[Snort-users] SMTP Backscatter

Dave Corsello snort-users at ...15598...
Fri Feb 14 14:29:19 EST 2014


I've been getting a lot of SMTP backscatter over the past few weeks. 
I'm looking for a way to use Snort to stop as much of this traffic as
possible before it hits my mail server.  I was achieving this by
manually harvesting IP addresses from my maillog and feeding them into
Snort's reputation preprocessor.  But I wonder if somehow Snort
filtering or some other feature can provide an automated way to block
offending traffic.  Can Snort somehow: 1) detect an outgoing 450 4.1.1
error; and in response, 2) block all incoming SMTP traffic from the
sender IP for a period of time?  I think Snortsam was capable of doing
this by tracking events by IP and acting in conjunction with a
firewall.  Is it possible to get a similar effect with standard Snort
features?  I think the answer is "no", but I wanted to confirm this.
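Automating the manual step the post describes (harvesting rejected-sender IPs from the maillog and feeding them to the reputation preprocessor), as an added example that is not part of the original post or of Snort itself: the script assumes Postfix-style `smtpd` log lines (the samples below are constructed), a fixed `NOW` for the rolling window, and emits the plain one-address-per-line list format that the reputation preprocessor's `blacklist` option reads. The threshold and window values are arbitrary choices, not Snort defaults.

```python
"""Turn 450 4.1.1 rejections in a mail log into a Snort reputation blacklist.

Added example (not from the original post). Assumes Postfix smtpd log lines;
other MTAs need a different REJECT_RE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix NOQUEUE rejection carrying a 450 4.1.1 (unverified recipient) status.
# Captures the syslog timestamp and the connecting client's IPv4 address.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"450 4\.1\.1 "
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Feb 14 13:02:11 mx postfix/smtpd[4821]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.1 <nobody@example.net>: Recipient address rejected: unverified address; from=<> to=<nobody@example.net> proto=ESMTP helo=<bounce.example.org>
Feb 14 13:05:40 mx postfix/smtpd[4821]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.1 <ghost@example.net>: Recipient address rejected: unverified address; from=<> to=<ghost@example.net> proto=ESMTP helo=<bounce.example.org>
Feb 14 13:09:02 mx postfix/smtpd[4830]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.1 <none@example.net>: Recipient address rejected: unverified address; from=<> to=<none@example.net> proto=ESMTP helo=<bounce.example.org>
Feb 14 13:20:19 mx postfix/smtpd[4833]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 450 4.1.1 <old@example.net>: Recipient address rejected: unverified address; from=<> to=<old@example.net> proto=ESMTP helo=<mail.example.com>
Feb  1 09:15:00 mx postfix/smtpd[1102]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.1.1 <x@example.net>: Recipient address rejected: unverified address; from=<> to=<x@example.net> proto=ESMTP helo=<z>
Feb  1 09:16:00 mx postfix/smtpd[1102]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.1.1 <y@example.net>: Recipient address rejected: unverified address; from=<> to=<y@example.net> proto=ESMTP helo=<z>
Feb 14 13:30:00 mx postfix/smtpd[4840]: 3A1B2C: client=relay.example.com[198.51.100.20]
"""

# Constructed "current time" so the example is deterministic; use datetime.now()
# in a real cron job.
NOW = datetime(2014, 2, 14, 15, 0, 0)


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def harvest(lines, now, window=timedelta(hours=24), threshold=2):
    """Return {ip: rejection_count} for IPs with >= threshold 450 4.1.1
    rejections inside the trailing window. The window is what gives the
    'block for a period of time' effect: once an IP's rejections age out of
    the window, it drops off the regenerated list."""
    hits = defaultdict(list)
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        seen = parse_ts(m.group("ts"), now.year)
        if now - seen <= window:
            hits[m.group("ip")].append(seen)
    return {ip: len(ts) for ip, ts in hits.items() if len(ts) >= threshold}


def render_blacklist(offenders, now):
    """Reputation preprocessor list format: one IP or CIDR per line,
    comment lines start with '#'."""
    out = [f"# backscatter sources, generated {now:%Y-%m-%d %H:%M} from 450 4.1.1 rejections"]
    for ip, n in sorted(offenders.items()):
        out.append(f"# {n} rejections in window")
        out.append(f"{ip}/32")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Stand-alone run: print the list that would be written to the blacklist file.
    print(render_blacklist(harvest(SAMPLE_LOG.splitlines(), NOW), NOW), end="")
```

Run it from cron against the live maillog, write the output to the file named in the preprocessor's `blacklist` option, and reload Snort; because each run recomputes the list from the rolling window, an address that stops triggering rejections ages out automatically. Keep the threshold above 1 so a single legitimate sender that tripped recipient verification once is not blocked.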


