RE: [Declude.JunkMail] Blackice Server Settings
Wow, I posted those instructions a long time ago. I didn't know so many people ended up running blackice! I have no plans to replace blackice until a server upgrade means it won't run any more. Hopefully that won't be for several years.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.)
Sent: Friday, January 04, 2008 12:59 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Blackice Server Settings

ISS no longer supports blackice and it is no longer in production, what are users replacing it with?

Howard Smith
RE: [Declude.JunkMail] Blackice Server Settings
ISS no longer supports blackice and it is no longer in production, what are users replacing it with?

Howard Smith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Wednesday, September 27, 2006 5:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is!

Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on MY COMPUTER then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services.

Next, you can install Blackice. When you install Blackice server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install blackice you can go into the GUI and go to the firewall tab and under protection level you can select

trusting: allow all inbound traffic

Blackice should run without causing you any trouble so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail.

Also, you can always stop the Blackice service if you hit a problem. Blackice does its thing by watching traffic across the network card. If you stop Blackice then it's effectively as if Blackice isn't installed on the server. When the service is stopped Blackice is gone and all is back as it was before.

Attached is the issuelist.csv file which comes with Blackice server. Blackice uses this file as a database of different types of attacks. Line 227 had to be modified to indicate an action of IP|RST. The IP|RST tells Blackice to block the IP of the attacker as the action to take. Ignore the comments to the far right of line 227. The comments say to block the attacker if they attempt to send email to 10 non-existent email addresses within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All you need to change in this file is to add IP|RST to line 227. The attached file already has the change. It is from the most current version of Blackice so if you just bought Blackice you can move the attached file into the Blackice directory and you're good to go.

Next, in the Blackice GUI you'll want to go to the firewall tab and put a checkmark in front of Enable Auto Blocking. The GUI updates the firewall.ini file to tell Blackice that auto-blocking is enabled. The line in my firewall.ini is the following:

auto-blocking = enabled, 2000, BIgui

Next, go to the blackice.ini file and manually edit it to add the following 4 lines:

smtp.error.count=6
smtp.error.interval=30
pam.smtp.error.count=6
pam.error.interval=30

The above settings in blackice.ini tell Blackice that if it detects an attempt to send to 6 non-existent email addresses within 30 seconds then it should activate the Email_Error action in line 227 of issuelist.csv. We set the action to be IP|RST (in issuelist.csv) which specifies that the IP should be blocked. So if the QTY/Timeframe is met, the IP is blocked.

The block of the IP will automatically go away after a specified time. This is good because an IP is never permanently blocked forever. I believe the IP is removed from the blocklist after 24 hours. I have to find where you specify the length of time that the IP should remain blocked. I'll post that when I find it.

Also, on those 4 config lines above you can obviously choose how aggressive you want to be at blocking email harvesting by setting a different error.count and error.interval. I figured 6 attempts at bad addresses in 30 seconds was most certainly someone trying to guess email addresses on our servers.

Another thing that you will want to do is go into the Blackice GUI and go to the intrusion detection tab. Here you will want to add your internal and external IP addresses as ranges of IP addresses that you want to trust.

If Blackice ever blocks an IP that shouldn't be blocked (say some customer who isn't well-behaved but who is still a customer), through the GUI you can right click on your customer's info in the EVENTS tab and then select the option to trust and accept them. This will prevent them from ever being automatically blocked by Blackice.

I know the above is a bit to digest but don't let it scare you. Blackice is a
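Added example, not part of the thread and not Blackice code: a Python sketch of the rule the quoted instructions configure (6 unknown-recipient errors from one IP within 30 seconds triggers a block that expires on its own, and trusted ranges are never blocked). The log format, the class and function names and all addresses are constructed for illustration, and the 24-hour expiry is taken from the poster's stated belief, not from a documented setting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ERROR_COUNT = 6             # smtp.error.count in the post
ERROR_INTERVAL = 30         # smtp.error.interval in the post, in seconds
BLOCK_SECONDS = 24 * 3600   # assumption: the post's "I believe ... 24 hours"

EPOCH = datetime(1970, 1, 1)
# Constructed log format: "<date> <time> <client ip> RCPT <address> <reply code>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT <[^>]*> (\d{3})$")


def parse_ts(text):
    """Convert 'YYYY-MM-DD HH:MM:SS' to seconds since EPOCH."""
    return (datetime.strptime(text, "%Y-%m-%d %H:%M:%S") - EPOCH).total_seconds()


class HarvestBlocker:
    """Sliding-window counter of unknown-recipient errors per client IP."""

    def __init__(self, trusted=(), count=ERROR_COUNT,
                 interval=ERROR_INTERVAL, block_seconds=BLOCK_SECONDS):
        self.trusted = [ip_network(n) for n in trusted]
        self.count = count
        self.interval = interval
        self.block_seconds = block_seconds
        self.errors = defaultdict(deque)   # ip -> timestamps of recent errors
        self.blocked_until = {}            # ip -> time at which the block lapses

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # block has aged out
            del self.blocked_until[ip]
            return False
        return True

    def record_unknown_recipient(self, ip, now):
        """Register one error; return True if it triggers a new block."""
        addr = ip_address(ip)
        if any(addr in net for net in self.trusted):
            return False                   # trusted ranges are never blocked
        if self.is_blocked(ip, now):
            return False                   # already blocked, nothing new
        window = self.errors[ip]
        window.append(now)
        while now - window[0] > self.interval:
            window.popleft()               # forget errors older than the interval
        if len(window) >= self.count:
            self.blocked_until[ip] = now + self.block_seconds
            del self.errors[ip]
            return True
        return False


def process_log(lines, blocker):
    """Feed 550 (unknown recipient) replies to the blocker; return new blocks."""
    blocks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "550":
            continue
        stamp, ip = m.group(1), m.group(2)
        if blocker.record_unknown_recipient(ip, parse_ts(stamp)):
            blocks.append((ip, stamp))
    return blocks


def make_sample_log():
    """Constructed sample: a harvester, a slow sender, a trusted host."""
    base = datetime(2008, 1, 4, 12, 0, 0)

    def line(offset, ip, rcpt, code):
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%d %H:%M:%S")
        return f"{ts} {ip} RCPT <{rcpt}> {code}"

    lines = [line(i * 5, "203.0.113.7", f"guess{i}@example.com", 550)
             for i in range(8)]            # one bad address every 5 s
    lines += [line(i * 12, "198.51.100.20", f"typo{i}@example.com", 550)
              for i in range(6)]           # one bad address every 12 s
    lines += [line(i, "10.0.0.5", f"old{i}@example.com", 550)
              for i in range(8)]           # internal host in a trusted range
    lines.append(line(3, "192.0.2.44", "info@example.com", 250))
    return sorted(lines)                   # timestamp prefix sorts chronologically


if __name__ == "__main__":
    blocker = HarvestBlocker(trusted=["10.0.0.0/8"])
    for ip, stamp in process_log(make_sample_log(), blocker):
        print(f"{stamp} block {ip} for {BLOCK_SECONDS} s")
```

The slow sender produces as many errors as the harvester's threshold but never six inside one 30-second window, which is the trade-off the two `error.count` / `error.interval` values control.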
Re: [Declude.JunkMail] Blackice Server Settings
In relation to spam or in relation to security? My answers would be Alligate (on a separate server) and a firewall, respectively.

Matt

Howard Smith (N.O.R.A.D.) wrote:

ISS no longer supports blackice and it is no longer in production, what are users replacing it with?

Howard Smith
RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement
To replace blackice functions as to load on a server and monitor and block what applications sends out on individual ports. I have an offending app or task that is trying to send out on random ports, I am trying to find it and block it.

Howard Smith
N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168
www.norad.com
www.securetrek.com
www.siteshuttle.com
www.audiovideotrek.com
[EMAIL PROTECTED]
Office - (305) NETWORK (638-9675)
Sales - (786) 206-0045
Fax 1 - (305) 359-5144

Confidentiality Notice: This email message, including any Attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact [EMAIL PROTECTED] by email and destroy all copies of the original message.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 2:25 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blackice Server Settings

In relation to spam or in relation to security? My answers would be Alligate (on a separate server) and a firewall, respectively.

Matt
Re: [Declude.JunkMail] Blackice Server EndOfLife - need replacement
I'm sure that there are many opinions around here, but I don't think that servers should be the place where you enforce security with a software firewall. Although you might like some of what it tells you, I would think that a firewall and AV software would do the trick perfectly fine. Of course you can tune your firewall to your heart's content, and do things like limit outgoing ports, run IDS, etc. If you have enough servers, you might also want to set up off-site vulnerability scanning on a scheduled basis. If you are worried about inside your network you should set up VLANs.

As we saw a couple of years ago with Blackice, and then again last year with Symantec Corporate, software that intercepts packets from the network is itself vulnerable to exploitation, and this is a good reason to use a hardware firewall as at least a first level of defense, and only allow in what is necessary.

Matt

Howard Smith (N.O.R.A.D.) wrote:

To replace blackice functions as to load on a server and monitor and block what applications sends out on individual ports. I have an offending app or task that is trying to send out on random ports, I am trying to find it and block it.
RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement
If it is going on all the time, use the command line and issue:

netstat -b

which will show you the executable name and the connection. If you need to narrow down the TCP connection over a longer period of time, use the free TCPView from Sysinternals dot com (now a Microsoft Technet site).

Perhaps someone else will have an opinion on a good host based firewall for an email server.

Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.)
Sent: Friday, January 04, 2008 11:55 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

To replace blackice functions as to load on a server and monitor and block what applications sends out on individual ports. I have an offending app or task that is trying to send out on random ports, I am trying to find it and block it.
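Added example, not part of the thread: a Python sketch that reads saved `netstat -b` output and groups outbound TCP connections by owning executable, to surface a process that is reaching many different remote ports. The sample text is constructed (numeric addresses as printed when `-n` is also given), and the executable names and the three-port threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout netstat -b prints: a connection line,
# then the owning executable in square brackets on a following line.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
 [mailserver.exe]
  TCP    192.0.2.10:25          198.51.100.8:40211     ESTABLISHED
 [mailserver.exe]
  TCP    192.0.2.10:1188        198.51.100.30:25       ESTABLISHED
 [mailserver.exe]
  TCP    192.0.2.10:1201        203.0.113.50:4455      ESTABLISHED
 [mystery.exe]
  TCP    192.0.2.10:1202        203.0.113.51:18022     SYN_SENT
 [mystery.exe]
  TCP    192.0.2.10:1203        203.0.113.52:50931     SYN_SENT
 [mystery.exe]
  TCP    192.0.2.10:1150        198.51.100.9:443       TIME_WAIT
 Can not obtain ownership information
"""


def _port(endpoint):
    """Return the numeric port of 'host:port', or None if it is not numeric."""
    _host, _sep, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat_b(text):
    """Parse connection lines and attach the bracketed executable to each."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            # Fourth column is the state; a bare number there is a PID column.
            state = parts[3] if len(parts) > 3 and not parts[3].isdigit() else ""
            records.append({"proto": parts[0], "local": parts[1],
                            "foreign": parts[2], "state": state, "exe": None})
        elif line.startswith("[") and line.endswith("]") and records:
            if records[-1]["exe"] is None:
                records[-1]["exe"] = line[1:-1].lower()
        # Any other line (module names, "Can not obtain ownership
        # information") leaves the last record's owner as it is.
    return records


def remote_ports_by_exe(records):
    """Map executable -> sorted distinct remote ports of outbound TCP sessions."""
    # Heuristic: a session whose local port is also a listening port is inbound.
    listening = {_port(r["local"]) for r in records if r["state"] == "LISTENING"}
    ports = defaultdict(set)
    for r in records:
        if r["proto"] != "TCP" or r["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        if _port(r["local"]) in listening:
            continue
        remote = _port(r["foreign"])
        if remote is not None:
            ports[r["exe"] or "(owner unknown)"].add(remote)
    return {exe: sorted(found) for exe, found in ports.items()}


def suspects(records, min_ports=3):
    """Executables talking to at least min_ports distinct remote ports."""
    by_exe = remote_ports_by_exe(records)
    return sorted((exe, p) for exe, p in by_exe.items() if len(p) >= min_ports)


if __name__ == "__main__":
    for exe, found in suspects(parse_netstat_b(SAMPLE)):
        print(f"{exe}: remote ports {found}")
```

A single snapshot only shows connections open at that instant, so the same grouping is more useful over several captures taken a few seconds apart.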
RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement
The best part of Black Ice is it's easy to read interface to see what hitting the server. I will continue to use it just for that purpose, with an ACL in the router ahead of the server to do the heavy lifting of access control. It is an effective blocker for UDP port probes, when used in conjunction with an ACL which blocks the TCP and IP port probes, so an outsider cannot execute anything. On the other side, I would never use a software application on the server as the primary defense...been there, done that years ago when the Witty.A virus struck. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Friday, January 04, 2008 12:21 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Blackice Server EndOfLife - need replacement I'm sure that there are many opinions around here, but I don't think that servers should be the place where you enforce security with a software firewall. Although you might like some of what it tells you, I would think that a firewall and AV software would do the trick perfectly fine. Of course you can tune your firewall to your heart's content, and do things like limit outgoing ports, run IDS, etc. If you have enough servers, you might also want to set up off-site vulnerability scanning on a scheduled basis. If you are worried about inside your network you should set up VLANs. As we saw a couple of years ago with Blackice, and then again last year with Symantec Corporate, software that intercepts packets from the network are themselves vulnerable to exploitation, and this is a good reason to use a hardware firewall as at least a first level of defense, and only allow in what is necessary. Matt Howard Smith (N.O.R.A.D.) wrote: To replace blackice functions as to load on a server and monitor and block what applications sends out on individual ports . I have an offending app or task that trying to send out on random ports , I am trying to find it and block it Howard Smith N.O.R.A.D. Inc. 
P.O. Box 680116 Miami, Florida 33168 www.norad.com www.securetrek.com www.siteshuttle.com www.audiovideotrek.com [EMAIL PROTECTED] Office - (305) NETWORK (638-9675) Sales - (786) 206-0045 Fax 1 - (305) 359-5144 Confidentiality Notice: This email message, including any Attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact [EMAIL PROTECTED] by email and destroy all copies of the original message. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Friday, January 04, 2008 2:25 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Blackice Server Settings In relation to spam or in relation to security? My answers would be Alligate (on a separate server) and a firewall, respectively. Matt Howard Smith (N.O.R.A.D.) wrote: ISS no longer supports blackice and it is no longer in production , what are users replacing it with ? Howard Smith . -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Wednesday, September 27, 2006 5:58 PM To: declude.junkmail@declude.com Cc: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Blackice Server Settings I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is! Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on MY COMPUTER then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services. Next, you can install Blackice. 
When you install Blackice server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install blackice you can go into the GUI and go to the firewall tab and under protection level you can select

    trusting: allow all inbound traffic

Blackice should run without causing you any trouble so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail. Also, you
RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement
We too use Black Ice with great success (except Windows 2003R2 will not install and run). The replacement is IMP Proventia and very expensive at about $700 per server. We are also looking for a more cost-effective replacement.

-Don

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon
Sent: Friday, January 04, 2008 3:47 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

The best part of Black Ice is its easy-to-read interface to see what's hitting the server. I will continue to use it just for that purpose, with an ACL in the router ahead of the server to do the heavy lifting of access control. It is an effective blocker for UDP port probes, when used in conjunction with an ACL which blocks the TCP and IP port probes, so an outsider cannot execute anything. On the other side, I would never use a software application on the server as the primary defense...been there, done that years ago when the Witty.A virus struck.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 12:21 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

I'm sure that there are many opinions around here, but I don't think that servers should be the place where you enforce security with a software firewall. Although you might like some of what it tells you, I would think that a firewall and AV software would do the trick perfectly fine. Of course you can tune your firewall to your heart's content, and do things like limit outgoing ports, run IDS, etc. If you have enough servers, you might also want to set up off-site vulnerability scanning on a scheduled basis. If you are worried about inside your network you should set up VLANs. As we saw a couple of years ago with Blackice, and then again last year with Symantec Corporate, software that intercepts packets from the network is itself vulnerable to exploitation, and this is a good reason to use a hardware firewall as at least a first level of defense, and only allow in what is necessary.

Matt

Howard Smith (N.O.R.A.D.) wrote:

To replace blackice functions as to load on a server and monitor and block what applications send out on individual ports. I have an offending app or task that is trying to send out on random ports, I am trying to find it and block it.

Howard Smith
N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168
www.norad.com www.securetrek.com www.siteshuttle.com www.audiovideotrek.com
[EMAIL PROTECTED]
Office - (305) NETWORK (638-9675)
Sales - (786) 206-0045
Fax 1 - (305) 359-5144

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 2:25 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blackice Server Settings

In relation to spam or in relation to security? My answers would be Alligate (on a separate server) and a firewall, respectively.

Matt

Howard Smith (N.O.R.A.D.) wrote:

ISS no longer supports blackice and it is no longer in production, what are users replacing it with?

Howard Smith
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Wednesday, September 27, 2006 5:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is!

Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on MY COMPUTER then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services. Next, you can install Blackice.

When you install Blackice server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install blackice you can go into the GUI and go to the firewall tab and under protection level you can select trusting: allow all inbound
RE: [Declude.JunkMail] Blackice Server Settings
Dave, Could you post the settings for Blackice? It looks like the list does accept attachments. Thanks,

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, September 21, 2006 2:00 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

I'm leaving town in a little bit and I won't be back until Sunday. If someone reminds me on Sunday or Monday I'd be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this. Dave, Could you post the ini settings for BlackIce that can help with mail servers? Thanks

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Blackice Server Settings
Nice! Thanks Dave.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Wednesday, September 27, 2006 11:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is!

Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on MY COMPUTER then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services. Next, you can install Blackice.

When you install Blackice server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install blackice you can go into the GUI and go to the firewall tab and under protection level you can select

    trusting: allow all inbound traffic

Blackice should run without causing you any trouble so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail.

Also, you can always stop the Blackice service if you hit a problem. Blackice does its thing by watching traffic across the network card. If you stop Blackice then it's effectively as if Blackice isn't installed on the server.
When the service is stopped Blackice is gone and all is back as it was before.

Attached is the issuelist.csv file which comes with Blackice server. Blackice uses this file as a database of different types of attacks. Line 227 had to be modified to indicate an action of IP|RST. The IP|RST tells Blackice to block the IP of the attacker as the action to take. Ignore the comments to the far right of line 227. The comments say to block the attacker if they attempt to send email to 10 non-existent email addresses within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All you need to change in this file is to add IP|RST to line 227. The attached file already has the change. It is from the most current version of Blackice so if you just bought Blackice you can move the attached file into the Blackice directory and you're good to go.

Next, in the Blackice GUI you'll want to go to the firewall tab and put a checkmark in front of

    Enable Auto Blocking

The GUI updates the firewall.ini file to tell Blackice that auto-blocking is enabled. The line in my firewall.ini is the following:

    auto-blocking = enabled, 2000, BIgui

Next, go to the blackice.ini file and manually edit it to add the following 4 lines:

    smtp.error.count=6
    smtp.error.interval=30
    pam.smtp.error.count=6
    pam.error.interval=30

The above settings in blackice.ini tell Blackice that if it detects an attempt to send to 6 non-existent email addresses within 30 seconds then it should activate the Email_Error action in line 227 of issuelist.csv. We set the action to be IP|RST (in issuelist.csv) which specifies that the IP should be blocked. So if the QTY/Timeframe is met, the IP is blocked.

The block of the IP will automatically go away after a specified time. This is good because an IP is never permanently blocked forever. I believe the IP is removed from the blocklist after 24 hours. I have to find where you specify the length of time that the IP should remain blocked. I'll post that when I find it.
Also, on those 4 config lines above you can obviously choose how aggressive you want to be at blocking email harvesting by setting a different error.count and error.interval. I figured 6 attempts at bad addresses in 30 seconds was most certainly someone trying to guess email addresses on our servers.

Another thing that you will want to do is go into the Blackice GUI and go to the intrusion detection tab. Here you will want to add your internal and external IP addresses as ranges of IP addresses that you want to trust.

If Blackice ever blocks an IP that shouldn't be blocked (say some customer who isn't well-behaved but who is still a customer), through the GUI you can right click on your customer's info in the EVENTS tab and then select the option to trust and accept them. This will prevent them from ever being automatically blocked by Blackice.

I know the above is a bit to digest but don't let it scare you. Blackice is a simple
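The rule described in the post above (6 rejected recipients from one IP within 30 seconds, then a temporary block, with trusted ranges exempt) can be modelled as a per-IP sliding window. This is an added Python example, not part of the original messages and not Blackice's own code; the log format, the trusted range, the addresses and the class and function names are constructed for illustration, and the 24-hour expiry is the post's "I believe" figure taken as an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds from the post's blackice.ini lines.
ERROR_COUNT = 6                          # smtp.error.count=6
ERROR_INTERVAL = timedelta(seconds=30)   # smtp.error.interval=30
# Assumption: the post only says "I believe" a block lapses after 24 hours.
BLOCK_TTL = timedelta(hours=24)
# Constructed trusted range, standing in for the GUI's trusted addresses.
TRUSTED = [ip_network("192.0.2.0/24")]

# Constructed log, hypothetical format: "<ISO time> <client IP> <reply code> <text>"
SAMPLE_LOG = """\
2006-09-27T10:00:00 203.0.113.7 550 unknown user
2006-09-27T10:00:02 203.0.113.7 550 unknown user
2006-09-27T10:00:03 203.0.113.7 250 ok
2006-09-27T10:00:04 203.0.113.7 550 unknown user
2006-09-27T10:00:06 203.0.113.7 550 unknown user
2006-09-27T10:00:08 203.0.113.7 550 unknown user
2006-09-27T10:00:10 203.0.113.7 550 unknown user
2006-09-27T10:00:11 203.0.113.7 550 unknown user
2006-09-27T10:01:00 198.51.100.20 550 unknown user
2006-09-27T10:01:10 198.51.100.20 550 unknown user
2006-09-27T10:01:20 198.51.100.20 550 unknown user
2006-09-27T10:01:30 198.51.100.20 550 unknown user
2006-09-27T10:01:40 198.51.100.20 550 unknown user
2006-09-27T10:01:50 198.51.100.20 550 unknown user
2006-09-27T10:02:00 192.0.2.15 550 unknown user
2006-09-27T10:02:01 192.0.2.15 550 unknown user
2006-09-27T10:02:02 192.0.2.15 550 unknown user
2006-09-27T10:02:03 192.0.2.15 550 unknown user
2006-09-27T10:02:04 192.0.2.15 550 unknown user
2006-09-27T10:02:05 192.0.2.15 550 unknown user
"""


class HarvestBlocker:
    """Per-IP sliding window over rejected recipients, with expiring blocks."""

    def __init__(self, count=ERROR_COUNT, interval=ERROR_INTERVAL,
                 ttl=BLOCK_TTL, trusted=TRUSTED):
        self.count, self.interval, self.ttl = count, interval, ttl
        self.trusted = list(trusted)
        self.errors = defaultdict(deque)   # ip -> timestamps of recent 550s
        self.blocked_until = {}            # ip -> expiry time of the block

    def is_blocked(self, ip, at):
        until = self.blocked_until.get(ip)
        return until is not None and at < until

    def observe(self, ts, ip, code):
        """Feed one SMTP reply; return True if it triggers a new block."""
        if any(ip_address(ip) in net for net in self.trusted):
            return False                   # trusted ranges are never auto-blocked
        if self.is_blocked(ip, ts) or code != 550:
            return False                   # already blocked, or not a rejection
        window = self.errors[ip]
        window.append(ts)
        while ts - window[0] > self.interval:
            window.popleft()               # forget errors older than the interval
        if len(window) < self.count:
            return False
        self.blocked_until[ip] = ts + self.ttl
        window.clear()
        return True


def replay(log_text):
    """Run the rule over a log; return the blocker and the (ip, time) block events."""
    blocker, events = HarvestBlocker(), []
    for line in log_text.splitlines():
        ts, ip, code, _ = line.split(" ", 3)
        when = datetime.fromisoformat(ts)
        if blocker.observe(when, ip, int(code)):
            events.append((ip, when))
    return blocker, events


if __name__ == "__main__":
    blocker, events = replay(SAMPLE_LOG)
    for ip, when in events:
        until = blocker.blocked_until[ip].isoformat()
        print(f"{when.isoformat()} block {ip} until {until}")
```

In the constructed log only the first sender crosses the threshold: the second spreads the same six rejections over 50 seconds, and the third sits in the trusted range.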
RE: [Declude.JunkMail] Blackice Server Settings
In the past this list would accept attachments. I haven't seen any lately though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, September 21, 2006 2:00 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

I'm leaving town in a little bit and I won't be back until Sunday. If someone reminds me on Sunday or Monday I'd be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this. Dave, Could you post the ini settings for BlackIce that can help with mail servers? Thanks
RE: [Declude.JunkMail] Blackice Server Settings
Chris Asaro
Technical Support Engineer
Declude
Your Email security is our business
866.332.5833 toll free
978.499.2933 office
978.477.8930 e-fax
[EMAIL PROTECTED]
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Monday, September 25, 2006 10:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

In the past this list would accept attachments. I haven't seen any lately though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, September 21, 2006 2:00 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

I'm leaving town in a little bit and I won't be back until Sunday. If someone reminds me on Sunday or Monday I'd be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this. Dave, Could you post the ini settings for BlackIce that can help with mail servers? Thanks

this is an attachment
RE: [Declude.JunkMail] Blackice Server Settings
I'm leaving town in a little bit and I won't be back until Sunday. If someone reminds me on Sunday or Monday I'd be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this. Dave, Could you post the ini settings for BlackIce that can help with mail servers? Thanks
RE: [Declude.JunkMail] Blackice
Well, an uninstall and re-install of BlackICE seems to have fixed my issue. I had already taken it off of the server by the time I got the last DNS suggestion, so I re-installed it to test it. I haven't seen any processes backing up since. And, by the way, it is working excellently at autoblocking dictionary attacks. I recommend it to any Declude user who wants a way of blocking Dictionary attacks for a relatively low cost. At least those who don't have the time (or the bosses' permission in my case, he is blindly anti-Linux) to set up an IMGate box.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent: Friday, November 19, 2004 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Blackice

Thanks for the tip, but I never took it off of Trusted. Still, I will test that and see.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason @ AreaTech
Sent: Friday, November 19, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Blackice

Could be a DNS issue. Make sure that you can perform DNS lookups from that box since you've set your settings to paranoid in BI.

Jason

- Original Message -
From: Dan Horne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 10:36 AM
Subject: [Declude.JunkMail] Blackice

Is anyone here running both Blackice and Declude? After running both for about 20 minutes, all 4 processors on my server were pegged at 100%. Task manager was filled with about 20-30 Declude.exe's, many instances of Sniffer, many instances of SPAMCHK.exe, etc. A reboot of the server and the same behavior (this time it didn't take 20 minutes, either, it was almost instantaneous on boot).

Dan Horne
Web Services Administrator
TAIS Web Wilcox World Travel Tours
[EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Re: [Declude.JunkMail] Blackice
Is anyone here running both Blackice and Declude? After running both for about 20 minutes, all 4 processors on my server were pegged at 100%.

Which process(es) were using up the 100% CPU? Specifically, if you click on the Processes tab in Task Manager, then click on the CPU button, which process(es) are at the top?

-Scott

--- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.
RE: [Declude.JunkMail] Blackice
Declude.exe. 4 instances said 25% each, and the rest of the many Declude processes were at 0.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, November 19, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Blackice

Is anyone here running both Blackice and Declude? After running both for about 20 minutes, all 4 processors on my server were pegged at 100%.

Which process(es) were using up the 100% CPU? Specifically, if you click on the Processes tab in Task Manager, then click on the CPU button, which process(es) are at the top?

-Scott
RE: [Declude.JunkMail] Blackice
Oh, yeah, and blackice was way down the list showing 0%.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, November 19, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Blackice

Is anyone here running both Blackice and Declude? After running both for about 20 minutes, all 4 processors on my server were pegged at 100%.

Which process(es) were using up the 100% CPU? Specifically, if you click on the Processes tab in Task Manager, then click on the CPU button, which process(es) are at the top?

-Scott
RE: [Declude.JunkMail] Blackice
Thanks for the tip, but I never took it off of Trusted. Still, I will test that and see.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason @ AreaTech
Sent: Friday, November 19, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Blackice

Could be a DNS issue. Make sure that you can perform DNS lookups from that box since you've set your settings to paranoid in BI.

Jason

- Original Message -
From: Dan Horne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 19, 2004 10:36 AM
Subject: [Declude.JunkMail] Blackice

Is anyone here running both Blackice and Declude? After running both for about 20 minutes, all 4 processors on my server were pegged at 100%. Task manager was filled with about 20-30 Declude.exe's, many instances of Sniffer, many instances of SPAMCHK.exe, etc. A reboot of the server and the same behavior (this time it didn't take 20 minutes, either, it was almost instantaneous on boot).

Dan Horne
Web Services Administrator
TAIS Web Wilcox World Travel Tours
[EMAIL PROTECTED]
Re: [Declude.JunkMail] BlackIce
We lost 16 Servers.

- Original Message -
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 21, 2004 9:50 PM
Subject: RE: [Declude.JunkMail] BlackIce

We had a single Colo'd server fall ill to this vulnerability on Friday night. It wasn't a pretty sight to say the least.

Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce

Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred

[AUTOMATED NOTE: Your mail server [209.184.248.29] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
OT: Re: [Declude.JunkMail] BlackIce
If you have 16 servers then you need to invest in a real firewall. You can get a good hardware firewall for $900 - $3000. Look at:

www.sonicwall.com
www.servgate.com

The ServGate Edgeforce is a nice unit and can be upgraded to do virus scanning. They also won PC Mag Editors choice award this month. Good luck.

Todd

At 10:43 AM 3/22/2004 -0500, you wrote:

We lost 16 Servers.

- Original Message -
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 21, 2004 9:50 PM
Subject: RE: [Declude.JunkMail] BlackIce

We had a single Colo'd server fall ill to this vulnerability on Friday night. It wasn't a pretty sight to say the least.

Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce

Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred
Re: Re: [Declude.JunkMail] BlackIce
Sorry to hear about your troubles. We keep everything closed and only open the port for each specific IP that we need. We don't use the PIX so I am not familiar with them, but security should be at the edge of your network in your firewall. If set up properly you should not need the BlackIce.

Todd

At 11:44 AM 3/22/2004 -0500, you wrote:

Have one. PIX. Problem is we had port 4000 open thought it was harmless.

----- Original Message -----
From: Todd Hunter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 5:13 AM
Subject: OT: Re: [Declude.JunkMail] BlackIce

If you have 16 servers then you need to invest in a real firewall. You can get a good hardware firewall for $900 - $3000. Look at:

www.sonicwall.com
www.servgate.com

The ServGate Edgeforce is a nice unit and can be upgraded to do virus scanning. They also won PC Mag Editors' Choice award this month.

Good luck.

Todd

At 10:43 AM 3/22/2004 -0500, you wrote:

We lost 16 Servers.

----- Original Message -----
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 21, 2004 9:50 PM
Subject: RE: [Declude.JunkMail] BlackIce

We had a single Colo'd server fall ill to this vulnerability on Friday night. It wasn't a pretty sight to say the least.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce

Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred
RE: Re: [Declude.JunkMail] BlackIce
I was always bothered by those posts that stated I am using a software firewall on the server itself and that is fine.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Todd Hunter
Sent: Monday, March 22, 2004 2:14 AM
To: [EMAIL PROTECTED]
Subject: OT: Re: [Declude.JunkMail] BlackIce

If you have 16 servers then you need to invest in a real firewall. You can get a good hardware firewall for $900 - $3000. Look at:

www.sonicwall.com
www.servgate.com

The ServGate Edgeforce is a nice unit and can be upgraded to do virus scanning. They also won PC Mag Editors' Choice award this month.

Good luck.

Todd

At 10:43 AM 3/22/2004 -0500, you wrote:

We lost 16 Servers.

----- Original Message -----
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 21, 2004 9:50 PM
Subject: RE: [Declude.JunkMail] BlackIce

We had a single Colo'd server fall ill to this vulnerability on Friday night. It wasn't a pretty sight to say the least.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce

Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred
Re: Re: [Declude.JunkMail] BlackIce
We use PIX firewalls. As Todd said, the idea is to block everything by default, then open up what you specifically need. Then you just have to keep up with the critical patches for the services you have open.

As far as I know, no exploit has come out sooner than a month after a patch for the security hole was released. That will likely change in the future, so patch/update management is going to become a much more onerous task than it already is. Anything we can do to minimize the security risks up front, we should. It may even become necessary to start applying patches automatically in the future, but this is a dangerous policy at present.

Darin.

----- Original Message -----
From: Todd Hunter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 6:08 AM
Subject: Re: Re: [Declude.JunkMail] BlackIce

Sorry to hear about your troubles. We keep everything closed and only open the port for each specific IP that we need. We don't use the PIX so I am not familiar with them, but security should be at the edge of your network in your firewall. If set up properly you should not need the BlackIce.

Todd

At 11:44 AM 3/22/2004 -0500, you wrote:

Have one. PIX. Problem is we had port 4000 open thought it was harmless.

----- Original Message -----
From: Todd Hunter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 5:13 AM
Subject: OT: Re: [Declude.JunkMail] BlackIce

If you have 16 servers then you need to invest in a real firewall. You can get a good hardware firewall for $900 - $3000. Look at:

www.sonicwall.com
www.servgate.com

The ServGate Edgeforce is a nice unit and can be upgraded to do virus scanning. They also won PC Mag Editors' Choice award this month.

Good luck.

Todd

At 10:43 AM 3/22/2004 -0500, you wrote:

We lost 16 Servers.

----- Original Message -----
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 21, 2004 9:50 PM
Subject: RE: [Declude.JunkMail] BlackIce

We had a single Colo'd server fall ill to this vulnerability on Friday night. It wasn't a pretty sight to say the least.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce

Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred
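
The approach discussed in this thread (block everything by default, open only what is needed, and only to the specific IPs that need it) can be checked mechanically. The following is an added example, not part of any poster's message: it audits a simplified PIX-style access list against a list of required services. The rule syntax is a reduced form, and the ACL lines, addresses, protocols and the `REQUIRED` table are constructed; only port 4000 comes from the thread.

```python
# Added example: audit a simplified PIX-style ACL against a default-deny policy.
# Constructed input: the ACL lines, addresses and protocols are made up for
# illustration; only port 4000 is taken from the thread.
SAMPLE_ACL = """\
access-list outside_in permit tcp any host 192.0.2.25 eq 25
access-list outside_in permit tcp host 198.51.100.7 host 192.0.2.25 eq 3389
access-list outside_in permit udp any any eq 4000
access-list outside_in permit tcp any host 192.0.2.25 eq 3389
"""

# Hypothetical list of services that are actually needed:
# (protocol, destination, port) -> True if any source may connect.
REQUIRED = {
    ("tcp", "192.0.2.25", 25): True,     # SMTP has to accept mail from anyone
    ("tcp", "192.0.2.25", 3389): False,  # remote admin: named source IPs only
}


def take_addr(tokens, line):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK'; return (address, rest)."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) >= 2:
        addr = tokens[1] if tokens[0] == "host" else tokens[0] + "/" + tokens[1]
        return addr, tokens[2:]
    raise ValueError("unsupported rule: " + line)


def parse_rule(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("unsupported rule: " + line)
    src, rest = take_addr(tokens[4:], line)
    dst, rest = take_addr(rest, line)
    if rest and not (len(rest) == 2 and rest[0] == "eq" and rest[1].isdigit()):
        raise ValueError("unsupported rule: " + line)
    port = int(rest[1]) if rest else None  # None means every port
    return {"action": tokens[2], "proto": tokens[3], "src": src, "dst": dst, "port": port}


def audit(acl_text, required):
    """Return (finding, rule) pairs for permits that break default-deny."""
    findings = []
    for line in (l.strip() for l in acl_text.splitlines()):
        if not line:
            continue
        rule = parse_rule(line)
        if rule["action"] != "permit":
            continue  # a deny rule opens nothing
        key = (rule["proto"], rule["dst"], rule["port"])
        if key not in required:
            findings.append(("not-required", line))
        elif rule["src"] == "any" and not required[key]:
            findings.append(("source-too-broad", line))
    return findings


if __name__ == "__main__":
    for finding, rule in audit(SAMPLE_ACL, REQUIRED):
        print(finding + ": " + rule)
```

On the constructed input the port 4000 rule is reported as not-required and the second 3389 rule as source-too-broad, while the public SMTP rule and the per-IP admin rule pass.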
RE: [Declude.JunkMail] BlackIce
Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred
RE: [Declude.JunkMail] BlackIce
We had a single Colo'd server fall ill to this vulnerability on Friday night. It wasn't a pretty sight to say the least.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce

Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred