Cycle Rider, This has worked out pretty awesome until we had a client making a legitimate mistake where he did a reply to an email where someone had put a name rather than an email address. After trying 3 times in rapid succession he was blocked for 24 hours.
My question would be what to tweak in order to change the 24 hours to only one hour? I feel that this would make dictionary attacks not worthwhile while not inadvertently blocking a client for a long time. I am hesitant to just experiment or fiddle with it trying to produce the proper result since it's live with all of our clients on it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cycle Rider
Sent: Wednesday, November 17, 2004 4:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] Dictionary attacks and TCP Probes?

> Ted said...
> We run BlackIce here too but ours lets the dictionary attacks just happen. Did you alter something somewhere to make it stop them?

Yes, open the issuelist.csv file in Excel. Find the line for "Email_Error" and change what is under the Excel column "D" heading to say "IP|RST".

My issuelist.csv file says the following:

    2001015 Email_Error 0 IP|RST -1 1

Then go into your blackice.ini file and under the [settings] section add these lines:

    smtp.error.count=3
    smtp.error.interval=30
    pam.smtp.error.count=3
    pam.error.interval=30

The count is the number of bad email address attempts. The interval is the number of seconds. If someone tries to send email to us and hits 3 non-existent email addresses within 30 seconds it will block their IP. That value is low but we are under constant attack. As I mentioned, we have had over 28,000 IPs blocked within just a couple of weeks. My logs are continually showing these attempts to guess email addresses. Blackice is our only defense and it is superb!

You can control how long their IP remains blocked by going into the firewall.ini file and adding the following lines:

    [PARMS]
    auto-blocking = enabled, 0, unknown
    auto-blocking.timeout = 3600, 9000, unknown

The first line enables auto blocking. The second line says to block the IP for 3600 seconds (or 1 hour) then remove the block.
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
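
The count/interval/timeout rule discussed in this thread, modelled as an added example (it is not part of either message and is not BlackICE's own logic): it replays constructed bad-recipient events to show which senders a 3-in-30-seconds threshold blocks and when a 3600-second block is lifted. The class, function and parameter names are hypothetical, and the IP addresses are documentation addresses.

```python
from collections import defaultdict, deque

class AutoBlocker:
    """Assumed model of a count/interval/timeout rule; not the product's code."""

    def __init__(self, count=3, interval=30, timeout=3600):
        self.count, self.interval, self.timeout = count, interval, timeout
        self.errors = defaultdict(deque)   # ip -> times of recent bad-recipient errors
        self.blocked_until = {}            # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            del self.blocked_until[ip]     # block has expired, remove it
            return False
        return until is not None

    def bad_recipient(self, ip, now):
        """Record one rejected recipient; return True if the IP is blocked."""
        if self.is_blocked(ip, now):
            return True
        window = self.errors[ip]
        window.append(now)
        # Forget errors older than the interval so only a rapid burst counts.
        while window and now - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.count:
            self.blocked_until[ip] = now + self.timeout
            window.clear()
            return True
        return False

def replay(events, **rule):
    """Replay (seconds, ip) error events; return ({ip: first block time}, blocker)."""
    blocker, first_block = AutoBlocker(**rule), {}
    for t, ip in events:
        if blocker.bad_recipient(ip, t) and ip not in first_block:
            first_block[ip] = t
    return first_block, blocker

# Constructed sample events: a client retrying one bad reply three times,
# a sender with occasional typos, and an address guesser.
EVENTS = sorted([
    (0, "192.0.2.10"), (8, "192.0.2.10"), (15, "192.0.2.10"),
    (0, "198.51.100.7"), (600, "198.51.100.7"), (1200, "198.51.100.7"),
    (100, "203.0.113.5"), (101, "203.0.113.5"), (102, "203.0.113.5"),
])

if __name__ == "__main__":
    blocks, blocker = replay(EVENTS, count=3, interval=30, timeout=3600)
    print("first blocked at:", blocks)
    print("client still blocked after 1 hour:", blocker.is_blocked("192.0.2.10", 15 + 3600))
```

In this model the retrying client and the guesser are indistinguishable to the rule, so the timeout is the only setting that limits the cost of a false positive.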
