[Snort-sigs] Using snort to stop SMTP dictionary attacks

david at ...1572... david at ...1572...
Fri Jun 6 05:33:04 EDT 2003

You will have a *much* easier time implementing this in your mailserver rather than using snort.  The kind of blocking you are looking to do is a lot easier when the program doing the blocking has access to all the data it needs to determine whether or not a connection is good.  Depending on the mailserver you are running you should be able to tarpit people making multiple connections, limit consecutive connections to some small number, or create a running list of IP addresses to refuse connections from.  Doing this using snort is only going to give you a painful headache and a bunch of weird mailserver behavior down the line.

-David Powers

> Hey guys,
> I'm fairly new to this list so I apologize if I do something newbieish.
> I've searched dejanews already and have found nothing, so I am here.
> I would like to know if there is a way to use snort to detect SMTP
> address harvesting attempts, and alert on them, and also do TCP resets
> of the SMTP session when it detects a harvesting attempt.
> I think something like this would be VERY valuable to have.
> I'm using Snort 2.0 with MySQL, in conjunction with Demarc PureSecure.
> Thanks in advance!
> Steve Cody
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
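As an added example that is not part of the original post and not the Snort project's own code: the "running list of IP addresses to refuse connections from" approach above, done where the data lives, at the mailserver. It reads mailserver reject lines, counts unknown-recipient rejections per source IP in a sliding window, flags the IPs that look like address harvesting, and computes an escalating tarpit delay. The log format, thresholds, and the IPs in SAMPLE_LOG are constructed for this example; the line shape loosely resembles a Postfix-style reject line but is an assumption, so adjust REJECT_RE to your MTA's actual log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the original post). One host probes
# five addresses in three seconds, one partner host makes a single typo, and
# one host makes two unknown-recipient attempts a minute apart.
SAMPLE_LOG = """\
2003-06-06T05:30:01 reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: User unknown
2003-06-06T05:30:02 reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: User unknown
2003-06-06T05:30:02 reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abe@example.com>: User unknown
2003-06-06T05:30:03 reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <ada@example.com>: User unknown
2003-06-06T05:30:03 reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: User unknown
2003-06-06T05:30:10 accept: RCPT from mail.partner.example[198.51.100.7]: <bob@example.com>
2003-06-06T05:31:00 reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <bobb@example.com>: User unknown
2003-06-06T05:45:00 reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.com>: User unknown
2003-06-06T05:46:00 reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dave@example.com>: User unknown
"""

# Assumed log line shape: "<iso-timestamp> reject: RCPT from <host>[<ip>]: 550 ... User unknown"
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*User unknown$"
)


def parse_rejects(lines):
    """Yield (timestamp, source_ip) for every unknown-recipient rejection.
    Accepted deliveries and other reject reasons are ignored on purpose: a
    harvester is identified by how often it guesses wrong, not by volume."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("ip")


def harvest_suspects(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for source IPs that reach `threshold`
    unknown-recipient rejections inside any `window_seconds` sliding window.
    Lines are assumed to be in time order, as they are in a live log."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    suspects = {}
    for ts, ip in parse_rejects(log_text.splitlines()):
        q = recent[ip]
        q.append(ts)
        # Drop rejections that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            suspects[ip] = max(suspects.get(ip, 0), len(q))
    return suspects


def refuse_list(log_text, **kw):
    """The running refuse list: sorted IPs to deny at connect time."""
    return sorted(harvest_suspects(log_text, **kw))


def tarpit_delay(consecutive_failures, base=2.0, cap=60.0):
    """Seconds to stall before answering the next RCPT from a client that has
    already had `consecutive_failures` unknown recipients in this session.
    Doubling per failure, capped, slows a dictionary run without punishing
    a single typo."""
    if consecutive_failures <= 0:
        return 0.0
    return min(cap, base * 2 ** (consecutive_failures - 1))


if __name__ == "__main__":
    print("refuse:", refuse_list(SAMPLE_LOG))
    for n in (0, 1, 3, 10):
        print(f"tarpit after {n} failures: {tarpit_delay(n):.0f}s")
```

Only 192.0.2.10 lands on the refuse list: five unknown recipients in three seconds. The partner host's one typo and the two slow guesses from 203.0.113.5 stay under the threshold, which is the kind of decision the mailserver can make because it sees the recipient lookup result, while a sniffer only sees packets.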
