[Snort-users] SMTP Backscatter

Dave Corsello snort-users at ...15598...
Sun Feb 16 09:54:51 EST 2014

Guys, thanks, but I don't need advice on setting up SMTP--at least not
in this situation.  Just looking for an answer to the following:  Can
Snort somehow: 1) detect an outgoing 450 4.1.1 error; and in response,
2) block all incoming SMTP traffic from the sender IP for a period of
time?  A 450 4.1.1 error means "recipient address rejected: unverified
address: mailbox full or unavailable".  In this case, I'm sending out
450 errors because messages are being addressed to random, invalid
accounts on my domain.  As was suggested, it might be best to just let
SMTP continue to handle this.  But I view it as an attack of sorts, and
my preference would be to stop it as far out on my perimeter as
possible.  My apologies in advance if this question exposes ignorance of
some Snort basics...
