This is an example only and be very careful with settings, as you can block legitimate IP's for a period of time. For example, I would suggest adjusting the block time to suite your needs (i.e. 1-12 hours) on dictionary attacks. You may also want to up the count on the interval time too. Also, your BI log files can grow huge which can affect server performance (defrag and/or move often), so be careful there too.
Go into your blackice.ini file and under the [settings} section add these lines: smtp.error.count=3 smtp.error.interval=30 pam.smtp.error.count=3 pam.error.interval=30 The count is the number of bad email address attempts. The interval is the number of seconds. If someone trys to send email and hits 3 non-existent email addresses within 30 seconds it will block their IP. You can control how an IP remains blocked by going into the firewall.ini file and adding the following lines: [PARMS] auto-blocking = enabled, 0, unknown auto-blocking.timeout = 3600, 9000, unknown The first line enables auto blocking. The second line says to block the IP for 3600 seconds (or 1 hour) then remove the block. -Don -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Bahrami Sent: Wednesday, February 16, 2005 1:53 AM To: [email protected] Subject: RE: [IMail Forum] Auto deny IP's after x amount of unknown user??? I have black ice server installed. It seems like it will do what I need, but I can't for the life of me figure out where to edit pam.smtp.error.count. Can anyone please help point me in the right direction? Thank you, Barry Bahrami Commercial Network Services www.CommercialNetworkServices.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matrosity Tech Support Sent: Wednesday, February 09, 2005 7:14 PM To: [email protected] Subject: Re: [IMail Forum] Auto deny IP's after x amount of unknown user??? BlackIce Defender Server will do this but it's undocumented. Search the list archives and you'll find all the details. Barry Bahrami wrote: >Below is an Imail server log of a spammer hacking email accounts to >send junk to (@spammedomain.com). It's obvious this person is trying >every possible name @spammeddomain.com. I see this all the time. It >is hell on people with nobody aliases setup. > >Is there anything I can do to have Imail automatically reject the >senders IP after x amount of invalid user's during a n minute window??? > >Thank you, > >Barry Bahrami >Commercial Network Services >www.CommercialNetworkServices.com > >-----Original Message----- >20050209 172849 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172849 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172849 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172849 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172849 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172851 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172851 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172851 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172851 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172852 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172853 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172854 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172855 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172855 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172855 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172855 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172856 127.0.0.1 SMTPD (17950092) [68.107.113.200] MAIL FROM: ><[EMAIL PROTECTED]> >20050209 172856 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172856 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172856 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172856 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172856 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172856 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172857 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172858 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172858 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172858 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172858 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172858 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172858 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172859 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172900 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172900 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172900 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172900 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172901 127.0.0.1 SMTPD (17950092) [68.107.113.200] MAIL FROM: ><[EMAIL PROTECTED]> >20050209 172901 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172901 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172901 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172901 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172901 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172901 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172902 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172903 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] >20050209 172904 127.0.0.1 SMTPD (17950092) [68.107.113.200] RCPT TO: ><[EMAIL PROTECTED]> >20050209 172904 127.0.0.1 SMTPD (17950092) [68.107.113.200] ERR >mymailserver.com invalid user <[EMAIL PROTECTED] > > >To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html >List Archive: >http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ >Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ > > > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/ ------------------------------ CompBiz.Net scanned for Virus' To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
