Snort mailing list archives

Re: SMTP Backscatter


From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 16 Feb 2014 10:25:18 -0500

On 2/16/2014 9:54 AM, Dave Corsello wrote:
> Guys, thanks, but I don't need advice on setting up SMTP--at least not
> in this situation.  Just looking for an answer to the following:  Can
> Snort somehow: 1) detect an outgoing 450 4.1.1 error;

yes, it can easily do this...

> and in response, 2) block all incoming SMTP traffic from the sender IP for a
> period of time?

i'm not aware of this ever having been done... *I* do it in my active response 
system but it requires that the system have a way of knowing to reverse the IPs 
and then for it to reverse them during its processing where in the end it issues 
iptables rules to block the remote site... a feature is that at some point in 
the future, the block expires and is removed from iptables...

my response system is a perl 'app' that monitors the default snort ALERT file... 
one can easily code up something similar and create the necessary custom rule(s) 
for snort to use... if you are interested in more details and doing some coding, 
you may contact me offlist if you like...

> A 450 4.1.1 error means "recipient address rejected: unverified
> address: mailbox full or unavailable".  In this case, I'm sending out
> 450 errors because messages are being addressed to random, invalid
> accounts on my domain.  As was suggested, it might be best to just let
> SMTP continue to handle this.  But I view it as an attack of sorts, and

it pretty much is... especially when it might be escalated into a (D)DOS...

> my preference would be to stop it as far out on my perimeter as
> possible.  My apologies in advance if this question exposes ignorance of
> some Snort basics...

it's all good ;)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
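The approach waldo describes above (a custom rule that fires on the MTA's own outbound "450 4.1.1" response, a watcher that reads the alert file, reverses the address pair so the remote sender is the one blocked, and emits time-limited iptables rules) as an added example; this is not waldo's perl app nor anything shipped with Snort. The rule text, the SID 1000001, the 30-minute window and the sample alert lines are all assumptions constructed for the example; the Snort "fast" alert format being parsed is the real one.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumed local rule (local SIDs start at 1000000). It matches the server's own
# outbound reply, so in the alert src is our MTA and dst is the remote sender.
SNORT_RULE = ('alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any '
              '(msg:"SMTP 450 4.1.1 recipient rejected"; flow:to_client,established; '
              'content:"450 4.1.1"; sid:1000001; rev:1;)')
WATCH_SID = 1000001
BLOCK_FOR = timedelta(minutes=30)          # assumed expiry window

# Snort fast-alert line: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(r'^\S+\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]'
                      r'.*?\{(\w+)\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+')

# Constructed sample alert lines (documentation addresses, not real hosts).
SAMPLE_ALERTS = [
    '02/16-10:25:18.123456  [**] [1:1000001:1] SMTP 450 4.1.1 recipient rejected '
    '[**] [Priority: 3] {TCP} 192.0.2.25:25 -> 198.51.100.7:43210',
    '02/16-10:25:19.000000  [**] [1:2000:1] unrelated alert [**] [Priority: 3] '
    '{TCP} 192.0.2.25:25 -> 203.0.113.9:1234',
]

def offender_from_alert(line):
    """Return the remote sender IP for our rule's alerts, else None.
    The pair is reversed on purpose: the alert's *destination* is the remote."""
    m = ALERT_RE.match(line)
    if not m or int(m.group(2)) != WATCH_SID:
        return None
    remote = m.group(7)
    return str(ip_address(remote))       # ValueError on garbage: never build a rule from it

def iptables_cmd(action, ip):
    """argv for adding (-I) or removing (-D) the block; run it with subprocess.run."""
    return ['iptables', action, 'INPUT', '-s', ip, '-p', 'tcp', '--dport', '25', '-j', 'DROP']

class Blocklist:
    def __init__(self):
        self.expires = {}                # ip -> datetime when the block lapses

    def process(self, lines, now):
        """Feed alert lines; return the iptables argv lists to run at time `now`."""
        cmds = []
        for ip in filter(None, map(offender_from_alert, lines)):
            if ip not in self.expires:   # only one rule per offender
                cmds.append(iptables_cmd('-I', ip))
            self.expires[ip] = now + BLOCK_FOR   # repeat offenders get the window extended
        for ip in [ip for ip, t in self.expires.items() if t <= now]:
            del self.expires[ip]
            cmds.append(iptables_cmd('-D', ip))
        return cmds
```

A real watcher would tail the alert file and call `process()` periodically so expired blocks are removed even when no new alerts arrive.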

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net