server, established; content:"givehome.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16965; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM smellexact.ru known spam email attempt"; flow:to_server, established; content:"smellexact.ru"; nocase; metadata:service 
smtp; classtype:policy-violation; sid:16964; rev:6;)
# --- Known spam domains, inbound SMTP (sids 16940-16963) ---
# All commented out (leading '#') and so disabled until uncommented; static
# indicators, enable selectively. Each rule is a case-insensitive substring
# match for one domain on the raw inbound SMTP stream (no file_data, no
# anchoring): it fires on the string anywhere it appears, including inside
# longer hostnames, and presumably not inside base64/quoted-printable
# encoded body parts -- confirm on the Snort build in use. Port 25 to
# $SMTP_SERVERS only; no reference: metadata.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erecttaylor49i.ru known spam email attempt"; flow:to_server, established; content:"erecttaylor49i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16963; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM onlinelovell30p.ru known spam email attempt"; flow:to_server, established; content:"onlinelovell30p.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16962; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsdemott21o.ru known spam email attempt"; flow:to_server, established; content:"drugsdemott21o.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16961; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectvincent21v.ru known spam email attempt"; flow:to_server, established; content:"erectvincent21v.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16960; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medforster79j.ru known spam email attempt"; flow:to_server, established; content:"medforster79j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16959; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tablennard88q.ru known spam email attempt"; flow:to_server, established; content:"tablennard88q.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16958; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabmario94r.ru known spam email attempt"; flow:to_server, established; content:"tabmario94r.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16957; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medebeneser68c.ru known spam email attempt"; flow:to_server, established; content:"medebeneser68c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16956; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugspenn84f.ru known spam email attempt"; flow:to_server, established; content:"drugspenn84f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16955; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pillgaylor21n.ru known spam email attempt"; flow:to_server, established; content:"pillgaylor21n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16954; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medgaultiero11e.ru known spam email attempt"; flow:to_server, established; content:"medgaultiero11e.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16953; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmharman55y.ru known spam email attempt"; flow:to_server, established; content:"pharmharman55y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16952; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugsjudd45f.ru known spam email attempt"; flow:to_server, established; content:"drugsjudd45f.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16951; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabscotti71i.ru known spam email attempt"; flow:to_server, established; content:"tabscotti71i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16950; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectnormie71a.ru known spam email attempt"; flow:to_server, established; content:"erectnormie71a.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16949; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM onlineheindrick60i.ru known spam email attempt"; flow:to_server, established; content:"onlineheindrick60i.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16948; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmrolland95h.ru known spam email attempt"; flow:to_server, established; content:"pharmrolland95h.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16947; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pillrenault15j.ru known spam email attempt"; flow:to_server, established; content:"pillrenault15j.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16946; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM tabwinn77t.ru known spam email attempt"; flow:to_server, established; content:"tabwinn77t.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16945; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pilldory92n.ru known spam email attempt"; flow:to_server, established; content:"pilldory92n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16944; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM erectguthry99c.ru known spam email attempt"; flow:to_server, established; content:"erectguthry99c.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16943; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugshayyim77n.ru known spam email attempt"; flow:to_server, established; content:"drugshayyim77n.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16942; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM drugshershel38w.ru known spam email attempt"; flow:to_server, established; content:"drugshershel38w.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16941; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM medfreddie55a.ru known spam email attempt"; flow:to_server, established; content:"medfreddie55a.ru"; nocase; metadata:service smtp; 
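classtype:policy-violation; sid:16940; rev:6;)
# --- Tail of the known-spam domain list (sids 16934-16939) ---
# Commented out (disabled) like the rest of the list. Each is a bare nocase
# substring match on the raw inbound SMTP stream with no file_data, so it
# hits the string anywhere it occurs (including inside longer hostnames) and
# presumably misses it inside encoded body parts; port 25 only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM refillleonardo59y.ru known spam email attempt"; flow:to_server, established; content:"refillleonardo59y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16939; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pharmrik66y.ru known spam email attempt"; flow:to_server, established; content:"pharmrik66y.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:16938; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM bestdrug-store.com known spam email attempt"; flow:to_server, established; content:"bestdrug-store.com"; nocase; metadata:service smtp; classtype:policy-violation; sid:16937; rev:6;)
# sid 16936: msg de-duplicated ("xoposuhop.cn xoposuhop.cn" -> "xoposuhop.cn"),
# rev 6 -> 7. Detection options are unchanged.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM xoposuhop.cn known spam email attempt"; flow:to_server, established; content:"xoposuhop.cn"; nocase; metadata:service smtp; classtype:policy-violation; sid:16936; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM sjtu-edp.cn known spam email attempt"; flow:to_server, established; content:"sjtu-edp.cn"; nocase; metadata:service smtp; classtype:policy-violation; sid:16935; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM pku-edp.cn known spam email attempt"; flow:to_server, established; content:"pku-edp.cn"; nocase; metadata:service smtp; classtype:policy-violation; sid:16934; rev:6;)
# --- FedEx-themed spam campaign, outbound HTTP beacon (sid 27604) ---
# Unlike the domain list above this watches $HOME_NET -> $EXTERNAL_NET, i.e.
# an already-infected host (classtype trojan-activity, impact_flag red).
# Matches a request whose normalised URI contains "/main.php?label=" and
# whose raw payload also contains "= HTTP/": the request line ends with '='
# immediately before the version token, presumably a padded base64 value --
# confirm against campaign samples before tuning. The second match is on
# the raw packet payload, not an http_* buffer.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SPAM FedEX spam campaign outbound connection"; flow:to_server,established; content:"/main.php?label="; nocase; http_uri; content:"= HTTP/"; metadata:impact_flag red, service http; classtype:trojan-activity; sid:27604; rev:2;)
# --- Lure-named .zip download carrying an .exe (sids 29396-29399) ---
# Four variants of one pattern: an HTTP response whose headers name a .zip
# built around a lure word (statement / voicemail / shipping / receipt),
# with a body that starts with a ZIP local header ("PK") and has ".exe"
# within the next 50 bytes -- roughly the first entry's name.
# Change vs rev 2: the header content matches are now nocase, consistent
# with the /i on the pcre. Rev 2 required "Shipping" and "Receipt" to be
# capitalised but "statement" and "voicemail" to be lowercase, which the
# pcre never intended, so a lowercase "shipping.zip" was silently missed.
# The in-archive ".exe" match is nocase as well (".EXE" runs just the same).
# Known gaps, unchanged: the pcre's [a-z0-9]{0,20} excludes '_', '-' and
# spaces in the filename, and a long or non-.exe first entry is not seen.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same"; flow:to_client,established; content:"statement"; nocase; fast_pattern:only; http_header; content:".zip"; nocase; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}statement[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; nocase; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29399; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same"; flow:to_client,established; content:"voicemail"; nocase; fast_pattern:only; http_header; content:".zip"; nocase; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}voicemail[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; nocase; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29398; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same"; flow:to_client,established; content:"Shipping"; nocase; fast_pattern:only; http_header; content:".zip"; nocase; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}shipping[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; nocase; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29397; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same"; flow:to_client,established; content:"Receipt"; nocase; fast_pattern:only; http_header; content:".zip"; nocase; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}receipt[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; nocase; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29396; rev:3;)
# --- Inline base64 WOFF font in @font-face (sids 48894, 48895) ---
# Looks for "@font-face" followed within 500 bytes by "url(", then a
# "data:application/font-woff" media type within 50 bytes and "base64"
# within 100, in a mail body (48895, SMTP) or a delivered file (48894,
# ftp-data/http/imap/pop3). The rule only proves that the CSS construct is
# present; it does not verify that the embedded font is used to obfuscate
# page text. Legitimate sites embed fonts this way too, so expect noise from
# 48894 and scope it before enabling.
# Change vs rev 2: the media-type content is now nocase, consistent with the
# other three matches and with case-insensitive media-type parsing.
# Gap, unchanged: only the legacy application/font-woff type is matched;
# check whether samples use font/woff or WOFF2 before relying on this.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt"; flow:to_server,established; file_data; content:"@font-face"; nocase; content:"url|28|"; within:500; nocase; content:"data:application/font-woff"; within:50; nocase; content:"base64"; within:100; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; classtype:policy-violation; sid:48895; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - Web Open Font Format evasion attempt"; flow:to_client,established; file_data; content:"@font-face"; nocase; content:"url|28|"; within:500; nocase; content:"data:application/font-woff"; within:50; nocase; content:"base64"; within:100; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1192; classtype:policy-violation; sid:48894; rev:3;)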