[Snort-users] SMTP Backscatter
snort-users at ...15598...
Fri Feb 14 14:29:19 EST 2014
I've been getting a lot of SMTP backscatter over the past few weeks.
I'm looking for a way to use Snort to stop as much of this traffic as
possible before it hits my mail server. I was achieving this by
manually harvesting IP addresses from my maillog and feeding them into
Snort's reputation preprocessor. But I wonder if somehow Snort
filtering or some other feature can provide an automated way to block
offending traffic. Can Snort somehow: 1) detect an outgoing 450 4.1.1
error; and in response, 2) block all incoming SMTP traffic from the
sender IP for a period of time? I think Snortsam was capable of doing
this by tracking events by IP and acting in conjunction with a
firewall. Is it possible to get a similar effect with standard Snort
features? I think the answer is "no", but I wanted to confirm this.
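One way to automate the manual step described in the post (harvesting offending IPs from the maillog and feeding them to the reputation preprocessor) with a time-limited block. This is an added example, not code from the original post or from the Snort project. It assumes a Postfix-style smtpd reject line in the maillog; the regular expression, the 24-hour window, the hit threshold and the sample log lines are all assumptions or constructed for the example. Rerunning it on a schedule regenerates the list, so an address drops off once its last 450 4.1.1 rejection is older than the window, which is the "block for a period of time" the question asks for.

```python
"""Harvest client IPs that received a 450 4.1.1 rejection from a maillog and
write a blacklist for Snort's reputation preprocessor, expiring entries
after a block window.  Assumed Postfix-style log format; constructed sample."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed Postfix-style smtpd reject line (syslog timestamp, no year).
# Adjust to the MTA actually in use; the hostname and pid are not checked.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"450 4\.1\.1 "
)

# Never blacklist our own relays: loopback, link-local and RFC 1918 space.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(addr):
    ip = ip_address(addr)
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or any(ip in net for net in LOCAL_NETS))


def parse_reject_line(line, year):
    """Return (timestamp, client_ip) for a 450 4.1.1 reject line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip")


def build_blacklist(lines, now, year, window, threshold=1):
    """Addresses with at least `threshold` rejections inside the last `window`.

    Entries older than the window are ignored, so a regenerated list
    automatically expires hosts that have stopped sending backscatter."""
    cutoff = now - window
    hits = {}
    for line in lines:
        parsed = parse_reject_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ts < cutoff or ts > now or is_local(ip):
            continue
        hits[ip] = hits.get(ip, 0) + 1
    chosen = [ip for ip, n in hits.items() if n >= threshold]
    # Sort IPv4 before IPv6; mixed versions cannot be compared directly.
    return sorted(chosen, key=lambda a: (ip_address(a).version, ip_address(a)))


def render_blacklist(ips, now, window):
    """Reputation preprocessor list file: one address per line, # comments."""
    header = [
        f"# 450 4.1.1 backscatter sources seen since {now - window:%Y-%m-%d %H:%M:%S}",
        f"# regenerated {now:%Y-%m-%d %H:%M:%S}; rerun to expire old entries",
    ]
    return "\n".join(header + ips) + "\n"


# Constructed sample maillog.  10.0.0.5 is an internal relay and the Feb 13
# entry is older than the 24 h window, so neither should be listed.
SAMPLE_LOG = """\
Feb 14 10:01:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <nobody@example.net>: Recipient address rejected: unverified address; from=<> to=<nobody@example.net> proto=ESMTP helo=<mail.example.com>
Feb 14 10:01:05 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.1 <ghost@example.net>: Recipient address rejected: unverified address; from=<> to=<ghost@example.net> proto=ESMTP helo=<mail.example.com>
Feb 14 10:03:44 mx1 postfix/smtpd[2144]: NOQUEUE: reject: RCPT from relay.example.org[198.51.100.7]: 450 4.1.1 <x@example.net>: Recipient address rejected: unverified address; from=<> to=<x@example.net> proto=ESMTP helo=<relay.example.org>
Feb 14 12:30:00 mx1 postfix/smtpd[2200]: NOQUEUE: reject: RCPT from gw[10.0.0.5]: 450 4.1.1 <y@example.net>: Recipient address rejected: unverified address; from=<> to=<y@example.net> proto=ESMTP helo=<gw>
Feb 14 12:31:00 mx1 postfix/smtpd[2201]: 5F3A2B: client=mail.example.com[203.0.113.9]
Feb 13 01:00:00 mx1 postfix/smtpd[1900]: NOQUEUE: reject: RCPT from old[203.0.113.50]: 450 4.1.1 <z@example.net>: Recipient address rejected: unverified address; from=<> to=<z@example.net> proto=ESMTP helo=<old>
"""

NOW = datetime(2014, 2, 14, 14, 29, 19)   # assumed "current time" for the sample
WINDOW = timedelta(hours=24)              # assumed block period


def demo():
    """Run the harvest over the constructed sample."""
    return build_blacklist(SAMPLE_LOG.splitlines(), NOW, 2014, WINDOW)


if __name__ == "__main__":
    # In production: read the real maillog, use datetime.now() and the
    # current year, and write the result to the file named in the
    # "preprocessor reputation: ... blacklist <file>" line of snort.conf.
    print(render_blacklist(demo(), NOW, WINDOW), end="")
```

The output file is the plain one-address-per-line list the reputation preprocessor reads; Snort has to be reloaded to pick up a regenerated list, and it only drops blacklisted traffic when running inline (in passive mode it alerts). Raise `threshold` above 1 if a single 450 4.1.1 from a legitimate relay should not be enough to blacklist it.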