If it is going on all the time, use the command line and issue: netstat -b
which will show you the executable name and the connection. If you need to narrow down the TCP connection over a longer period of time, use the free TCPView from Sysinternals dot com (now a Microsoft Technet site).

Perhaps someone else will have an opinion on a good host based firewall for an email server.

Andrew.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.)
> Sent: Friday, January 04, 2008 11:55 AM
> To: [email protected]
> Subject: RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement
>
> To replace Blackice functions as to load on a server and monitor and block what applications send out on individual ports. I have an offending app or task that is trying to send out on random ports; I am trying to find it and block it.
>
> Howard Smith
> N.O.R.A.D. Inc.
> P.O. Box 680116
> Miami, Florida 33168
> www.norad.com
> www.securetrek.com
> www.siteshuttle.com
> www.audiovideotrek.com
> [EMAIL PROTECTED]
> Office - (305) NETWORK (638-9675)
> Sales - (786) 206-0045
> Fax 1 - (305) 359-5144
>
> Confidentiality Notice: This email message, including any Attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact [EMAIL PROTECTED] by email and destroy all copies of the original message.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Friday, January 04, 2008 2:25 PM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] Blackice Server Settings
>
> In relation to spam or in relation to security?
>
> My answers would be Alligate (on a separate server) and a firewall, respectively.
>
> Matt
>
> Howard Smith (N.O.R.A.D.) wrote:
> > ISS no longer supports Blackice and it is no longer in production. What are users replacing it with?
> >
> > Howard Smith
> > .
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> > Sent: Wednesday, September 27, 2006 5:58 PM
> > To: [email protected]
> > Cc: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] Blackice Server Settings
> >
> > I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is!
> >
> > Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on "MY COMPUTER", then go to Properties and then go to Advanced. Under Performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services.
> >
> > Next, you can install Blackice.
> >
> > When you install Blackice Server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install Blackice you can go into the GUI and go to the firewall tab and under protection level you can select "trusting: allow all inbound traffic".
> >
> > Blackice should run without causing you any trouble so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail.
> >
> > Also, you can always stop the Blackice service if you hit a problem. Blackice does its thing by watching traffic across the network card. If you stop Blackice then it's effectively as if Blackice isn't installed on the server. When the service is stopped Blackice is gone and all is back as it was before.
> >
> > Attached is the issuelist.csv file which comes with Blackice Server. Blackice uses this file as a database of different types of attacks. Line 227 had to be modified to indicate an action of IP|RST. The IP|RST tells Blackice to block the IP of the attacker as the action to take. Ignore the comments to the far right of line 227. The comments say to block the attacker if they attempt to send email to 10 non-existent email addresses within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All you need to change in this file is to add IP|RST to line 227. The attached file already has the change. It is from the most current version of Blackice, so if you just bought Blackice you can move the attached file into the Blackice directory and you're good to go.
> >
> > Next, in the Blackice GUI you'll want to go to the firewall tab and put a checkmark in front of "Enable Auto Blocking". The GUI updates the firewall.ini file to tell Blackice that auto-blocking is enabled. The line in my firewall.ini is the following:
> >
> > auto-blocking = enabled, 2000, BIgui
> >
> > Next, go to the blackice.ini file and manually edit it to add the following 4 lines:
> >
> > smtp.error.count=6
> > smtp.error.interval=30
> > pam.smtp.error.count=6
> > pam.error.interval=30
> >
> > The above settings in blackice.ini tell Blackice that if it detects an attempt to send to 6 non-existent email addresses within 30 seconds then it should activate the Email_Error action in line 227 of issuelist.csv. We set the action to be IP|RST (in issuelist.csv) which specifies that the IP should be blocked. So if the QTY/Timeframe is met, the IP is blocked. The block of the IP will automatically go away after a specified time. This is good because an IP is never permanently blocked forever.
> >
> > I believe the IP is removed from the blocklist after 24 hours. I have to find where you specify the length of time that the IP should remain blocked. I'll post that when I find it.
> >
> > Also, on those 4 config lines above you can obviously choose how aggressive you want to be at blocking email harvesting by setting a different error.count and error.interval. I figured 6 attempts at bad addresses in 30 seconds was most certainly someone trying to guess email addresses on our servers.
> >
> > Another thing that you will want to do is go into the Blackice GUI and go to the intrusion detection tab. Here you will want to add your internal and external IP addresses as ranges of IP addresses that you want to trust.
> >
> > If Blackice ever blocks an IP that shouldn't be blocked (say some customer who isn't well-behaved but who is still a customer), through the GUI you can right click on your customer's info in the EVENTS tab and then select the option to trust and accept them. This will prevent them from ever being automatically blocked by Blackice.
> >
> > I know the above is a bit to digest but don't let it scare you. Blackice is a simple install and you can literally have it installed and running and blocking email harvesting in about 15 minutes.
> >
> > Another advantage is that Blackice has a directory where it places a text file with the IP of the attacker as part of the filename. Over time, you will see patterns of IPs by just looking at the filenames.
> > If there is a range of IPs that seem to be attacking your servers you can then go block them at your firewall. Blackice will also show you in its online GUI all of the attackers and errors they generated. If I see that someone has port scanned us a couple hundred times I may go block them at the firewall to stop them from profiling our servers. If you look at the issuelist.csv, you can see that you can also use Blackice to handle a vast number of other types of attacks. I only use it for the email address harvesting, but it could be used to do a whole lot more.
> >
> > At $300 it's a cheap solution. I very seldom ever look at Blackice. It just does its thing and I forget it's even there most of the time!
> >
> > I wrote most of this from memory and I don't believe I missed anything. If you're going to install Blackice, feel free to email me and tell me the time and date you plan to install it. I'll email you my phone number and if you should hit a problem you can give me a call and I'll walk you through it.
> >
> > Good luck.
> >
> > Dave
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list. To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail". The archives can be found
> > at http://www.mail-archive.com.
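As an added illustration that is not part of the thread and not Blackice code: the harvesting rule Dave describes (block a sender after 6 unknown-recipient errors inside a 30-second interval, lift the block after a fixed time, and never block trusted addresses) is a per-IP sliding-window counter. The script below models that rule on the mail server's own rejection log. The log line format, the status tokens, the sample lines and the 24-hour expiry (Dave's stated belief, not a documented Blackice value) are all assumptions made for this example.

```python
"""Sliding-window detector for SMTP recipient harvesting.

Models the Blackice thresholds discussed in the thread
(smtp.error.count=6, smtp.error.interval=30) against a constructed
log format: "<ISO-8601 timestamp> <client IP> <status>".
This is an added example, not Blackice's implementation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed (hypothetical) log line layout for this example.
LOG_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


class HarvestDetector:
    def __init__(self, error_count=6, error_interval=30, block_seconds=24 * 3600):
        self.error_count = error_count                    # errors needed inside the window
        self.window = timedelta(seconds=error_interval)   # sliding window length
        self.block_for = timedelta(seconds=block_seconds) # assumed 24 h, as the thread guesses
        self.errors = defaultdict(deque)                  # ip -> timestamps of recent bad recipients
        self.blocked = {}                                 # ip -> block expiry time
        self.trusted = set()                              # ips that are never auto-blocked

    def trust(self, ip):
        """Equivalent of the 'trust and accept' / trusted-range setting."""
        self.trusted.add(ip)

    def is_blocked(self, ip, now):
        """True while a block is active; expired blocks are dropped on sight."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True

    def observe(self, ts, ip, status):
        """Feed one event; returns the action taken for that event."""
        if ip in self.trusted:
            return "trusted"
        if self.is_blocked(ip, ts):
            return "blocked"
        if status != "UNKNOWN_RECIPIENT":
            return "ok"
        recent = self.errors[ip]
        recent.append(ts)
        # Keep only errors that fall inside the window ending at this event.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.error_count:
            self.blocked[ip] = ts + self.block_for
            recent.clear()
            return "block"
        return "counted"


def process_log(lines, detector):
    """Parse log lines and return [(ip, action), ...]; unparseable lines are skipped."""
    actions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        actions.append((m.group(2), detector.observe(ts, m.group(2), m.group(3))))
    return actions


# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "2008-01-04T11:00:00 203.0.113.7 UNKNOWN_RECIPIENT",
    "2008-01-04T11:00:00 198.51.100.4 UNKNOWN_RECIPIENT",
    "2008-01-04T11:00:03 203.0.113.7 UNKNOWN_RECIPIENT",
    "2008-01-04T11:00:06 203.0.113.7 UNKNOWN_RECIPIENT",
    "2008-01-04T11:00:09 203.0.113.7 UNKNOWN_RECIPIENT",
    "2008-01-04T11:00:12 203.0.113.7 UNKNOWN_RECIPIENT",
    "2008-01-04T11:00:15 203.0.113.7 UNKNOWN_RECIPIENT",  # 6th error in 15 s: block
    "2008-01-04T11:00:25 198.51.100.4 UNKNOWN_RECIPIENT",
    "2008-01-04T11:00:50 198.51.100.4 UNKNOWN_RECIPIENT",
    "2008-01-04T11:01:00 203.0.113.7 ACCEPTED",           # still inside the block
    "2008-01-04T11:01:15 198.51.100.4 UNKNOWN_RECIPIENT",
    "2008-01-04T11:01:40 198.51.100.4 UNKNOWN_RECIPIENT",
    "2008-01-04T11:02:05 198.51.100.4 UNKNOWN_RECIPIENT",  # 6 errors, but one per 25 s: never 6 in a window
    "2008-01-04T11:02:10 192.0.2.10 UNKNOWN_RECIPIENT",    # trusted internal host
    "this line is garbled and is skipped",
    "2008-01-05T11:00:16 203.0.113.7 ACCEPTED",           # 24 h later: block has expired
]


def run_sample():
    """Run the constructed log through a detector with one trusted host."""
    det = HarvestDetector()
    det.trust("192.0.2.10")
    return det, process_log(SAMPLE_LOG, det)


if __name__ == "__main__":
    _, result = run_sample()
    for ip, action in result:
        print(f"{ip:<14} {action}")
```

The slow sender (one bad recipient every 25 seconds) is the case Dave's error.interval is meant to tune: with count=6 and interval=30 it is never blocked, which is the intended trade-off between catching dictionary harvesters and tolerating a misconfigured but legitimate sender; lowering the interval or count changes that balance, and the trusted set is what protects the "customer who isn't well-behaved" from the rule entirely.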
