Snort mailing list archives
Re: SMTP Backscatter
From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 16 Feb 2014 10:25:18 -0500
On 2/16/2014 9:54 AM, Dave Corsello wrote:
> Guys, thanks, but I don't need advice on setting up SMTP--at least not in this situation. Just looking for an answer to the following: Can Snort somehow: 1) detect an outgoing 450 4.1.1 error;
yes, it can easily do this...
> and in response, 2) block all incoming SMTP traffic from the sender IP for a period of time?
i'm not aware of this ever having been done... *I* do it in my active response system but it requires that the system have a way of knowing to reverse the IPs and then for it to reverse them during its processing where in the end it issues iptables rules to block the remote site... a feature is that at some point in the future, the block expires and is removed from iptables... my response system is a perl 'app' that monitors the default snort ALERT file... one can easily code up something similar and create the necessary custom rule(s) for snort to use... if you are interested in more details and doing some coding, you may contact me offlist if you like...
> A 450 4.1.1 error means "recipient address rejected: unverified address: mailbox full or unavailable". In this case, I'm sending out 450 errors because messages are being addressed to random, invalid accounts on my domain. As was suggested, it might be best to just let SMTP continue to handle this. But I view it as an attack of sorts, and
it pretty much is... especially when it might be escalated into a (D)DOS...
> my preference would be to stop it as far out on my perimeter as possible. My apologies in advance if this question exposes ignorance of some Snort basics...
its all good ;)
--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
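The active-response loop described in the reply above, as an added example in Python; it is not waldo kitty's perl app or any code from the thread. It reads Snort "fast" alert lines, reverses source and destination for the watched rule, and returns the iptables commands to add and later expire a block. The Snort rule, SID, block lifetime, never-block networks and sample alerts are all assumptions.

```python
import ipaddress
import re

# Assumed local rule (not from the thread) that would raise the alert:
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"LOCAL SMTP 450 4.1.1 sent"; \
#   flow:established,from_server; content:"450 4.1.1"; depth:9; sid:1000001; rev:1;)
WATCH_SID = 1000001      # hypothetical local SID
BLOCK_SECONDS = 3600     # hypothetical block lifetime
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Snort "fast" alert line: ... [**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] .*\{TCP\} "
                      r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):\d+")

def remote_sender(line):
    """Return the remote IP to block for a watched alert, or None."""
    m = ALERT_RE.search(line)
    if not m or int(m["sid"]) != WATCH_SID or m["sport"] != "25":
        return None
    try:
        # The alert fires on the server's reply, so the remote sender is the
        # destination: this is the reversal of IPs described in the message.
        ip = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return None if any(ip in net for net in NEVER_BLOCK) else str(ip)

def rule(action, ip):
    """iptables argv (for subprocess.run) that adds (-I) or removes (-D) a block."""
    return ["iptables", action, "INPUT", "-s", ip, "-p", "tcp", "--dport", "25", "-j", "DROP"]

class Blocker:
    def __init__(self):
        self.expiry = {}  # ip -> time at which the block is lifted

    def handle(self, line, now):
        """Process one alert line at time `now`; return the iptables commands due."""
        expired = [ip for ip, t in self.expiry.items() if t <= now]
        cmds = [rule("-D", ip) for ip in expired]
        for ip in expired:
            del self.expiry[ip]
        ip = remote_sender(line)
        if ip:
            if ip not in self.expiry:      # repeat alerts only extend the timer
                cmds.append(rule("-I", ip))
            self.expiry[ip] = now + BLOCK_SECONDS
        return cmds

# Constructed sample alerts (documentation address ranges), not real traffic.
SAMPLE = [
    "02/16-10:25:18.000001  [**] [1:1000001:1] LOCAL SMTP 450 4.1.1 sent [**] [Priority: 3] {TCP} 192.0.2.25:25 -> 203.0.113.7:51234",
    "02/16-10:25:19.000001  [**] [1:2000002:1] OTHER [**] [Priority: 3] {TCP} 198.51.100.9:4444 -> 192.0.2.25:25",
]
```

The never-block list keeps the mail server's own network and loopback out of iptables if an alert is malformed or the rule is misapplied.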