[Snort-users] SMTP Backscatter

waldo kitty wkitty42 at ...14940...
Sun Feb 16 10:25:18 EST 2014

On 2/16/2014 9:54 AM, Dave Corsello wrote:
> Guys, thanks, but I don't need advice on setting up SMTP--at least not
> in this situation.  Just looking for an answer to the following:  Can
> Snort somehow: 1) detect an outgoing 450 4.1.1 error;

yes, it can easily do this...

> and in response, 2) block all incoming SMTP traffic from the sender IP for a
> period of time?

i'm not aware of this ever having been done... *I* do it in my active response 
system but it requires that the system have a way of knowing to reverse the IPs 
and then for it to reverse them during its processing where in the end it issues 
iptables rules to block the remote site... a feature is that at some point in 
the future, the block expires and is removed from iptables...

my response system is a perl 'app' that monitors the default snort ALERT file... 
one can easily code up something similar and create the necessary custom rule(s) 
for snort to use... if you are interested in more details and doing some coding, 
you may contact me offlist if you like...

> A 450 4.1.1 error means "recipient address rejected: unverified
> address: mailbox full or unavailable".  In this case, I'm sending out
> 450 errors because messages are being addressed to random, invalid
> accounts on my domain.  As was suggested, it might be best to just let
> SMTP continue to handle this.  But I view it as an attack of sorts, and

it pretty much is... especially when it might be escalated into a (D)DOS...

> my preference would be to stop it as far out on my perimeter as
> possible.  My apologies in advance if this question exposes ignorance of
> some Snort basics...

it's all good ;)

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
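The two pieces waldo describes above (a custom Snort rule that fires on our own outgoing "450 4.1.1" reply, and a watcher that tails the alert file, reverses the packet direction to find the remote sender, and issues iptables blocks that later expire) can be sketched as follows. This is an added example written for this thread, not waldo's Perl app and not code from the Snort project. It assumes a Snort 2 rule with a SID in the local range (1000001 is chosen here), that Snort writes `alert_fast`-format lines, that the watcher runs on the same host with permission to call `iptables`, and that blocking only destination port 25 is the intended scope. The sample alert lines are constructed, and `demo()` runs in dry-run mode, collecting the commands instead of executing them.

```python
import re
import time
from typing import Callable, Dict, Iterator, List, Optional

# Custom Snort 2 rule (assumed; SID chosen from the local 1000000+ range) that
# fires when one of OUR SMTP servers answers an external client with "450 4.1.1".
SMTP_450_RULE = (
    'alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any '
    '(msg:"SMTP 450 4.1.1 unverified recipient"; flow:established,from_server; '
    'content:"450 4.1.1"; sid:1000001; rev:1; classtype:misc-activity;)'
)
WATCHED_SID = 1000001

# Snort alert_fast line layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_LINE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)

Command = List[str]


def iptables_rule(ip: str, action: str) -> Command:
    """Build the iptables command that adds (-I) or deletes (-D) a port-25 DROP for one IP."""
    return ['iptables', action, 'INPUT', '-p', 'tcp', '--dport', '25', '-s', ip, '-j', 'DROP']


class BlockList:
    """Tracks temporary blocks and emits iptables commands through a caller-supplied runner."""

    def __init__(self, ttl_seconds: float, run: Callable[[Command], None],
                 now: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.run = run          # live use: lambda cmd: subprocess.run(cmd, check=True)
        self.now = now          # injectable clock so the expiry logic can be tested
        self.blocked: Dict[str, float] = {}   # ip -> expiry timestamp

    def handle_alert(self, line: str) -> Optional[str]:
        """Process one alert line; returns the blocked IP, or None if the line is not our SID."""
        m = FAST_LINE.match(line.strip())
        if not m or int(m.group('sid')) != WATCHED_SID:
            return None
        # The rule matches our server's OUTGOING reply, so the remote sender is the
        # packet's destination: reverse the direction before deciding whom to block.
        remote = m.group('dst')
        already = remote in self.blocked
        self.blocked[remote] = self.now() + self.ttl   # (re)arm the expiry on every hit
        if not already:
            self.run(iptables_rule(remote, '-I'))
        return remote

    def expire(self) -> List[str]:
        """Lift blocks whose TTL has elapsed; returns the IPs released."""
        now = self.now()
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            self.run(iptables_rule(ip, '-D'))
            del self.blocked[ip]
        return released


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to the alert file, tail -f style."""
    with open(path, 'r') as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample alert lines (not real traffic): the first is our rule firing,
# the second is an unrelated SID that must be ignored.
SAMPLE_ALERTS = [
    '02/16-10:25:18.123456  [**] [1:1000001:1] SMTP 450 4.1.1 unverified recipient [**] '
    '[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:25 -> 203.0.113.5:45678',
    '02/16-10:25:19.000001  [**] [1:2000000:1] some other alert [**] '
    '[Priority: 3] {TCP} 198.51.100.7:4444 -> 192.0.2.10:25',
]


def demo(ttl: float = 60.0) -> List[Command]:
    """Dry run: feed the samples through a block list with a fake clock and return the commands."""
    clock = [1000.0]
    commands: List[Command] = []
    bl = BlockList(ttl, commands.append, now=lambda: clock[0])
    for line in SAMPLE_ALERTS:
        bl.handle_alert(line)
    clock[0] += ttl + 1            # advance past the TTL so the block is lifted
    bl.expire()
    return commands


if __name__ == '__main__':
    for cmd in demo():
        print(' '.join(cmd))
    # Live use (as root): loop over follow('/var/log/snort/alert'), calling
    # bl.handle_alert(line) and bl.expire() on each iteration.
```

Restricting the DROP to `--dport 25` keeps the collateral damage to inbound mail from that address only, and re-arming the expiry on every repeat hit means a sender that keeps probing stays blocked until it goes quiet for a full TTL; a persistent blocklist (the dictionary is lost on restart) and an allowlist for your own relays are the obvious next steps before running this for real.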
