I use those same settings. But in addition, you can configure BlackICE to auto-block the "too many smtp errors" event (dictionary attack) by editing your issuelist.csv file.

Look for this line:

    2001015,SMTP too many errors,0,agg,-1,7,,Spam,The SMTP....

And change the "agg" to "IP|RST":

    2001015,SMTP too many errors,0,IP|RST,-1,7,,Spam,The SMTP....

This will tell BlackICE to auto-block the offending IP Address for 24 hours. Don't expect the people at ISS to support this though. They urged me not to edit that file when I asked. But it does work.

Bill

-----Original Message-----
From: Roger Heath
Sent: Thu, 23 Jan 2003 16:50:21 -0600
Subject: Re[2]: [Declude.JunkMail] OT: Dictionary Attacks

Reply to: Don Schreiner Re: [Declude.JunkMail] OT: Dictionary Attacks on Thursday 11:51:25 AM

>From an earlier msg:

Our servers are very stable with this firewall. It does not autoblock these but you can manually block them. I noticed that they do not show up in the log any more, so it appears to work fine.

I know you can set it to autoblock select events by editing the blackice.ini, for example:

    http.urllimit.count=60
    http.urllimit.interval=50

will temporarily block too many URL requests, like web site copying...

These are the settings to block dictionary attacks. It detects too many errors brought on by many failed logins...

    [Settings]
    smtp.error.count=10        ;total errors within
    smtp.error.interval=120    ;this amount of time (sec) then blocked

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com

----- Copy of Original Message(s): -----

D> Bill,
D> Also running BI as of a few weeks ago and tinkering with firewal.ini.
D> Would you mind sharing the .ini changes you made. You can e-mail me off
D> list. Thanks.
D> Sincerely,
D> Don Schreiner
D> CompBiz, Inc.
D> www.compbiz.net
D> 407-322-8654
D> 800-408-3688
D>
D> -----Original Message-----
D> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
D> Sent: Thursday, January 23, 2003 12:16 PM
D> To: [EMAIL PROTECTED]
D> Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks
D>
D> We started running BlackICE last month and it has been working nicely for
D> us. It requires a few config changes to get it to auto-block IPs that
D> send you dictionary attacks, but it is definitely a good solution.
D>
D> Bill
D>
D> -----Original Message-----
D> From: "R. Scott Perry"
D> Sent: Thu, 23 Jan 2003 10:58:09 -0500
D> Subject: Re: [Declude.JunkMail] OT: Dictionary Attacks
D>
>>It seems this morning that we have several dictionary attacks happening
>>on one of Imail servers. Is there an easy way to stop the person doing
>>this? I have looked through the log files and cannot easily spot the
>>person(s) doing this.
>>
>>Is there software that will prevent people from performing Dictionary
>>Attacks in the future?
>>
>>The POP3 and Declude processes are using like 50-09% of the CPU.
>>
>>Let me know if there is anything I can do...
D>
D> Are you sure that it is a dictionary attack? If the POP3 process has
D> higher usage than normal, then E-mails are being sent to your users (which
D> would mean that it either isn't a dictionary attack, or a hybrid attack
D> where they send spam as part of the dictionary attack).
D>
D> You might want to check the archives of the IMail Forum for ideas on how to
D> stop a dictionary attack. Some tricks are using a "nobody" alias (which I
D> believe you are), or using a product like BlackIce Server to stop it.
D>
D> Unfortunately, Declude can't stop these, because it doesn't have access to
D> the TCP/IP connection (which is where it would need to be stopped).
D>
D> -Scott
D>
D> ---
D> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
D> ---
D> This E-mail came from the Declude.JunkMail mailing list. To
D> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
D> "unsubscribe Declude.JunkMail". The archives can be found at
D> http://www.mail-archive.com.
D>
D> ----------
D> Scanned by CompBiz for Viruses http://www.CompBiz.Net.
D> Save 15 Percent on Virus Software by visiting
D> http://www.compbiz.net/software_mcafee.cfm for details!
D>
D> --
D> ActivatorMail(tm) ver.122102 Scanned for all viruses by
D> www.activatormail.com intelligent anti-virus anti-spam service
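The threshold logic behind Roger's blackice.ini settings (smtp.error.count errors within smtp.error.interval seconds, after which the IP is blocked for the 24 hours Bill mentions), as an added example that is not part of this thread and is not BlackICE's or IMail's code: a per-IP sliding-window counter run over constructed, simplified SMTP log lines, which also shows why a slow prober that spreads its failures beyond the interval never trips the threshold. The log format, the IP addresses and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
SMTP_ERROR_COUNT = 10       # smtp.error.count from the thread's blackice.ini
SMTP_ERROR_INTERVAL = 120   # smtp.error.interval, in seconds
BLOCK_DURATION = timedelta(hours=24)  # the auto-block length Bill describes

# Constructed, simplified log format (hypothetical, not IMail's or BlackICE's):
# "2003-01-23 16:50:00 203.0.113.7 550 5.1.1 User unknown"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d{3})\b.*$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                # junk line: timestamp, client IP, reply code missing
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), int(m.group(3))

def find_dictionary_attackers(lines, count=SMTP_ERROR_COUNT, interval=SMTP_ERROR_INTERVAL):
    """Map client IP -> time it would be auto-blocked: `count` 5xx replies
    inside any sliding `interval`-second window triggers the block."""
    window = defaultdict(deque)    # per-IP timestamps of recent 5xx replies
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, code = parsed
        if ip in blocked and ts - blocked[ip] < BLOCK_DURATION:
            continue               # still inside the 24 h block; traffic is dropped
        if code < 500:
            continue               # successful or transient replies are not errors
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > interval:
            q.popleft()            # slide the window: forget errors older than interval
        if len(q) >= count:
            blocked[ip] = ts
            q.clear()
    return blocked

def make_sample():
    """Constructed log: one fast dictionary attack, one slow prober, one normal host."""
    base = datetime(2003, 1, 23, 16, 50, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%d %H:%M:%S")
    lines = [f"{stamp(5 * i)} 203.0.113.7 550 5.1.1 User unknown" for i in range(12)]
    lines += [f"{stamp(20 * i)} 192.0.2.9 550 5.1.1 User unknown" for i in range(10)]
    for i in range(3):
        lines += [f"{stamp(100 * i)} 198.51.100.4 550 5.1.1 User unknown",
                  f"{stamp(100 * i)} 198.51.100.4 250 2.1.5 Recipient OK"]
    return sorted(lines)
```

With the thread's 10-in-120-seconds setting only the fast attacker is blocked (at its tenth failure); lowering count to 5 also catches the slow prober, which is the trade-off those two numbers encode.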