Re[6]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Sanford Whiteman
> I placed on a test machine and then trial on a production IMail server. I
> really want this thing to work, but as I train and set-up, found that the
> SMTP service stops and will not restart and getting a cannot find DLL and
> SMTP. Sandy - have you experienced anything along this line?

Nothing like that exactly, no. But you must make sure that
anti-virus/anti-malware software is off during the install, and that
you exempt the eEye folders and apps from heuristic scanning +
detection after restart. NOD32 and AVG will both be hypersensitive to
Blink; Blink's EXEs and DLLs may end up in quarantine unless they are
excluded. Also -- the usual concept of no more than one
memory-resident AV at once -- you should make sure Blink's anti-virus
module is off.

Off-list, let's work together to get it up.

--Sandy




Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Declude ??? Long Delay Processing?

2008-01-05 Thread David Dodell


On Jan 5, 2008, at 12:45 PM, Kevin Bilbee wrote:

> We have had this in the past. Look at your DNS server being used by declude.
> It can take a long time to process the DNS based tests if your DNS server is
> timing out. Debug mode should tell you if this is what is happening.

The problem is intermittent, so I'll have to turn on debug mode when I
see it happening.

Our DNS server (Simple DNS Plus) is on the same machine, and it does
not appear to have any delays in keeping up.






RE: Re[4]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Don Schreiner
I placed on a test machine and then trial on a production IMail server. I
really want this thing to work, but as I train and set-up, found that the
SMTP service stops and will not restart and getting a cannot find DLL and
SMTP. Sandy - have you experienced anything along this line?

-Don

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Saturday, January 05, 2008 2:46 PM
To: Craig Edmonds
Subject: Re[4]: [Declude.JunkMail] Blackice Server EndOfLife - need
replacement

> Can you use eEye's Blink on a mail server?

O'course.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/






RE: [Declude.JunkMail] Declude ??? Long Delay Processing?

2008-01-05 Thread Kevin Bilbee
We have had this in the past. Look at your DNS server being used by declude.
It can take a long time to process the DNS based tests if your DNS server is
timing out. Debug mode should tell you if this is what is happening.



Kevin Bilbee

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> David Dodell
> Sent: Saturday, January 05, 2008 10:08 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Declude ??? Long Delay Processing?
> 
> 
> On Jan 5, 2008, at 10:49 AM, Richard Lyon wrote:
> 
> > If you run sniffer, then try updating its rule file. I saw this
> > problem with a corrupted sniffer rule file.
> 
> I do automatically as soon as they come in  which seems to be
> several times a day
> 
> 



Re[4]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Sanford Whiteman
> Can you use eEye's Blink on a mail server?

O'course.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/






Re: [Declude.JunkMail] Declude ??? Long Delay Processing?

2008-01-05 Thread David Dodell


On Jan 5, 2008, at 10:49 AM, Richard Lyon wrote:

> If you run sniffer, then try updating its rule file. I saw this
> problem with a corrupted sniffer rule file.

I do automatically as soon as they come in  which seems to be
several times a day






Re: [Declude.JunkMail] Declude ??? Long Delay Processing?

2008-01-05 Thread Richard Lyon
If you run sniffer, then try updating its rule file. I saw this  
problem with a corrupted sniffer rule file.



On Jan 5, 2008, at 11:42 AM, David Dodell wrote:

> I'm trying to track down a problem, which I "think" might be in Declude.
>
> Here is the scenario ... I'm noticing mail is taking 10 to 15 minutes to
> pass through our Imail / Declude system.
>
> Spent some time testing / reading logs this morning. I sent a message
> from my normal Imail account (via SMTP AUTH) to a gmail account I have
> for testing. It took almost 11 minutes to go from my domain to gmail
> (see headers)
>
> Received: by 10.82.114.10 with SMTP id m10cs870488buc;
>     Sat, 5 Jan 2008 08:31:18 -0800 (PST)
> Received: by 10.114.168.1 with SMTP id q1mr2511797wae.73.1199550676727;
>     Sat, 05 Jan 2008 08:31:16 -0800 (PST)
> Received: from stat.com (stat.com [65.163.175.10]) by mx.google.com
>     with ESMTP id k26si3555043waf.35.2008.01.05.08.31.10;
>     Sat, 05 Jan 2008 08:31:16 -0800 (PST)
> Received: from [10.0.0.196] [130.13.94.94] by stat.com with ESMTP
>     (SMTPD-9.23) id AE4C0368; Sat, 05 Jan 2008 09:20:28 -0700
>
> When I look at the Imail log for the SMTP session, the mail is received
> via SMTP (SMTP AUTH shows on) ... and within a second is created into a
> SMD file that is placed in the \imail\spool directory.
>
> That was at 09:20
>
> When I look in the declude logs, the SMD file is scanned at 09:31 (11
> minutes later) and passes right thru (because of the SMTP Auth =
> Whitelisted)
>
> So hints on where I should look, why it took 11 minutes from the file
> entering the spool, till Declude processed it, and then passes it
> through to the outbound queue for delivery.
>
> David






[This E-mail scanned for viruses by Declude]







[Declude.JunkMail] Re:Declude ??? Long Delay Processing?

2008-01-05 Thread David Dodell


On Jan 5, 2008, at 10:03 AM, Darrell ([EMAIL PROTECTED]) wrote:

> The first thing to do is check and make sure you do not have a ton
> of files in your proc folder.  This would indicate a queue backup.
> The next thing if you're not having a ton of files in your proc is to
> kick the logs into debug mode and send a test message.  Look through
> the debug log and find any issues like DNS tests timing out etc.

Darrell thanks for the suggestions ... the proc folder was basically
empty ... just about a 1/2 dozen files current date/time stamp being
processed in and out.

I've turned on the debug log for declude.

The only problem is, this is intermittent.  I just sent another
couple of test messages to gmail, and they were delivered within 15
seconds ...  so this problem is not happening all the time ...






Re: [Declude.JunkMail] Declude ??? Long Delay Processing?

2008-01-05 Thread Darrell ([EMAIL PROTECTED])
The first thing to do is check and make sure you do not have a ton of
files in your proc folder.  This would indicate a queue backup.  The
next thing if you're not having a ton of files in your proc is to kick the
logs into debug mode and send a test message.  Look through the debug
log and find any issues like DNS tests timing out etc.


Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.



David Dodell wrote:

> I'm trying to track down a problem, which I "think" might be in Declude.
>
> Here is the scenario ... I'm noticing mail is taking 10 to 15 minutes to
> pass through our Imail / Declude system.
>
> Spent some time testing / reading logs this morning. I sent a message
> from my normal Imail account (via SMTP AUTH) to a gmail account I have
> for testing. It took almost 11 minutes to go from my domain to gmail
> (see headers)
>
> Received: by 10.82.114.10 with SMTP id m10cs870488buc;
>     Sat, 5 Jan 2008 08:31:18 -0800 (PST)
> Received: by 10.114.168.1 with SMTP id q1mr2511797wae.73.1199550676727;
>     Sat, 05 Jan 2008 08:31:16 -0800 (PST)
> Received: from stat.com (stat.com [65.163.175.10]) by mx.google.com
>     with ESMTP id k26si3555043waf.35.2008.01.05.08.31.10;
>     Sat, 05 Jan 2008 08:31:16 -0800 (PST)
> Received: from [10.0.0.196] [130.13.94.94] by stat.com with ESMTP
>     (SMTPD-9.23) id AE4C0368; Sat, 05 Jan 2008 09:20:28 -0700
>
> When I look at the Imail log for the SMTP session, the mail is received
> via SMTP (SMTP AUTH shows on) ... and within a second is created into a
> SMD file that is placed in the \imail\spool directory.
>
> That was at 09:20
>
> When I look in the declude logs, the SMD file is scanned at 09:31 (11
> minutes later) and passes right thru (because of the SMTP Auth =
> Whitelisted)
>
> So hints on where I should look, why it took 11 minutes from the file
> entering the spool, till Declude processed it, and then passes it
> through to the outbound queue for delivery.
>
> David








[Declude.JunkMail] Declude ??? Long Delay Processing?

2008-01-05 Thread David Dodell

I'm trying to track down a problem, which I "think" might be in Declude.

Here is the scenario ... I'm noticing mail is taking 10 to 15 minutes to
pass through our Imail / Declude system.

Spent some time testing / reading logs this morning. I sent a message
from my normal Imail account (via SMTP AUTH) to a gmail account I have
for testing. It took almost 11 minutes to go from my domain to gmail
(see headers)

Received: by 10.82.114.10 with SMTP id m10cs870488buc;
    Sat, 5 Jan 2008 08:31:18 -0800 (PST)
Received: by 10.114.168.1 with SMTP id q1mr2511797wae.73.1199550676727;
    Sat, 05 Jan 2008 08:31:16 -0800 (PST)
Received: from stat.com (stat.com [65.163.175.10]) by mx.google.com
    with ESMTP id k26si3555043waf.35.2008.01.05.08.31.10;
    Sat, 05 Jan 2008 08:31:16 -0800 (PST)
Received: from [10.0.0.196] [130.13.94.94] by stat.com with ESMTP
    (SMTPD-9.23) id AE4C0368; Sat, 05 Jan 2008 09:20:28 -0700

When I look at the Imail log for the SMTP session, the mail is received
via SMTP (SMTP AUTH shows on) ... and within a second is created into a
SMD file that is placed in the \imail\spool directory.

That was at 09:20

When I look in the declude logs, the SMD file is scanned at 09:31 (11
minutes later) and passes right thru (because of the SMTP Auth =
Whitelisted)

So hints on where I should look, why it took 11 minutes from the file
entering the spool, till Declude processed it, and then passes it
through to the outbound queue for delivery.

David
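
The hop-by-hop timing in the headers above can be computed rather than read by eye. This is an added example, not part of the original post: it parses the four Received headers quoted in the message, normalizes the mixed -0700/-0800 offsets to UTC, and reports which hop held the message longest. The function names are this example's own.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received headers as quoted in the post (newest hop first, as stored in mail).
RAW_HEADERS = """\
Received: by 10.82.114.10 with SMTP id m10cs870488buc;
    Sat, 5 Jan 2008 08:31:18 -0800 (PST)
Received: by 10.114.168.1 with SMTP id q1mr2511797wae.73.1199550676727;
    Sat, 05 Jan 2008 08:31:16 -0800 (PST)
Received: from stat.com (stat.com [65.163.175.10]) by mx.google.com
    with ESMTP id k26si3555043waf.35.2008.01.05.08.31.10;
    Sat, 05 Jan 2008 08:31:16 -0800 (PST)
Received: from [10.0.0.196] [130.13.94.94] by stat.com with ESMTP
    (SMTPD-9.23) id AE4C0368; Sat, 05 Jan 2008 09:20:28 -0700

"""


def hop_times(raw):
    """Return [(route, utc_datetime), ...] ordered oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        # The timestamp is everything after the last ';' in the header.
        route, _, stamp = value.rpartition(";")
        stamp = re.sub(r"\([^)]*\)", "", stamp).strip()  # drop "(PST)"
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        hops.append((" ".join(route.split()), when))
    hops.reverse()
    return hops


def hop_delays(hops):
    """Seconds between each hop and the one before it.

    Each timestamp comes from a different host's clock, so small or
    negative values can be clock skew rather than real delay.
    """
    return [(later[0], (later[1] - earlier[1]).total_seconds())
            for earlier, later in zip(hops, hops[1:])]


def slowest_hop(raw):
    """Return (route, seconds) for the hop with the largest gap."""
    return max(hop_delays(hop_times(raw)), key=lambda item: item[1])


if __name__ == "__main__":
    for route, seconds in hop_delays(hop_times(RAW_HEADERS)):
        print(f"{seconds:7.0f}s  {route}")
```

The largest gap is between stat.com accepting the message and mx.google.com receiving it, so the time was spent on the sending server (spool, scanning, outbound queue), which matches the 09:20 and 09:31 log times given in the post.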








RE: [Declude.JunkMail] Blackice Server Settings

2008-01-05 Thread Dave Beckstrom
Wow, I posted those instructions a long time ago.  I didn't know so many
people ended up running blackice!   

I have no plans to replace blackice until a server upgrade means it won't
run any more.  Hopefully that won't be for several years.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard
> Smith (N.O.R.A.D.)
> Sent: Friday, January 04, 2008 12:59 PM
> To: declude.junkmail@declude.com
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Blackice Server Settings
> 
> ISS no longer supports blackice and it is no longer in production, what
> are users replacing it with?
> 
> 
> Howard Smith
> .
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Wednesday, September 27, 2006 5:58 PM
> To: declude.junkmail@declude.com
> Cc: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Blackice Server Settings
> 
> I've gotten some requests to post the information on how to use Blackice
> Server to block email harvesting attacks.  So here it is!
> 
> 
> Before you install Blackice Server you must turn Data Execution Prevention
> OFF on your server.  Blackice and DEP will not coexist.  On your server
> right click on "MY COMPUTER" then go to properties and then go to advanced.
> Under performance, select the SETTINGS button and then click on the Data
> Execution Prevention tab.  If DEP is listed as enabled for anything, remove
> it for the listed services.
> 
> Next, you can install Blackice.
> 
> When you install Blackice server you should install it with the trusting
> mode enabled to allow all inbound traffic.  I believe it asks you what you
> want when you install Blackice.  I don't recall for sure if it does or not
> because it has been several years since I installed it.  If it doesn't ask
> you the protection level that you want, after you install blackice you can
> go into the GUI and go to the firewall tab and under protection level you
> can select "trusting: allow all inbound traffic"
> 
> Blackice should run without causing you any trouble so you should have time
> to complete the other configuration items.  The whole install and
> configuration only took me about 15 minutes.  I installed it on a dedicated
> email server.  I don't have any experience with Blackice on a server running
> other stuff besides email and webmail.
> 
> Also, you can always stop the Blackice service if you hit a problem.
> Blackice does its thing by watching traffic across the network card.  If you
> stop Blackice then it's effectively as if Blackice isn't installed on the
> server.  When the service is stopped Blackice is gone and all is back as it
> was before.
> 
> Attached is the issuelist.csv file which comes with Blackice server.
> Blackice uses this file as a database of different types of attacks.  Line
> 227 had to be modified to indicate an action of IP|RST.  The IP|RST tells
> Blackice to block the IP of the attacker as the action to take.  Ignore the
> comments to the far right of line 227.  The comments say to block the
> attacker if they attempt to send email to 10 non-existent email addresses
> within 120 seconds.  The QTY/Timeframe is actually specified elsewhere.  All
> you need to change in this file is to add IP|RST to line 227.  The attached
> file already has the change.  It is from the most current version of
> Blackice so if you just bought Blackice you can move the attached file into
> the Blackice directory and you're good to go.
> 
> Next, in the Blackice GUI you'll want to go to the firewall tab and put a
> checkmark in front of "Enable Auto Blocking".  The GUI updates the
> firewall.ini file to tell Blackice that auto-blocking is enabled.  The line
> in my firewall.ini is the following:
> 
> auto-blocking = enabled, 2000, BIgui
> 
> Next, go to the blackice.ini file and manually edit it to add the following
> 4 lines:
> 
> 
> smtp.error.count=6
> smtp.error.interval=30
> pam.smtp.error.count=6
> pam.error.interval=30
> 
> 
> The above settings in blackice.ini tells Blackice that if it detects an
> attempt to send to 6 non-existent email addresses within 30 seconds then it
> should activate the Email_Error action in line 227 of issuelist.csv.  We set
> the action to be IP|RST (in issuelist.csv) which specifies that the IP
> should be blocked.  So if the QTY/Timeframe is met, the IP is blocked.  The
> block of the IP will automatically go away after a specified time.  This is
> good because an IP is never permanently blocked forever.
> 
> I believe the IP is removed from the blocklist after 24 hours.  I have to
> find where you specify the length of time that the IP should remain blocked.
> I'll post that when I find it.
> 
> Also, on those 4 config lines above you can obviously choose how aggressive
> you want to be at blocking email harvesting by setting a different
> error.count and error.interval.  I figured 6 attempts at bad addresses in 30
> seconds was most certainly

RE: Re[2]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Craig Edmonds
Can you use eEye's Blink on a mail server?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: 04 January 2008 21:37
To: Howard Smith (N.O.R.A.D.)
Subject: Re[2]: [Declude.JunkMail] Blackice Server EndOfLife - need
replacement

> To replace blackice functions as to load on a server and monitor and
> block what applications sends out on individual ports. I have an
> offending app or task that trying to send out on random ports, I am
> trying to find it and block it

Yep, a HIPS like BlackIce can't be replaced by a separate firewall. I
have kind of been holding in reserve my newfound love for eEye's
Blink, but there it is -- pls contact me off-list for more info if you
want. I'm currently rolling it out to 125 stations and find it more
than able. I have no relationship to the vendor.

--Sandy


