[Snort-users] SMTP Backscatter

Jeff Kell jeff-kell at ...6282...
Sun Feb 16 10:40:17 EST 2014


On 2/16/2014 10:25 AM, waldo kitty wrote:
> On 2/16/2014 9:54 AM, Dave Corsello wrote:
>> Guys, thanks, but I don't need advice on setting up SMTP--at least not
>> in this situation.  Just looking for an answer to the following:  Can
>> Snort somehow: 1) detect an outgoing 450 4.1.1 error;
> yes, it can easily do this...
>
>> and in response, 2) block all incoming SMTP traffic from the sender IP for a
>> period of time?
> I'm not aware of this ever having been done...

It may have been possible with certain incantations of Snortsam, which
could block *specific* traffic for certain output plugin modules.

Current Snortsam functionality, with plugin support in barnyard2 (no
more snort source patching) can be used to block the source IP
(unilaterally).  So you would block the attacking IP across the board of
protocols/destinations.  We do this on our inbound SMTP (to detect
spamming / farming) as well as outbound (compromised hosts used to send
spam).

Jeff
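The detect-then-block behaviour Dave asks about (an outbound "450 4.1.1" reply, then a timed block of the sending IP) modelled as an added Python example; this is not code from the thread, from Snort or from Snortsam. It runs the decision logic over constructed sample replies with RFC 5737 documentation addresses, uses a hypothetical hit threshold and block window (Snortsam's own rule options are not reproduced here), and only records the decision rather than touching a firewall:

```python
import re
from collections import defaultdict

# Matches an SMTP server reply "450 4.1.1 ..." (temporary failure,
# enhanced status 4.1.1 = bad destination mailbox address).
UNKNOWN_USER_RE = re.compile(r"^450 4\.1\.1(\s|$)")

# Constructed sample: (seconds since start, client IP, server reply line).
# These are documentation addresses, not captured traffic.
SAMPLE_REPLIES = [
    (0.0, "203.0.113.7", "250 2.1.0 Ok"),
    (1.0, "198.51.100.23",
     "450 4.1.1 <nobody@example.net>: Recipient address rejected: User unknown"),
    (2.0, "198.51.100.23",
     "450 4.1.1 <nobody2@example.net>: Recipient address rejected: User unknown"),
    (3.0, "203.0.113.7",
     "450 4.1.1 <typo@example.net>: Recipient address rejected: User unknown"),
    (4.0, "203.0.113.7", "250 2.1.5 Ok"),
]


class TemporaryBlocklist:
    """Count 450 4.1.1 replies per client IP inside a sliding window and
    block the IP for block_seconds once the count reaches threshold.
    The threshold (hypothetical policy) keeps a single mistyped address
    from blocking a legitimate sender."""

    def __init__(self, block_seconds=600, threshold=2, window_seconds=60):
        self.block_seconds = block_seconds
        self.threshold = threshold
        self.window_seconds = window_seconds
        self._hits = defaultdict(list)  # ip -> timestamps of recent 450 4.1.1 replies
        self._blocked_until = {}        # ip -> time at which the block expires

    def is_blocked(self, now, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]  # block has expired
            return False
        return True

    def observe(self, now, ip, reply):
        """Feed one server reply. Returns True when it triggers a new block."""
        if not UNKNOWN_USER_RE.match(reply):
            return False
        if self.is_blocked(now, ip):
            return False
        # Keep only hits still inside the window, then add this one.
        hits = [t for t in self._hits[ip] if now - t <= self.window_seconds]
        hits.append(now)
        self._hits[ip] = hits
        if len(hits) >= self.threshold:
            self._blocked_until[ip] = now + self.block_seconds
            self._hits[ip] = []
            return True
        return False


def run_sample(block_seconds=600, threshold=2):
    """Replay SAMPLE_REPLIES; returns the blocklist and the (time, ip) block events."""
    bl = TemporaryBlocklist(block_seconds=block_seconds, threshold=threshold)
    events = []
    for ts, ip, reply in SAMPLE_REPLIES:
        if bl.observe(ts, ip, reply):
            events.append((ts, ip))
    return bl, events


if __name__ == "__main__":
    blocklist, block_events = run_sample()
    for ts, ip in block_events:
        print(f"t={ts:.0f}s block {ip} for {blocklist.block_seconds}s")
```

With the sample above only 198.51.100.23 reaches the threshold; 203.0.113.7 produces one 450 4.1.1 reply and is left alone, and the block on 198.51.100.23 lapses on its own once the window has passed, which is the "for a period of time" part of the original question.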