I don't know how many people saw this thread like me and decided to give this black ice thing a try. Working great....thanks Cycle Rider for this wonderful undocumented info.
Has anyone else run into small offices connecting via DSL or otherwise, with lots of users logging in and out legitimately, being incorrectly identified as TCP_Probe_SMTP and TCP_Probe_POP3? I had 2 small offices end up getting banned, and from what I can tell it was all legitimate traffic. I have since trusted their IP to get around the problem, but their IP addresses are only semi-static, so I will run into this again. Wanted to see if Cycle Rider or anyone else knows how to tweak the Probe issue to either make it more tolerant, or more accurate.

On Wed, 17 Nov 2004 16:57:44 -0800 (PST), Cycle Rider <[EMAIL PROTECTED]> wrote:
>
> Ted said...
> >We run BlackIce here too but ours lets the dictionary
> >attacks just happen. Did you alter something
> >somewhere to make it stop them?
>
> Yes, open the issuelist.csv file in Excel. Find the
> line for "Email_Error" and change what is under the
> Excel column "D" heading to say "IP|RST"
>
> My issuelist.csv file says the following:
>
> 2001015 Email_Error 0 IP|RST -1 1
>
> Then go into your blackice.ini file and under the
> [settings] section add these lines:
>
> smtp.error.count=3
> smtp.error.interval=30
> pam.smtp.error.count=3
> pam.error.interval=30
>
> The count is the number of bad email address attempts.
>
> The interval is the number of seconds.
>
> If someone tries to send email to us and hits 3
> non-existent email addresses within 30 seconds it will
> block their IP. That value is low but we are under
> constant attack. As I mentioned, we have had over
> 28,000 IPs blocked within just a couple of weeks. My
> logs are continually showing these attempts to guess
> email addresses. Blackice is our only defense and
> it is superb!
>
> You can control how long their IP remains blocked by
> going into the firewall.ini file and adding the
> following lines:
>
> [PARMS]
> auto-blocking = enabled, 0, unknown
> auto-blocking.timeout = 3600, 9000, unknown
>
> The first line enables auto blocking. The second line
> says to block the IP for 3600 seconds (or 1 hour) then
> remove the block.
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
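
The count-within-interval rule and block timeout from the quoted message, modelled as an added example (not part of the thread and not BlackICE's code; the sliding-window semantics, the function names and the sample addresses are assumptions). It shows a shared office IP reaching the same threshold as an address-guessing source, and what raising the count changes.

```python
from collections import defaultdict, deque

def simulate(events, count=3, interval=30, block_timeout=3600):
    """Model of the thresholds in the quoted message (assumed semantics).

    events: (timestamp_seconds, source_ip) pairs, one per rejected recipient,
    in time order. Returns a list of (ip, blocked_at, unblocked_at).
    """
    recent = defaultdict(deque)   # ip -> timestamps of errors inside the window
    blocked_until = {}            # ip -> time at which the block expires
    blocks = []
    for ts, ip in events:
        if blocked_until.get(ip, 0) > ts:
            continue              # IP is blocked, so no new errors are counted
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > interval:
            window.popleft()      # forget errors older than the interval
        if len(window) >= count:
            blocked_until[ip] = ts + block_timeout
            blocks.append((ip, ts, ts + block_timeout))
            window.clear()
    return blocks

# Constructed sample data (RFC 5737 documentation addresses).
ATTACKER = "203.0.113.7"     # guesses one address per second
OFFICE = "198.51.100.20"     # several users behind one NAT'd DSL line
events = sorted(
    [(t, ATTACKER) for t in range(0, 10)]
    + [(100, OFFICE), (112, OFFICE), (125, OFFICE)]   # three users, one typo each
    + [(4000, ATTACKER)]                              # returns after the block expired
)

def blocked_ips(**thresholds):
    """Distinct IPs that were blocked at least once under the given thresholds."""
    return sorted({ip for ip, _, _ in simulate(events, **thresholds)})

if __name__ == "__main__":
    for c in (3, 5):
        print(f"count={c}:", simulate(events, count=c))
```

With these constructed events, count=3 blocks both addresses, while count=5 still blocks the guessing source two seconds later and leaves the office alone.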
