RE: [Declude.JunkMail] Blackice Server Settings
Wow, I posted those instructions a long time ago. I didn't know so many people ended up running blackice! I have no plans to replace blackice until a server upgrade means it won't run any more. Hopefully that won't be for several years.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.)
> Sent: Friday, January 04, 2008 12:59 PM
> To: declude.junkmail@declude.com
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Blackice Server Settings
>
> ISS no longer supports blackice and it is no longer in production, what are users replacing it with?
>
> Howard Smith
Re: [Declude.JunkMail] Blackice Server Settings
In relation to spam or in relation to security? My answers would be Alligate (on a separate server) and a firewall, respectively.

Matt

Howard Smith (N.O.R.A.D.) wrote:
> ISS no longer supports blackice and it is no longer in production, what are users replacing it with?
>
> Howard Smith
RE: [Declude.JunkMail] Blackice Server Settings
ISS no longer supports blackice and it is no longer in production, what are users replacing it with?

Howard Smith
RE: [Declude.JunkMail] Blackice Server Settings
Nice! Thanks Dave.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Wednesday, September 27, 2006 11:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is!

Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on "MY COMPUTER" then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services.

Next, you can install Blackice.

When you install Blackice server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install blackice you can go into the GUI and go to the firewall tab and under protection level you can select "trusting: allow all inbound traffic"

Blackice should run without causing you any trouble so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail.

Also, you can always stop the Blackice service if you hit a problem. Blackice does its thing by watching traffic across the network card. If you stop Blackice then it's effectively as if Blackice isn't installed on the server. When the service is stopped Blackice is gone and all is back as it was before.

Attached is the issuelist.csv file which comes with Blackice server. Blackice uses this file as a database of different types of attacks. Line 227 had to be modified to indicate an action of IP|RST. The IP|RST tells Blackice to block the IP of the attacker as the action to take. Ignore the comments to the far right of line 227. The comments say to block the attacker if they attempt to send email to 10 non-existent email addresses within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All you need to change in this file is to add IP|RST to line 227. The attached file already has the change. It is from the most current version of Blackice so if you just bought Blackice you can move the attached file into the Blackice directory and you're good to go.

Next, in the Blackice GUI you'll want to go to the firewall tab and put a checkmark in front of "Enable Auto Blocking". The GUI updates the firewall.ini file to tell Blackice that auto-blocking is enabled. The line in my firewall.ini is the following:

auto-blocking = enabled, 2000, BIgui

Next, go to the blackice.ini file and manually edit it to add the following 4 lines:

smtp.error.count=6
smtp.error.interval=30
pam.smtp.error.count=6
pam.error.interval=30

The above settings in blackice.ini tell Blackice that if it detects an attempt to send to 6 non-existent email addresses within 30 seconds then it should activate the Email_Error action in line 227 of issuelist.csv. We set the action to be IP|RST (in issuelist.csv) which specifies that the IP should be blocked. So if the QTY/Timeframe is met, the IP is blocked. The block of the IP will automatically go away after a specified time. This is good because an IP is never permanently blocked forever.

I believe the IP is removed from the blocklist after 24 hours. I have to find where you specify the length of time that the IP should remain blocked. I'll post that when I find it.

Also, on those 4 config lines above you can obviously choose how aggressive you want to be at blocking email harvesting by setting a different error.count and error.interval. I figured 6 attempts at bad addresses in 30 seconds was most certainly someone trying to guess email addresses on our servers.

Another thing that you will want to do is go into the Blackice GUI and go to the intrusion detection tab. Here you will want to add your internal and external IP addresses as ranges of IP addresses that you want to trust. If Blackice ever blocks an IP that shouldn't be blocked (say some customer who isn't well-behaved but who is still a customer), through the GUI you can right click on your customer's info in the EVENTS tab and then select the option to trust and accept them. This will prevent them from ever being automatically blocked by Black
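The threshold-and-expiry behaviour the quoted post describes, as an added Python example that is not part of the original thread and is not BlackICE's own code: it counts unknown-recipient rejections per source IP in a 30-second window, blocks at 6, exempts trusted ranges and lets blocks age out. The log format, the addresses and all class and function names are constructed for illustration, and the 24-hour expiry is an assumption taken from the post's "I believe".

```python
"""Sliding-window blocker for SMTP unknown-recipient errors (illustration only)."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

ERROR_COUNT = 6                               # smtp.error.count in the post
ERROR_INTERVAL = timedelta(seconds=30)        # smtp.error.interval in the post
BLOCK_TTL = timedelta(hours=24)               # assumption: the post's "I believe"
TRUSTED = [ipaddress.ip_network("192.0.2.0/28")]  # constructed trusted range


class HarvestBlocker:
    def __init__(self, count=ERROR_COUNT, interval=ERROR_INTERVAL,
                 ttl=BLOCK_TTL, trusted=TRUSTED):
        self.count, self.interval, self.ttl = count, interval, ttl
        self.trusted = list(trusted)
        self.errors = defaultdict(deque)      # ip -> times of recent rejections
        self.blocked = {}                     # ip -> time the block expires

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is not None and now >= expiry:
            del self.blocked[ip]              # block has aged out
            return False
        return expiry is not None

    def record_error(self, ip, now):
        """Count one rejected recipient; return True if this one triggers a block."""
        if self.is_trusted(ip) or self.is_blocked(ip, now):
            return False
        window = self.errors[ip]
        window.append(now)
        while now - window[0] > self.interval:  # drop errors older than the window
            window.popleft()
        if len(window) >= self.count:
            self.blocked[ip] = now + self.ttl
            del self.errors[ip]
            return True
        return False


def parse_line(line):
    """Constructed format: 'YYYY-MM-DD HH:MM:SS <ip> RCPT <address> <reply code>'."""
    date, clock, ip, verb, _address, code = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), ip, verb, int(code)


def run(lines, blocker=None):
    """Feed log lines in time order; return ([(ip, blocked_at)], blocker)."""
    blocker = blocker or HarvestBlocker()
    events = []
    for line in lines:
        ts, ip, verb, code = parse_line(line)
        if verb == "RCPT" and code == 550 and blocker.record_error(ip, ts):
            events.append((ip, ts))
    return events, blocker


def sample_log():
    """Constructed sample: fast harvester, slow mistyper, trusted internal host."""
    base = datetime(2006, 9, 27, 17, 58, 0)
    rows = []
    for i in range(6):
        rows.append((base + timedelta(seconds=4 * i), "198.51.100.7"))   # 6 in 20 s
        rows.append((base + timedelta(seconds=10 * i), "203.0.113.9"))   # 6 in 50 s
        rows.append((base + timedelta(seconds=2 * i), "192.0.2.5"))      # trusted
    rows.sort()
    return [f"{ts:%Y-%m-%d %H:%M:%S} {ip} RCPT <user{n}@example.com> 550"
            for n, (ts, ip) in enumerate(rows)]


if __name__ == "__main__":
    for ip, when in run(sample_log())[0]:
        print(f"block {ip} at {when} until {when + BLOCK_TTL}")
```

Only the fast sender trips the threshold; the sender that spreads six bad recipients over 50 seconds and the trusted host are left alone, which is the trade-off the count and interval settings control.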
RE: [Declude.JunkMail] Blackice Server Settings
Dave,

Could you post the settings for Blackice? It looks like the list does accept attachments.

Thanks,

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, September 21, 2006 2:00 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

I’m leaving town in a little bit and I won’t be back until Sunday. If someone reminds me on Sunday or Monday I’d be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this.

Dave,

Could you post the ini settings for BlackIce that can help with mail servers?

Thanks

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Blackice Server Settings
Chris Asaro
Technical Support Engineer
Declude
Your Email security is our business
866.332.5833 toll free
978.499.2933 office
978.477.8930 e-fax
[EMAIL PROTECTED]
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Monday, September 25, 2006 10:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

In the past this list would accept attachments. I haven’t seen any lately though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, September 21, 2006 2:00 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

I’m leaving town in a little bit and I won’t be back until Sunday. If someone reminds me on Sunday or Monday I’d be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this.

Dave,

Could you post the ini settings for BlackIce that can help with mail servers?

Thanks

this is an attachment
RE: [Declude.JunkMail] Blackice Server Settings
In the past this list would accept attachments. I haven’t seen any lately though.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, September 21, 2006 2:00 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Blackice Server Settings

I’m leaving town in a little bit and I won’t be back until Sunday. If someone reminds me on Sunday or Monday I’d be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this.

Dave,

Could you post the ini settings for BlackIce that can help with mail servers?

Thanks
RE: [Declude.JunkMail] Blackice Server Settings
I’m leaving town in a little bit and I won’t be back until Sunday. If someone reminds me on Sunday or Monday I’d be happy to post the settings. Are we able to post attachments to this list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Wiegers
Sent: Thursday, September 21, 2006 12:09 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blackice Server Settings

Wanted to start a new thread on this.

Dave,

Could you post the ini settings for BlackIce that can help with mail servers?

Thanks
[Declude.JunkMail] Blackice Server Settings
Wanted to start a new thread on this.

Dave,

Could you post the ini settings for BlackIce that can help with mail servers?

Thanks