Patrick,

The TCP probes won't cause an IP to be blocked. BlackICE will confuse you by showing the IP blocked, and it LOOKS like it was from the probes, but that isn't the case. They would have to have triggered some other event, like the bad email address event, to trigger a block. TCP probe reporting is informational only - no block will happen from it regardless of count.

Interestingly, the ev1.net (everyone net) servers were probing my servers hundreds of times throughout the day. I'm talking about seeing probe counts of 600 - 700 times within an hour.

I'd block one IP that was scanning me, via our firewall, and another IP from ev1.net would start right up. Finally, I ended up blocking all of their IPs. I don't know what they have going on, but they either have compromised servers or play host to some unsavory folks.

The other item that I believe (and I'm not certain on this) may trigger an "IP PROBE" warning in BlackICE is when an email server is verifying the sender. In IMail there is a setting that tells the server to verify that the sender has an account on their sending server. I believe this is done via a secondary TCP connection back to the sending server. I think what we're seeing in BlackICE is the recipient server, that we are sending to, verifying that the user account resides on our server. So I believe TCP probe counts of 5 - 10 from a particular domain are normal. But when you see a few hundred, those are actually scans.

Also, there is software available that can be used to verify email accounts on servers. I think they make an SMTP connection, and as soon as they get a valid or invalid recipient the connection is dropped or a new one initiated for another mail account. Companies sell this software for verifying good addresses on your email list. I think this may be the source of some of the blank emails people complain about. Anyone have any thoughts on this, or am I way off the mark? It may show up as probes, too. I don't know.
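A defender-side illustration of the distinction the post above draws (a few callback-verification connections vs. hundreds of address probes vs. a busy but legitimate office), added here as an example and not part of the original thread nor IMail or BlackICE code: it reads constructed SMTP-style log records and rates each source per hour by how many of its connections actually went on to deliver mail. The record format, the thresholds and the sample sources are assumptions.

```python
from collections import defaultdict

# Rule of thumb from the post above: a handful of short connections per source
# per hour looks like callback verification; a few hundred looks like a scan.
CALLBACK_MAX = 10   # assumed threshold, per source per hour
SCAN_MIN = 200      # assumed threshold, per source per hour

def parse(lines):
    """Group 'hour ip event [arg]' records (a constructed format, not a real
    IMail or BlackICE log) into per-(ip, hour) sessions. A session starts at
    CONNECT and becomes True if DATA followed, i.e. mail was really sent."""
    sessions = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        hour, ip, event = parts[:3]
        if event == "CONNECT":
            sessions[(ip, hour)].append(False)
        elif event == "DATA" and sessions[(ip, hour)]:
            sessions[(ip, hour)][-1] = True
    return sessions

def classify(sessions):
    """Rate each (ip, hour) by how many of its sessions stopped before DATA."""
    verdicts = {}
    for key, sess in sessions.items():
        delivered = sum(sess)
        probes = len(sess) - delivered
        if delivered >= probes:
            verdicts[key] = "legitimate"             # mail flows: busy office, not a scan
        elif probes >= SCAN_MIN:
            verdicts[key] = "scan"                   # bulk RCPT-then-drop: address probing
        elif probes <= CALLBACK_MAX:
            verdicts[key] = "callback-verification"  # a few RCPT-then-drop: sender check
        else:
            verdicts[key] = "review"
    return verdicts

def make_sample():
    """Constructed sample traffic using documentation addresses, not real hosts."""
    lines = []
    for i in range(6):    # remote server verifying a few of our senders
        lines += ["09 203.0.113.10 CONNECT", f"09 203.0.113.10 RCPT u{i}@example.net", "09 203.0.113.10 DROP"]
    for i in range(300):  # harvester: hundreds of RCPT checks, never DATA
        lines += ["09 198.51.100.7 CONNECT", f"09 198.51.100.7 RCPT u{i}@example.net", "09 198.51.100.7 DROP"]
    for i in range(40):   # small office on DSL: many sessions, all deliver mail
        lines += ["09 192.0.2.20 CONNECT", f"09 192.0.2.20 RCPT u{i}@example.net", "09 192.0.2.20 DATA"]
    return lines
```

Running `classify(parse(make_sample()))` rates the three constructed sources as callback-verification, scan and legitimate respectively; the "legitimate" rule is what keeps a busy office with real deliveries from being treated as a probe source.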




===============================
----- Original Message ----- 
From: "Patrick Burm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 22, 2004 6:00 PM
Subject: Re: [IMail Forum] Dictionary attacks and TCP Probes?


I don't know how many people saw this thread like me and decided to give this BlackICE thing a try. Working great... thanks Cycle Rider for this wonderful undocumented info.

Has anyone else run into small offices connecting via DSL or otherwise, with lots of users logging in and out legitimately, being incorrectly identified as TCP_Probe_SMTP and TCP_Probe_POP3?

I had 2 small offices end up getting banned, and from what I can tell it was all legitimate traffic.

I have since trusted their IP to get around the problem, but their IP addresses are only semi-static, so I will run into this again. Wanted to see if Cycle Rider or anyone else knows how to tweak the Probe issue to either make it more tolerant, or more accurate.


                
__________________________________ 
Do you Yahoo!? 
Meet the all-new My Yahoo! - Try it today! 
http://my.yahoo.com 
 


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/