Update, upon further review, I "Think" that once another rule has got them blocked, further legitimate traffic shows up as a probe. So it may have worked as advertised. I think both of these offices have a virus that is causing too many undeliverables to themselves, and therefore tripped the other issue, and only then did the "probes" start happening.
On Mon, 22 Nov 2004 16:00:17 -0700, Patrick Burm <[EMAIL PROTECTED]> wrote:
> I don't know how many people saw this thread like me and decided to
> give this black ice thing a try. Working great....thanks Cycle Rider
> for this wonderful undocumented info.
>
> Has anyone else run into small offices connecting via DSL or otherwise
> with lots of users logging in and out legitimately being incorrectly
> identified as TCP_Probe_SMTP and TCP_Probe_POP3?
>
> I had 2 small offices end up getting banned, and from what I can tell
> it was all legitimate traffic.
>
> I have since trusted their IP to get around the problem, but their IP
> addresses are only semi-static, so I will run into this again. Wanted
> to see if Cycle Rider or anyone else knows how to tweak the Probe
> issue to either make it more tolerant, or more accurate.
>
> On Wed, 17 Nov 2004 16:57:44 -0800 (PST), Cycle Rider <[EMAIL PROTECTED]> wrote:
> > Ted said...
> > > We run BlackIce here too but ours lets the dictionary
> > > attacks just happen. Did you alter something
> > > somewhere to make it stop them?
> >
> > Yes, open the issuelist.csv file in Excel. Find the
> > line for "Email_Error" and change what is under the
> > Excel column "D" heading to say "IP|RST"
> >
> > My issuelist.csv file says the following:
> >
> > 2001015 Email_Error 0 IP|RST -1 1
> >
> > Then go into your blackice.ini file and under the
> > [settings] section add these lines:
> >
> > smtp.error.count=3
> > smtp.error.interval=30
> > pam.smtp.error.count=3
> > pam.error.interval=30
> >
> > The count is the number of bad email address attempts.
> >
> > The interval is the number of seconds.
> >
> > If someone tries to send email to us and hits 3
> > non-existent email addresses within 30 seconds it will
> > block their IP. That value is low but we are under
> > constant attack. As I mentioned, we have had over
> > 28,000 IPs blocked within just a couple of weeks. My
> > logs are continually showing these attempts to guess
> > email addresses. BlackIce is our only defense and
> > it is superb!
> >
> > You can control how long their IP remains blocked by
> > going into the firewall.ini file and adding the
> > following lines:
> >
> > [PARMS]
> > auto-blocking = enabled, 0, unknown
> > auto-blocking.timeout = 3600, 9000, unknown
> >
> > The first line enables auto blocking. The second line
> > says to block the IP for 3600 seconds (or 1 hour) then
> > remove the block.
> >
> > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
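The rule Cycle Rider describes (count bad-recipient errors per source IP, block the IP once it hits smtp.error.count within smtp.error.interval seconds, lift the block after auto-blocking.timeout), and the two follow-up observations (a trusted IP is exempt; traffic from an already-blocked IP is dropped, which is how a legitimate office's mail "shows up as a probe") are modelled below as an added example. This is not BlackICE's code and not from the IMail forum; the log line format, the use of the SMTP 550 reply as the "bad address" signal, and the exact window semantics (block on the Nth error inside a sliding window) are assumptions made for the example.

```python
"""Added example: model of an IP auto-block rule driven by SMTP recipient errors.
Not BlackICE code; log format and window semantics are assumptions."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample log: "<epoch seconds> <client ip> <smtp command and reply>".
# 203.0.113.7  : dictionary attack, 4 bad recipients in 4 seconds, then a good one an hour later
# 198.51.100.5 : 3 bad recipients spread over 80 seconds (outside a 30 s window)
# 192.0.2.44   : 3 bad recipients in 2 seconds, but from a trusted office network
SAMPLE_LOG = """\
1101168000 203.0.113.7 RCPT TO:<alice@example.com> 250 OK
1101168001 203.0.113.7 RCPT TO:<zz1@example.com> 550 No such user
1101168002 203.0.113.7 RCPT TO:<zz2@example.com> 550 No such user
1101168003 203.0.113.7 RCPT TO:<zz3@example.com> 550 No such user
1101168004 203.0.113.7 RCPT TO:<zz4@example.com> 550 No such user
1101168010 198.51.100.5 RCPT TO:<bob@example.com> 550 No such user
1101168050 198.51.100.5 RCPT TO:<carol@example.com> 550 No such user
1101168090 198.51.100.5 RCPT TO:<dave@example.com> 550 No such user
1101168100 192.0.2.44 RCPT TO:<old1@example.com> 550 No such user
1101168101 192.0.2.44 RCPT TO:<old2@example.com> 550 No such user
1101168102 192.0.2.44 RCPT TO:<old3@example.com> 550 No such user
1101171700 203.0.113.7 RCPT TO:<alice@example.com> 250 OK
"""

BAD_RECIPIENT_REPLY = " 550 "  # assumption: 550 marks a non-existent address


class AutoBlocker:
    """count errors within interval seconds => block for timeout seconds."""

    def __init__(self, count=3, interval=30, timeout=3600, trusted=()):
        self.count, self.interval, self.timeout = count, interval, timeout
        self.trusted = [ip_network(t) for t in trusted]
        self.errors = defaultdict(deque)  # ip -> timestamps of recent 550s
        self.blocked = {}                 # ip -> epoch at which the block expires

    def is_trusted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def observe(self, ts, ip, rest):
        """Return 'trusted', 'dropped', 'block' (newly blocked) or 'allow'."""
        if self.is_trusted(ip):           # a trusted IP never accumulates errors
            return "trusted"
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if ts < expiry:               # still inside the block window
                return "dropped"          # legitimate or not, it is discarded here
            del self.blocked[ip]          # timeout elapsed, block removed
        if BAD_RECIPIENT_REPLY not in rest:
            return "allow"
        window = self.errors[ip]
        window.append(ts)
        while window and ts - window[0] > self.interval:
            window.popleft()              # forget errors older than the interval
        if len(window) >= self.count:
            self.blocked[ip] = ts + self.timeout
            window.clear()
            return "block"
        return "allow"


def run(log_text, **kw):
    """Replay a log through the blocker; returns (blocker, [(ts, ip, action), ...])."""
    blocker = AutoBlocker(**kw)
    results = []
    for line in log_text.splitlines():
        ts, ip, rest = line.split(" ", 2)
        results.append((int(ts), ip, blocker.observe(int(ts), ip, rest)))
    return blocker, results


if __name__ == "__main__":
    _, decisions = run(SAMPLE_LOG, count=3, interval=30, timeout=3600,
                       trusted=["192.0.2.0/24"])
    for ts, ip, action in decisions:
        print(ts, ip, action)
```

With the thread's values (count 3, interval 30, timeout 3600) the attacker is blocked on its third 550 and its fourth attempt is dropped, the slow sender is never blocked because its errors never fall inside one 30-second window, and the trusted office is exempt. The "dropped" state is where a NAT'd office with many users, or one with a worm generating bounces to itself, becomes indistinguishable from a probe: everything it sends during the timeout is discarded without further inspection, so the tuning knobs for the false-positive case in Patrick's message are a larger count, a shorter interval, or a shorter timeout, rather than anything in the probe signature itself.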
